Along with the boom in e-commerce and fintech has come the risk of data breaches and leaks. The Indonesian government and parliament have now agreed that victims should be able to sue platforms for violations in the handling of personal information, including data leaks.
The issue will be regulated in the updated version of article 13 of Indonesia’s data protection bill, which was discussed between the Communications and Information Ministry and members of the Parliament on Monday.
“The perpetrators can be prosecuted in court, while victims can sue the company for compensation,” said the ministry’s Semuel Ajibrani Pangerapan, according to a parliament meeting document. He added that the compensation can take any form preferred by the victim. “This is because there is an obligation [for platforms] to protect [user’s] data. If there’s a leak, it’s because of their [platform’s] negligence,” Pangerapan said.
Indonesian digital platforms have faced a number of significant data breaches this year. E-commerce giant Tokopedia suffered an alleged 91-million data leak, while fintech aggregator Cermati reported that the personal information of 2.9 million users had been compromised.
Sinta Dewi Rosadi, an associate professor at the Padjajaran University’s faculty of law, said that the bill will put the responsibility of data leakage or breach to the right parties—company or institution. “Before they accuse a third party, like hackers, for the leakage, they should prove that there’s no problem with their system first,” she told KrASIA.
Rosadi, however, added that the current bill still needs to define what is categorized as a data leak or breach. “They only specified what is considered as illegal data processing or illegal harvesting,” she said.
Under the existing law, such as the electronic information and transactions law or the government regulation 71/2019, platforms don’t face any consequences for user data leaks. As for the perpetrators, they could be sentenced for a maximum of 12 years of jail time, and fined up to IDR 12 billion (USD 852,000).
Personal data includes name, national identity card number, address, and biometric data, among others. Indonesian President Joko Widodo submitted the data protection bill draft to the parliament in January this year. However, it is still discussed by the parliament and might be passed into law in 2021.