« Back to Actio#9

LEGAL REMEDIES FOR BREACH OF CONFIDENTIALITY OF PERSONAL DATA

Because of the advancement of technology, it has become the norm for developers to compete with each other to release applications which provide cross services ranging from social media, marketplace, tourism, finance and etc. These applications generally offer a variety of services aimed at providing convenience at a low cost or even at zero cost in order to appeal to the masses. In order to improve and run the provided services, more often than not, the developers need to harvest the user’s personal data. In fact, it has become common practice for developers to require that users must
grant their consent to developers to use their personal data before they are granted access to the said applications. Thus, the larger the database of users of an application, the greater the amount of personal data coming under the control of the developer of the application. In essence, application developers now act as data controllers or data processors.

Considering the vast amount of personal data, it is reasonably expected of data controller to protect the data with utmost responsibility and care. However, in reality, breach of personal data is a common occurrence and happens whenever personal data is being released intentionally or unintentionally. One of the biggest cases of personal data breach that successfully grabbed the world’s attention recently was the leak of 50 (fifty) million Facebook users to Cambridge Analytica, a political data analysis consulting firm based in the UK. Cambridge Analytica was able
to unlawfully process the data of Facebook users due to Facebook’s negligence which allowed third-party applications to obtain the users’ personal data and use the data without the consent of the user or for purposes not consented for.

This high profile case further emphasizes the urgency and need for regulations that provide options of legal remedies, including to injunctive relief, damages suffered by the owner of personal data whose personal data is being compromised and other remedies available. This will go a long way to ensure the public that the data controller/data processor will take all the necessary precautions to prevent a data breach on the pain of penalties. In Indonesia, the draft national law on the protection of personal data is still under discussion at the legislative level. There is yet no comprehensive law that specifically governs data protection. Provisions on protection of personal data are still uncentralised and are found in various laws and regulations.

In addition to the ITE Law, provisions on personal data protection are also regulated under the Minister of Information and Communication Regulation Number 20 of 2016 concerning Protection of Personal Data in Electronic Systems (“Perkominfo 20/2016”). Under this regulation, besides filing a claim for damages, the owners of personal data are also entitled to file a complaint to the Minister of Communication and Information that the data processor/data controller has failed to protect the confidentiality of their personal data and that the organizer of the system does not provide written notice to the owner of the data or late in giving written notice while losses have occurred. These complaints shall be resolved by deliberation or through the means of alternative dispute resolutions.

Last but not least, the government may impose the following administrative sanctions on anyone who is accountable for the misuse of personal data including :

a. Oral warning
b. Written warning
c. Termination of activities; and / or
d. Announcements on sites on the network.

In conclusion, the legal remedies for breach
of confidentiality of data consists of claims
and complaints. However, the current legal regulations in Indonesia concerning personal data protection still leave a lot to be desired. For example, the current regulations have
not stipulated provisions regarding the implementation of the aforementioned legal remedies against data controllers/processors that are domiciled overseas. This is especially important as many data controllers/processors are foreign entities. Thus, it is hoped that the Government will complete the draft law on the protection of personal data soon in order to protect the legal interests of the nation and the people of Indonesia.

WNA/HES