Jakarta – The enactment of the Data Privacy Law by the House of Representatives on Tuesday is a step in the right direction, but we should be aware that the legislation is no panacea for a plethora of problems we now face in our increasingly digital life.
The legislation is far from perfect, but it is better than nothing, given its urgency. It was deliberated and finally approved amid a series of data-breach incidents exposing how ridiculously vulnerable our digital infrastructure is. In the words of one digital-security expert, our private data was just "sitting there" waiting to be harvested by malignant hackers who think our digital-security system is managed by a 14-year-old.
The government's response to a slew of non-traditional threats in cyberspace, particularly hacking, has been disappointing at best and farcical at worst.
In response to the data breaches committed by Bjorka and the subsequent threats he made against the government, a senior Communications and Information Ministry official politely asked him: "If you can, do not attack us." His statement triggered an avalanche of memes on social media to make one point: a plea is not the best response to threats.
The government has set up a special team to curb data-breach incidents involving government institutions, but it is not clear what it is planning to do. What is now clear is that, regardless of who Bjorka is, or what his real motive is, the mysterious hacker is not our biggest threat. Our sheer technological incompetence is.
That is why the new legislation alone is not enough.
That said, a clear legal framework as an overarching institution to boost our digital resilience is still a necessity. Our priority now is to ensure that the implementing regulations of the law address the contentious issues within the bill.
The law, for instance, still stipulates that a data protection oversight agency should be created to hold state and public institutions holding our private information accountable. However, the law also states that the agency would be part of the executive body, and its institutional design would be left to the discretion of the President.
Critics have raised some valid questions about the provision – will the agency be able to probe and impose penalties against government institutions when it is under the auspices of the President? Is it powerful enough to punish ministries?
In the meantime, the private sector is concerned that the legislation would unfairly target them with "exorbitant" fines. The law stipulates fines of up to 2 percent of annual revenue for organizations guilty of exposing private information.
These provisions should be made clear, or the law would make no difference. For it is critical that we have a piece of legislation in place to ensure we have accountability for every major data-breach incident that affects members of the public.
The list of things to do is long, but we believe that is the first step in creating a robust digital-security infrastructure capable of fending off external attacks.
In a brave new digital world, digital resilience is a must.