Lack of Protection: Individual and Data Protection Regulation
Sun, 30 Sep 2018 || By Sri Handayani Nasution

In the digital era, personal data protection is not a novel issue anymore. The increasing usage of devices and the production of a large amount of data create the urgency to build personal data protection mechanism. It is shown by the fact that at least 90% of the data in this world is produced within the last few years only.[1] Individual users are the main actor in the world of data production, especially as the access to devices becomes easier. However, this trend bears a negative consequence. The exploitation and misuse of an individual's personal data have become a common case in this digitalized world.

Q1: What is the current state of individual data protection regulation in the international level?

A1: Until recently, the international society still has not formulated any international law in regards to personal data protection. However, the matter of personal data protection has been widely recognized as a part of individual’s rights to privacy, for instance in Article 12 of Universal Declaration of Human Rights and Article 17 of International Convention of Civil and Political Rights.[2] The protection of individual’s privacy in cyberspace then explicitly acknowledged in one of the resolutions of United Nations General Assembly: resolution 68/167.[3] Although these instruments highlight the importance of an individual's privacy, it does not provide the mechanisms of personal data protection in cyberspace especially in regards to personal data processing and the transfer of personal data. The lack of such mechanism is primarily caused by the difficulty to harmonize the law of personal data protection in each country in this world.[4]

Finally, in 2016, the European Union managed to create a more comprehensive regime that specifically regulates about the personal data protection: GDPR (General Data Protection Regulation). GDPR tries to harmonize the laws that regulate the behavior of every actor involved in data collection and distribution of each member states of EU.[5] GDPR tries to formulate a solution to the issues of personal data regulation that has been addressed before. GDPR now has the extraterritorial applicability, the individuals' ownership of his or her own data, and the punishment mechanism for those who violate the rules.[6] However, GDPR is the product of a regional organization in Europe. Even if GDPR has the capability to regulate the behavior of private sectors or other parties that have the ability to collect and process personal data of its people, the fate of the individual's personal data outside of its jurisdiction is still unclear, or worse, unprotected.

data protection regulation

Q2: How does the government of Indonesia regulate the personal data protection?

A2: The newly amendment Information and Transaction Act of 2016 becomes the pioneer to Indonesian’s law to regulate the behavior of actors in cyberspace. The issue of personal data protection is mentioned explicitly in Article 26 of the Act.[7]  Interestingly, this act also consists of the acknowledgement of individual’s authority and rights to erase his or her own information in cyberspace at will. This feature is essential in the regime of personal data protection. The right to be forgotten of an individual indicates the increasing control of individuals for his or her property at the expense of the decreasing control of other parties to this matter. Sadly, this feature is not being followed by a thorough transparency mechanism to ensure that the process of collecting, using, and processing of personal data is being conducted with the informed consent of an individual. At the end of the day, even if the individual can erase his or her information, they are still uninformed and unaware about the types of data other party has managed to collect on them.

Other than that, the Information and Transaction Act has yet to have the capability to hold organizations, institutions, and or corporations accountable for their violation of privacy and data collection without the informed consent of the individual. Within the clauses of the Act, Person (specifically refer to an individual) is the only actor that becomes subject to law, meaning it is only an individual that can be punished for his or her violations of the law in cyberspace. The lack of mechanisms to regulate and hold a group of people accountable for their act of violations is a problem to the personal data protection regime. It is a fact that the entities who have access to an individual’s personal data in cyberspace are institutions, organizations, and or corporations. Often, the exploitation and misuse of individuals’ personal data are being done by these collective entities (usually corporations) to gain profits. Therefore, because of the reasons stated above, the Information and Transaction Act still unable to be the instrument to protect the personal data of individuals.

Q3: What is the implication of the lack of regime that regulates personal data processing?

A3: At the very least, there are three implications of this condition that harmed the individual users. First, there is a high chance of corporate's utilization of individual users’ personal data for political purposes without the consent of the data owner. This happened in the case of Cambridge Analityca that collects personal data information through an online questionnaire to steer the public's opinion about the 2016 presidential election of the United States of America.[8] Second, the lack of regime will result in the unequal power relations between the data processor (corporation) and the owner (individuals). With the assumption of data as a commodity, the trade and transfer of personal data often happen without the consent of the individuals. The lack of transparency and the inexistence of informed consent system become the contributing factor to this phenomena. In the practice of data transfer and trade for the purpose to create personalised ads, corporation profited from the personal data meanwhile the individuals suffer from the exploitation that has been done without their awareness. Third and last of all is the lack of individual’s control upon their own personal data. Other than their consent and knowledge about their data’s whereabouts, the lack of data protection regime shut the opportunities for individuals to enter and exit from the digital agreement that they (unconsciously) have entered before.[9] Without this mechanism, they cannot erase their own information at will.

Even if the urgency of personal data protection is rising, we do not yet have a strong and extensive regulation for the protection of personal data in either international or national level. The individuals, in this case, are often exploited and harmed without them knowing. The formulation and effort to strengthen the existing regime become more critical for the future of data protection.

Editor: Lia Wulandari & Treviliana Eka Putri

Read another article written by Sri Handayani Nasution or article about Data Protection.

[1] Wu, X. Zhu, X. Wu, G-Q. and Ding, W. (2014). Data Mining with Big Data. IEEE Transactions on Knowledge and Data Engineering. Vol. 26 (1). p. 97

[2] Bygrave, L. (2010). Privacy and Data Protection in an International Perspective. Scandinavian Stud. L. p. 180

[3] General Assembly resolution 68/167. (2014) The Right to Privacy in Digital Age. A/RES/68/167. Available at: Accessed 15 September 2018.

[4] Ibid, 180-199

[5] GDPR, GDPR FAQ. [online] EU GDPR. Available at: Accessed 15 September 2018.

[6] GDPR. GDPR Key Changes. [online] EU GDPR. Available at: Accessed 15 September 2018

[7] The President of the Republic of Indonesia. (2016). Undang-Undang Republik Indonesia Nomor 19 Tahun 2016 Tentang Perubahan Atas Undang-Undang Nomor 11 Tahun 2008 Tentang Informasi Dan Transaksi Elektronik.

[8] Osborne, H. and Parkinson H. (2018). Cambridge Analytica Scandal: The Biggest Revelations So Far. [online] The Guardian.  available at: Accessed 15 September 2018

[9] Victor, J. (2013). The EU General Data Protection Regulation: Toward a Property Regime for Protecting Data Privacy. The Yale Law Journal. Vol 123 (2). p.520