Yanuar Nugroho – Jakarta faces unprecedented pressure to get Indonesia's new personal data protection (PDP) law right from the get-go, lest a notorious hacker exposes more weaknesses in governance.
On 20 September 2022, Indonesia's House of Representatives (DPR) ratified the Personal Data Protection (PDP) bill as law, a long overdue development. This ratification will essentially support the government in realising Indonesia's national strategy for digital transformation.
Overall, the government seems to be optimistic about the PDP Law. Minister for Communication and Informatics Johnny G. Plate claimed that Indonesia is the fifth ASEAN country to have PDP regulations and believes the law embodies the government's protection of Indonesian citizens' private data. If successfully implemented, the law will provide a future-oriented regulatory framework and possibly stimulate reform in data governance for the government and non-government organisations.
Indeed, the PDP Law's implementation would strengthen the existing initiatives in cyber governance, which already have some regulatory basis, such as One Data Indonesia (presidential regulation or Perpres 39 of 2019), the One Map Policy (Perpres 9/2016 revised by Perpres 23/2021), and e-Government (Perpres 95/2018). It also closes the lacuna in Indonesia's governance framework on the protection of citizens' personal information and data, a lack that the government acknowledged years ago.
However, not all commentators are optimistic. The implementation of the new PDP Law already faces some serious challenges. First, the law stipulates the need for "implementing regulations" to be harmonised across government, from the executive (presidential) level to ministerial regulations. All of these supporting regulations need to be formulated inclusively. Second, what form the implementing agency will take as the highest PDP authority that reports directly to the president is still unclear. Many alternatives are being suggested and this authority could take at least a year to be established. The implementation of a comprehensive PDP framework inevitably will entail more complex debates.
Looking at Indonesia's legislative experience, the worry about a delay in the implementation of important laws is not baseless. For instance, the National System for Science and Innovation Law No. 11 of 2019 (UU Sisnas Iptek) was ratified in mid-2019 to mandate the formation of an independent Research and Innovation Agency (BRIN) but until now, the agency is not fully operational. The National Capital Law No. 3 of 2022 (UU Ibukota Negara, or the IKN Law) was extremely rushed – taking only 42 days from the first reading in parliament to passage. Its implementing regulations were quickly prepared but the IKN authority's structure was left incomplete, even now. The IKN authority's current head and his vice head are working without assistants or other organisational support. This has led to uncertainty whether the targets for the new capital's development can be achieved and if the government is serious about fully moving the capital.
The questions about the full implementation of the PDP Law loom large in the aftermath of the notorious hacker "#Bjorka case". This case, involving outrageous leaks of troves of personal information, has preoccupied Indonesians in the past month. Some observers question whether the case accelerated the ratification of the PDP Law, given the huge embarrassment it caused for the Indonesian government.
An audacious hacker or group called "Bjorka", formerly @bjorkanism on Twitter, serially published sensitive personal data and doxxed several Indonesian public figures. From 20 August to the second week of September 2022, Bjorka allegedly leaked and sold on dark sites the private data of millions of Indonesian citizens, supposedly taken from databases of Indonesia's private companies, state-owned enterprises, and even state agencies and ministries. Even private data such as the Covid-19 vaccination statuses of prominent persons such as Minister Plate, whose job scope ironically covers the prevention of such hacks, his fellow ministers Erick Thohir (state-owned enterprises) and Luhut Pandjaitan (Coordinating Minister of Maritime Affairs and Investment), and Puan Maharani (DPR Speaker) were leaked.
More seriously, Bjorka publicly accused retired former Kopassus (special forces) head and state intelligence officer retired general Muchdi as the alleged murderer of a human rights defender Munir. Munir's case made headlines in 2006 when a different individual was charged but then acquitted of Munir's murder in September 2004. Separately, Bjorka has leaked data belonging to Minister of Home Affairs Tito Karnavian and accused Karnavian of being involved in the recent high-profile murder of a police general's aide in the "Sambo case".
What Bjorka did has certainly angered public officials. Head of the Presidential Secretariat Heru Budi Hartono threatened to arrest the hacker for violating the Electronic Information and Transaction Law (ITE) Law. President Joko Widodo formed a special team to respond to Bjorka's 'attack' – a move which sparked mixed reactions. Critics feel Widodo is trying to address new problems (threats in the digital world) by using old or outdated approaches (coercive power). They argue that instead of prioritising the 'hunting' of Bjorka, the first thing the government must do is to improve its cyber and digital governance and then to ensure data protection is in place for citizens' private data and government data. The hunt for Bjorka has only embarrassed the administration: the wrong person, an individual from Madiun, East Java, whose initials were MAH, was arrested in mid-September. Other suspects were identified but to no avail.
Bjorka must be held accountable but the government also needs to be responsible for Indonesia's devastatingly weak cyber security regulations and digital capacity. The Bjorka case sends a loud and clear message: Indonesia's capacity in cyber governance must be improved if Indonesia is to enjoy the promise while facing the challenges and risks of fully embracing the digital economy.
The #bjorka case is merely a wake-up call. Governing in the digital era, Indonesia's government should prepare itself and protect its citizens by sharpening the saw that is the PDP Law: only bad workers blame their tools.