JAKARTA – Indonesia is pushing ahead with a data protection law following a series of high-profile data breaches in recent months at some of its biggest e-commerce companies.
The legislation – due by the end of the year – will make it illegal to collect consumer data without permission and will require businesses to alert customers within days of knowing that their names, email and other information have fallen into the wrong hands.
The proposed law, which includes fines of up to 210 billion rupiah (S$20 million) for corporations or up to seven years in prison for individuals, reflects growing concern among Indonesia’s quickly growing cohort of online shoppers that companies and government are failing to keep their personal information safe.
Indonesia’s State Cyber and Crypto Agency (BSSN) has said the country had more than 98 million cyber attacks in 2019, up from 12 million a year earlier.
Mr Ardi Sutedja, who helped found BSSN and is now chairman and founder of non-profit Cyber Security Forum, said more attacks are going unreported by companies eager to avoid spooking customers and investors.
“This is just the tip of the iceberg,” Mr Ardi said.
In early May, news broke on Twitter that online mall Tokopedia suffered Indonesia’s biggest data breach with the theft of personal data, including emails and passwords for 91 million accounts, which was put on sale on the dark web.
Earlier this month local media reported the data, which can be used as fodder for phishing scams, had resurfaced for sale for the equivalent of S$15.
Days after the Tokopedia heist, smaller rival Bhinneka, which specialises in business supplies, revealed that it too had been the victim of a hack, in which 1.2 million accounts were accessed.
Also in May, the country’s election commission said the private information of 2.3 million voters had been illegally copied.
Late last year, e-commerce site Bukalapak found hackers had made off with the personal data of 13 million accounts.
Up until now, rules governing personal data have been scattered across myriad financial, telecommunication and employment regulations that have made it tough for consumers to hold businesses to account for misusing their information, analysts said.
Modelled after the European Union’s 2018 General Data Protection Regulation, Indonesia’s pending Personal Data Protection Bill allows the data’s owner to withdraw permission for its usage, to be notified within three days of its theft and to sue.
Atop this new regulatory structure in every company must sit a data protection officer who can ensure the company is compliant – something Mr Ardi says will cost on average the equivalent of between 10 per cent and 20 per cent of working capital to train staff and upgrade the IT network.
The rules could not have come too soon. The value of Indonesians’ online purchases of plane tickets, home appliances, takeaway orders and other goods is expected to triple to US$130 billion (S$181 billion) by 2025, according to a 2019 study by Google, Temasek, and Bain & Company.
After all that, the customs of everyday life may still put Indonesians in the crosshairs of digital bandits.
One example: IDs left at front desks to manage the flow of visitors to offices may still be recorded, their contents shared or dissected as the host wishes – something the new legislation so far fails to address.