Various Indonesian government agencies and businesses are considering an emerging futuristic technology called the metaverse, a portmanteau of “meta” (meaning beyond) and “universe”, which promises to dramatically advance social connectivity via the internet, boosting virtual 3-D experiences from tourism and cultural exploration to interactive banking, consumer sales, office communication, education and daily life.
One especially controversial aspect of this gradual convergence of digital and physical worlds, however, is its requirement for the collection of biometric data used as personal identification to bring out the individual’s natural character in this virtual metaverse. But the acquisition of biometric data is a sensitive issue, given its inherent vulnerability to potential threats, while Indonesia’s regulatory framework is limited with personal data protection and safeguarding against cyberattacks.
In this article, the authors discuss the existing framework and long-awaited Law No. 27 of 2022 on Personal Data Protection Law (PDP Law) recently came into force in Indonesia, and whether a more specific regulation on biometric data is needed in anticipation of the metaverse evolution.
METAVERSE EMERGENCE
The pandemic encouraged many enterprises to reconsider how to carry out their businesses more effectively. Not surprisingly, many turned online using digital meeting platforms such as video-conferencing, webinars and many other forms of internet communication. However, despite certain clear benefits, these also had limitations that are considered somewhat confining compared to more flexible experiences in the real world. Hence the metaverse emerged, bridging the metaphysical gap to answer those problems, offering real-life experiences in a virtual world through a replica of the physical realm where parties can more effectively socialise, attend meetings and participate in events through avatars representing themselves without a physical presence.
In Indonesia, as elsewhere, this metaverse provides many opportunities to improve and encourage the national economy and stakeholders have already begun to explore this virtual world to advance their business activities. Bank Rakyat Indonesia, one of the largest state-owned banks, has signed a memorandum of understanding to develop a metaverse ecosystem. This could, for example, provide new experiences and opportunities for customers to access virtual banking services. At the same time, although there would be costs in development, metaverse businesses could also reduce the cost of building physical offices.
Meanwhile, Indonesia’s Minister of Tourism and Creative Economy recently signed a collaborative plan to launch the “WonderVerse”, a metaverse platform to promote Indonesian tourism globally, with virtual space for local businesses to market their products virtually.
The metaverse is still emerging and evolving, and is far from the finished article. Development is at an early stage and even tech companies competing to create optimum ecosystems are still only forming a picture of what the completed metaverse will look like. While there are many ways to participate in the virtual world, one sensitive drawback already is uniformity of access. Submitting various kinds of data required to register user profiles, including biometric data, to ensure only authorised parties can access the system.
BIOMETRIC DATA REGULATION
Indonesia’s original legislation that slightly concerns biometric data is Law No. 23 (2006) on citizenship administration, which was amended by Law No. 24 in 2013. This describes various kinds of personal data that must be protected, such as fingerprints and the iris of the eye, which are both types of biometric data. However, the law does not specifically define and provide up-to-date protection for biometric data. Until recently, there has been no regulation specifying biometric data, not even Law No. 11 (2008) on Electronic Information and Transaction, amended by Law No. 11 in 2016.
The recent PDP Law is the most important law regulating personal data with more significant, stringent and integrated protection. It classifies personal data into general and specific data, and biometric data as specific personal data, in a similar way the EU General Data Protection Regulation classifies biometric data as “sensitive”.
The PDP Law defines biometric data as relating to an individual’s physical, physiological or behavioural characteristics that can identify their uniqueness, such as facial recognition or dactyloscopy (fingerprint) data. It also explains the uniqueness and/or characteristics of a person that must be maintained and cared for, including but not limited to fingerprint records, eye retina scans and DNA samples.
CYBER VULNERABILITY
Although biometric data for identification is considered more secure than the password-based method, it remains very sensitive and high-risk, potentially exposing someone’s profile and characteristics vulnerable to cyber threats. There are many ways to hack biometric data, whether via cyberattack through an IT system or simply insider threats due to the level of access, and many other possibilities. For example, a high-resolution digital photo could be used to manipulate a face recognition system.
Articles 27 and 28 of the PDP Law legally require personal data controllers to perform personal data processing only in a limited and specific manner that is legally valid and transparent. This means that collection of personal data must be limited in accordance with its purpose of processing and explicitly determined at the time of collection.
Processing must be conducted in accordance with the applicable laws and regulations, and data subjects should be fully aware of how their personal data will be processed. In addition, article 34 emphasises that personal data controllers must also assess the impact on personal data protection if the data processing is considered high-risk to the subject.
Under article 58, the government takes the role of implementing the protection of personal data in accordance with the law through the establishment of a data protection institution that will be directly appointed by (and responsible to) the president. This institution will be mandated to carry out the formulation and stipulation of policies and strategies for personal data protection, supervision, administrative law enforcement, and facilitating dispute resolution outside the courts.
In short, the PDP Law formulates far more significant policies than before, where corporations will be subject among other things to hefty fines of up to 2% of annual income or revenue for failure to notify the data subject and authority on a data breach within 72 hours. While some may argue the 2% fine is considered low for large corporations, given the sensitive nature of biometric data, businesses should anticipate and be ready for this very short notification period compared to the previous 14 days’ notice.
LOOKING AHEAD
The metaverse might indeed be one of the answers to strengthening the digital economy in Indonesia. However, alongside increasingly advanced technology today, cyberattacks are not expected to stop. Biometric data, as an integral part of the metaverse, is and always will be very sensitive and high-risk information that needs special attention. The PDP Law is seen to have set more specific regulations for biometric data protection, where the processing must be carried out strictly and in a very limited manner. As the world expects the use of more advanced technology will continue to evolve in today’s business landscape, it will be interesting to see how the current laws and regulations effectively stand at the forefront, as guardians at the gate.
While the PDP Law mandates the establishment of an authority governing data protection, it also remains to be seen whether such an authority will be fully independent. It may be worth considering establishing an independent biometric data monitoring function, with the highest standard of supervisory functions, regulating standards for the acquisition, processing, supervision and destruction of biometric data to prevent future cyber threats.
Finally, it is also important that law enforcers have sufficient capability and capacity (including advanced technical support) to ensure that any violations of personal data protection are investigated and punished in accordance with the law to create a formidably strong deterrent effect, since it is almost impossible to undo the damage once personal data are unlawfully leaked.
MELLI DARSA & CO
Indonesian member law firm of PwC global network
World Trade Center III
Jl Jenderal Sudirman Kavling 29-31, Kuningan
South Jakarta – 12920, Indonesia
Tel: +62 21 521 2901
Email: id_contactus@pwc.com