Privacy vs. Security: Questioning Personal Data Protection in Indonesia’s Mandatory SIM Card Registration Program
Mon, 12 Mar 2018 || By Faiz Rahman

Introduction

The Ministry of Communication and Information Technology issued a mandatory SIM Card registration policy for all Indonesian citizens in late 2016, regulated in the Minister of Communication and Information Technology Regulation No. 12 of 2016 juncto Minister of Communication and Information Technology Regulation No. 14 of 2017 regarding Telecommunication Services Customer Registration. In the beginning, this policy raised controversy among the public concerning its purpose. Back then, some hoaxes circulated that persuaded the public not to register their number.[1] Despite the controversies, this policy was finally implemented on 31 October 2017. Before Indonesia, many countries like Thailand, Africa, Spain, Italy, France, and Greece had already implemented this kind of policy.[2]

According to the Ministry of Communication and Information Technology, this policy aims to grant protection and comfort to customers, minimize crime and fraud, and facilitate the tracking of a lost phone.[3] Moreover, it is part of the government’s efforts to implement the National Single Identity, which is to connect cellular operator systems to the Department of Population and Civil Registration database.[4] To register their SIM Card, citizens must input their National Identification Number (NIK) and Family Card Number (FC Number). Thus, their cellular phone number will be connected to their identification number. All citizens should have registered their SIM Card no later than 28 February 2018, or their phone number will be blocked gradually and can no longer be used.[5]

Controversies Surrounding the SIM Card Registration Process

During the registration process, several issues occurred. Some of the most controversial issues have been errors and failures in the registration process and the incompatibility of NIK and FC Numbers.[6] These issues have prompted some people to search the Internet for available NIK and FC Numbers that can be used to register their number. There were several websites that could illegally generate NIK and FC Numbers, although these websites cannot be accessed anymore.[7] A citizen named Aninda Indrastiwi contended that her NIK and FC Number were being used to register more than 50 unknown numbers illegally.[8] The incident sparked a rumor concerning alleged NIK and FC Number data leakage during the mandatory SIM Card registration process. This rumor was clarified by the Ministry of Communication and Information Technology, which assured the public that there was no data leakage, but only abuse or unauthorized use of NIK and FC Numbers by some irresponsible individuals.[9] As of now, the reports concerning the misuse of NIK and FC Numbers are being investigated by the Ministry and the police.

Although the data leakage rumors were already clarified by the Ministry, the fact that there were illegal websites which could generate a compatible NIK and FC Number, as well as Aninda Indrastiwi’s case, indicates the potential for abuse of personal data by irresponsible people. If not handled properly, this issue could become a disaster for society’s privacy and personal data protection, especially in the era of big data, where many government institutions and private companies can easily generate, collect, and even utilize vast quantities of data, including personal data. A prime example of this is the making of E-KTP, where the government has collected citizens’ biometric data such as fingerprints, face and retinal recognition. If these data are leaked or hacked, criminals can use our biometric data to access our biometric-secured files which are stored digitally, or even use it to commit crimes without us ever knowing. In another example, e-commerce companies also collect their customers’ location data,[10] and ‘disclose’ it to shipping companies to send the ordered goods to their customers, since e-commerce companies cannot send products to their customers if they don’t ‘disclose’ the location data to the shipping companies. As these types of data are susceptible to abuse, personal data protection, either formal (through laws and regulations) or technical (information security technologies), once again becomes a very crucial matter to be resolved.

Lack of Specific Regulation

As is known, there is currently no specific Law or Regulation concerning personal data protection in Indonesia. The legal basis of (electronic) data protection can only be found in Law No. 11 of 2008 juncto Law No. 19 of 2016 concerning Electronic Information and Transaction (EIT Law/UU ITE), as well as its implementing regulations.[11] However, there are very few provisions concerning personal data and its protection mechanism. There is only 1 Article in the ITE Law concerning notification of personal data usage.[12] The definition of ‘personal data’ can be found in Government Regulation No. 82 of 2012, although it is very broad and general.[13] Moreover, there is no specific personal data classification and protection mechanism stipulated in those laws and regulations. Such minimal provisions can lead to broad interpretations and are prone to abuse. Furthermore, according to ELSAM, there are at least 30 Laws that are associated with personal data protection, even though these Laws overlap one another.[14] The overlapping includes the data processing and data disclosure purpose, data usage notification, permission for data disclosure, and sanctions or criminal provisions.[15]

Learning from Other Countries: UK’s Data Protection Act

As a comparison, the UK is one of the countries that has long had a specific data protection law, which is stipulated in its Data Protection Act 1998 (DPA). Additionally, the EU General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018.[16] The UK’s DPA regulates in detail the classification of personal data (general and sensitive personal data), rights of the data subject[17], responsibilities of the data controller[18] and data processor[19], transfer of any personal data, exemptions, enforcement, as well as remedies, liability, and penalties.[20] In contrast, to date, Indonesia still has no specific regulations on personal data protection, especially concerning clear data classification and protection mechanisms. The existence of specific and clear provisions concerning the matters mentioned above is essential as a formal protection of personal data. With such provisions, there will be clear boundaries on what can and cannot be done by the stakeholders with the personal data they hold (depending on the type of data), and on what sanctions and enforcement mechanisms will apply to any violations or crimes related to personal data.

Conclusion

Finally, although data collection by government institutions and private companies is aimed at improving the quality of services to the public and customers, there is a high probability of threats to and abuses of personal data. Therefore, in an era where vast data collection becomes mainstream, the stipulation of a clear regulation on personal data protection should become the priority for Indonesia’s House of Representatives (DPR) and the government. They need to protect citizens’ privacy rights and personal data security, as well as to set clear boundaries for the stakeholders concerning personal data utilization. This regulation is of paramount importance considering that the trend of vast data collection will continue to rise. Thus, legal certainty regarding the guarantee of personal data protection becomes crucial in an era where a vast amount of data is stored digitally.

