he Personal Data Protection (PDP) Law enacted in 2022 was seen as a big step forward in protecting the digital rights of Indonesian citizens, amid the government’s efforts to boost the country’s digital economy and speed up digital transformation in the public sector.
This legislation is also important for setting limits on how the government handles private data. There have been some bad examples in the past, like the breach of voter data ahead of the 2024 general election and the controversial use of the National Cybercrime Center system to monitor civil society groups without permission in 2021.
However, the government’s commitment to guaranteeing personal data protection as a fundamental right of its citizens remains questionable, despite passage of the PDP Law and Communications and Information Ministerial Regulation No. 20/2016 on private data protection in electronic systems.
The delay in issuing the implementing regulations for the PDP Law, which was originally scheduled for the fourth quarter of 2023, is just one factor. There’s also the vague framework on provisioning the law and doubt over the government’s future efforts in enforcing the law.
Privacy protection and data ownership is at the crux of debates on attempts at regulating technology. Nevertheless, the provisions in the PDP Law remain less purpose-based, since it only seems to be jumping on the bandwagon of the so-called Brussels effect (Bradford, 2020) by adopting the substance of the European Union’s (EU) General Data Protection Regulation (GDPR) without contextually substantiating what Indonesia fundamentally needs.
The fact is that even in the eurozone, the GDPR remains ineffective in addressing the harmful consequences of data harvesting activities by big tech like Facebook, Google and Microsoft, leading to digital surveillance of citizens as users.
If we give people ownership of their data (Lanier, 2013), we can make sure that tech companies can’t just harvest loads of users’ data without their consent. Plus, data ownership means that citizens can access and control their data, including deleting and modifying sensitive data.