Private Data Protection Bill over Possibly a Better Legal Protection Against Stalkerware in Indonesia
Thu, 26 Dec 2019 || By Andja Karunia

The act of digitally tracking or stalking unsuspecting people have been reported to be a growing problem, according to experts.[i] Alongside that fact, nearly 20% of domestic abuse victims in Australia are reported to have been tracked through GPS.[ii] Kaspersky has recorded that there are up to 380 variants of stalkerware roaming the web.[iii] Kaspersky has also noted the apparent rise in its user base. Indicating this detrimental deliberate breach of privacy in the global stage, naturally, Indonesia is not impenetrable to this issue. These cases, in particular, focuses on the lack of consent in digital activities.

The established instruments regarding digital activities so far are the Electronic Information and Transactions Law of 2008, with all of its insufficiencies. The remedy can be argued to be in the form of a Private Data Protection bill, which tackles the usage and processing of data in a more detailed manner. Even though we can argue that there is no prominent case of stalkerware usage in Indonesia, this article views the need to preemptively discuss the matter of protection, taking into account the global trend.

This article will try to answer two questions: (1) why is the EIT Law insufficient in protecting Indonesians from stalkerwares and (2) how can the PDP bill protect Indonesians from stalkerware.

Regarding the first question, this article argues that the EIT Law (UU ITE) is predominantly used only to empower the elites in their capacity to prosecute those people who criticize them.[iv] Regarding the second question, this article argues that the Private Data Protection bill seconds many ideas that are embedded within the General Data Protection Regulation by the EU.[v]Thus, the bill would provide better protection for individuals from cyber deception.


Q1: Why is the EIT Law insufficient in legally protecting Indonesians from stalkerwares?

This article would argue that the ICT Law would be an impotent instrument to be used to tackle the usage of stalkerwares since it is more often used by the elites to prosecute those who they think is provoking credibility to their status.[vi] These elites, especially political officials, are the primary utilizers of EIT Law, which usually use the law to invoke the defamation clause, referring to chapter VII of the law regarding prohibited acts.


Additionally, within its heart and history, the EIT law has its shift of focus even from its conception. One of the experts responsible for the creation of the law states that lawmakers and experts differ in their respective concentrations. The latter focused on the regulations regarding broadcasting that was salient at the time. Meanwhile, the former departed from the focus mentioned above to gaze more on the sections regarding defamation.[vii] What's more troubling is the fact that the section on defamation was an 'added' issue from lawmakers, which was not discussed initially in the drafting process. In conclusion, one can argue that neither of the focus of these two groups of stakeholders takes into account the handling of private data, thus resulting in a lack of protection against possible stalkerware exploits to personal data.


Q2: How can the PDP bill preventively protect Indonesians from possible stalkerwares attacks?

The Private Data Protection bill proposes to provide mechanisms for the Indonesian government in data protection is quite similar to the GDPR of the European Union.[viii] The part regarding the consent of the people providing data and the availability of immediate termination for data collection proves how data protection is more or less the tip of the blade of this bill.[ix] The benefits of passing this bill may come from the focus of the bill, which is the consent-centric rules. This focus can better protect people from stalkerwares since the usual victims are people whose phones are operated illegally by the perpetrators, which violates consent.


Differing from the EIT Law, the PDP bill even considered by experts as being more aligned with issues related to the proper treatment of personal data.[x] Furthermore, we can see such a focus on consent in several articles within the bill. These focus on consent can be seen, such as in article 17 on the requirement of validity for private data processing which also discusses the urgency for the requirements. Also in article 18 on terms of approval of data processing which concerns itself on verbal or recorded consent in which this article argues that such elaborations ride within the bill. Thus providing a broader specificity on the matter of private data, thus legally protecting citizens from incoming stalkerware exploits more specifically within the legal context.

Editor: Amelinda Pandu Kusumaningtyas
Read more article written by Andja Karunia

[i] DW News (2019). The dangers of stalker were | DW News. [video]. Available at: [Accessed 30 Oct. 2019].

[ii] Ibid.

[iii] Kaspersky (2019). The State of Stalkerware in 2019 | Securelist. [online]. Available at: [Accessed 30 Oct. 2019].

[iv] Gerintya, S. (2018). Jerat UU ITE Banyak Dipakai oleh Pejabat Negara. [online]. Available at: [Accessed 31 Oct. 2019]

[v] Qur’ani, H. (2019). 3 Poin Ini Perlu Dipertimbangkan dalam Draf RUU Perlindungan Data Pribadi. [online]. Available at: [Accessed 31 Oct. 2019].

[vi] Kumparan. (2017). Kala UU ITE Makan Korban Rakyat Sendiri di Era Reformasi. [online]. Available at: [Accessed 22 Nov. 2019].

[vii] Ibid.

[viii] Qur’ani, H. (2019). 3 Poin Ini Perlu Dipertimbangkan dalam Draf RUU Perlindungan Data Pribadi. [online]. Available at: [Accessed 31 Oct. 2019].

[ix] See the Private Data Protection Bill 2019. Ch. III on the right of the private data holder. [online]. Available at: [Accessed 22 Nov. 2019].

[x] Purnamasari, D. M. (2019). Elam Nilai UU Perlindungan Data Pribadi Lebih Dibutuhkan daripada UU KKS. [online]. Available at: [Accessed 22 Nov. 2019].