Editors: Atin Prabandari, MA(IR) & Nabeel Khawarizmy Muna, S.IP

Picture: pexels


[1] Hakim, R. N. (2017). Hoax Registrasi Data Seluler Bisa Disebar oleh Penjahat Siber [online] Kompas. Available at: https://nasional.kompas.com/read/2017/11/04/11221401/hoax-registrasi-data-seluler-bisa-disebar-oleh-penjahat-siber [Accessed 6 Mar. 2018].

[2] Bloemendaal, J. Mobile Identity Verification, Key to Mitigate the Effects of EU’s Mandatory SIM Card Registration [online] Mitek. Available at: https://www.miteksystems.com/blog/mobile-identity-verification-key-mitigate-effects-eu-s-mandatory-sim-card-registration [Accessed 6 Mar. 2018]. See also Donovan, K. P., and Martin A. K. (2014). The Rise of African SIM Card Registration: The Emerging Dynamics of Regulatory Change, First Monday, 19(2). Available at: http://firstmonday.org/ojs/index.php/fm/article/view/4351/3820 [Accessed 6 Mar. 2018].

[3] Biro Humas Kementerian Kominfo. (2018). Hindari Pemblokiran, Pemerintah Imbau Masyarakat Segera Registrasi Sebelum 28 Februari 2018 [online] Ministry of Communication and Informatics. Available at: https://www.kominfo.go.id/content/detail/12647/siaran-pers-no-54hmkominfo022018-tentang-hindari-pemblokiran-pemerintah-imbau-masyarakat-segera-registrasi-sebelum-28-februari-2018/0/siaran_pers [Accessed 6 Mar. 2018].

[4] Yusuf, O. (2017). 7 Hal yang Wajib Diketahui Soal Registrasi Kartu SIM Prabayar [online] Kompas. Available at: https://tekno.kompas.com/read/2017/11/01/20190067/7-hal-yang-wajib-diketahui-soal-registrasi-kartu-sim-prabayar [Accessed 6 Mar. 2018].

[5] Biro Humas Kementerian Kominfo. (2018). Penghentian Layanan Bertahap Kartu Prabayar Telekomunikasi [online] Ministry of Communication and Informatics. Available at: https://www.kominfo.go.id/content/detail/12688/siaran-pers-no-62hmkominfo022018-tentang-penghentian-layanan-bertahap-kartu-prabayar-telekomunikasi/0/siaran_pers [Accessed 6 Mar. 2018].

[6] See Santhika, E. (2018). Kominfo Sebut Situs Berikan NIK dan KK Gratis ‘Pelanggaran’ [online] CNN Indonesia. Available at: https://www.cnnindonesia.com/teknologi/20180301173056-213-279773/kominfo-sebut-situs-berikan-nik-dan-kk-gratis-pelanggaran [Accessed 6 Mar. 2018].

[7] Librianty, A. (2018). Beredar Situs Web Diduga Penyedia KK dan NIK Gratis [online] Liputan6. Available at: http://tekno.liputan6.com/read/3347093/beredar-situs-web-diduga-penyedia-kk-dan-nik-gratis [Accessed 6 Mar. 2018].

[8] For instance, see Ayuwuragil, K. (2018). Kominfo Akui ‘Pencurian’ NIK dan KK Saat Registrasi Kartu SIM [online] CNN Indonesia. Available at: https://www.cnnindonesia.com/teknologi/20180305204703-213-280691/kominfo-akui-pencurian-nik-dan-kk-saat-registrasi-kartu-sim [Accessed 6 Mar. 2018].

[9] Biro Humas Kementerian Kominfo. (2018). Kemungkinan yang Terjadi Saat ini Penyalahgunaan NIK dan KK Yang Digunakan Registrasi Tanpa Hak dan Bukan Kebocoran Data [online] Ministry of Communication and Informatics. Available at: https://www.kominfo.go.id/content/detail/12713/siaran-pers-no-66hmkominfo032018-tentang-kemungkinan-yang-terjadi-saat-ini-penyalahgunaan-nik-dan-kk-yang-digunakan-registrasi-secara-tanpa-hak-dan-bukan-kebocoran-data/0/siaran_pers [Accessed 7 Mar. 2018].

[10] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), Art. 4(1). Location data is one of the personal data types defined in the GDPR.

[11] For instance, Government Regulation No. 82 of 2012 regarding the Implementation of Electronic System and Transaction; and Ministry of Communication and Informatics Regulation No. 4 of 2016 concerning Information Security Management System.

[12] See Law No. 11 of 2008 jo. Law No. 19 of 2016 concerning Information and Electronic Transaction, Art. 26.

[13] See Government Regulation No. 82 of 2012 concerning Implementation of Electronic System and Transaction, Art. 1(27).

[14] Sanjaya, D. (2017). Kebutuhan Akan UU Perlindungan Data Pribadi Kian Mendesak [online] ELSAM. Available at: http://elsam.or.id/2017/05/kebutuhan-akan-uu-perlindungan-data-pribadi-kian-mendesak/

[15] Ibid.

[16] See Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), Art. 51(4).

[17] Data subject means any individual who is the subject of personal data. (Data Protection Act 1998 (UK), Art. 1)

[18] Data controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. (Data Protection Act 1998 (UK), Art. 1)

[19] Data processor means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. (Data Protection Act 1998 (UK), Art. 1)

[20] See Data Protection Act 1998 (UK).