Ghina Ghaliya, Jakarta – Businesses that manage large quantities of the public's data have asked the House of Representatives not to regulate anonymized data in the personal data protection bill, saying that it could hamper their business development.
The businesses – grouped under the Indonesian Hospital Association (PERSI), Indonesian E-Commerce Association (iDEA), the Association of Indonesian Financial Technology (Aftech) and the US-ASEAN Business Council (USABC) – expressed their concerns in a hearing about the bill with House Commission I overseeing defense, foreign affairs, information and intelligence on Monday.
"We must distinguish aggregate data and individual data. Aggregate data is unidentified, unlike individual data. Unidentified data should be excluded from this regulation," Bima Laga of the IdeA said.
Budi Sampurna of the PERSI echoed Bima's sentiments, saying that hospitals normally classed anonymized behavioral data of their patients as non-personal data.
He added that all patient personal data should be considered confidential, which could not be transmitted or opened without the patient's consent, except in certain circumstances.
Lawmakers questioned the businesses' arguments for excluding anonymized data from the bill, saying that companies should get the data holders' permission to use it in creating behavioral profiles.
"We understand the businesses' concern, but for me, whatever the purposes are, they should have the owner's consent," Charles Honoris of the Indonesian Democratic Party of Struggle (PDI-P) said.
Fellow PDI-P lawmaker Bobby Adhityo Rizaldi agreed, saying one of the bill's objectives was to regulate encrypted and anonymized behavioral data as well as administrative data.
"That's the main objective of this bill. Not regulating it means the bill would be totally different from what we're expecting," he said.
The European Union's General Data Protection Regulation (GDPR) considers pseudonymous or encrypted data as a part of personal data as it can be used to re-identify a person.
However, personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data, and for data to be truly anonymized, the anonymization must be irreversible.
The House aims to complete deliberation on the bill by October 2020.
In addition to data pseudonymization and anonymization, several issues remain up for debate. Critics have warned of the potential for abuse of power due to the unequal sanctions for personal data misuse conducted by the government, private sector and the public.
The bill also does not include clear provisions on the establishment of an independent data protection authority to monitor and analyze the use of personal data in the proposed bill.