Lately, the issue of personal data leaks, and of the leaked data then being offered for sale, has again spread. The incidents have struck not only personal data managed by corporations but also data held by a government agency. The public is worried and asks why such incidents occur so often and why there appears to be no law enforcement. Every personal data leak seems to end with the news report. Corporations and the related agencies appear to consider it enough to notify the public by issuing statements and clarifications. As a result, the perpetrators of personal data theft appear to stroll about freely, carrying out these actions and seemingly feeling free to buy and sell personal data as a livelihood, offering it through darknet sites.
Meanwhile, a data leak is likely not only the result of an attack from outside; it may also be an act of disclosure from within the organization itself. To clarify this, proof is certainly needed, and that proof cannot rest on the statement of one party alone: it must also be established by audits from other parties or the related agencies. The government, through the sectoral institutions empowered by law, has the duty, function and authority to supervise the protection of the public's personal data. Worryingly, the public will judge that corporations and the related institutions have no legal awareness of their obligation to protect the public's personal data.
It seems as though there is nothing the community can do to demand better protection, because corporations and the related agencies appear to underestimate the problem: the incidents keep recurring without clear law enforcement. Is there really no rule of law under which an electronic system provider is liable for a leak? Does the public have to wait for the Draft Personal Data Protection Bill (RUU PDP) to be passed before these actions can be held liable? This paper aims to remind all parties of the legal liability for personal data leaks, whether civil, administrative or criminal.
Protection of Privacy and Personal Data and Electronic System Security
Historically, the terms privacy and personal data are not really new. Although the International Covenant on Civil and Political Rights (ICCPR) does not explicitly mention the term 'personal data', the protection of personal data is substantially part of everyone's privacy or personal life. Protection of personal data is regulated not only in the European Union (General Data Protection Regulation / GDPR) but also in other regions such as Africa (African Union Convention on Cyber Security and Personal Data Protection) and Asia. The ASEAN Human Rights Declaration (2012) explicitly states that personal data is part of privacy, even though it does not describe this in more detail.
In Indonesia itself, philosophically, respect for privacy should also be understood as an embodiment of the second principle of Pancasila, namely Kemanusiaan yang Adil dan Beradab (Just and Civilized Humanity). The terms privacy and personal data have been known and included in legislation since Law No. 39 of 1999 concerning Human Rights. Furthermore, 'personal data' is also mentioned and regulated in various subsequent laws, such as Law (UU) No. 23 of 2006 jo. UU No. 24 of 2013 concerning Population Administration, Law No. 36 of 2009 concerning Health, Law No. 43 of 2009 concerning Archives, and Law No. 11 of 2008 concerning Information and Electronic Transactions (UU ITE) and their amendments.
In other words, the current national legal system does protect privacy and personal data, but the provisions are scattered according to the characteristics of each sector. Although there is no specific law, this does not mean there is no provision at all (a legal vacuum) for the theft or leaking of personal data. In particular, with the existence of Government Regulation (PP) No. 71 of 2019 and PP No. 80 of 2019, both of which also regulate aspects of personal data protection, every electronic system provider should meet the legal compliance requirements for personal data protection specified in the laws and regulations. In these two PPs, the principles of personal data protection based on accepted norms (best practices) have been accommodated in Article 2 paragraph (5) of PP No. 71/2019 and Article 33 of PP No. 80/2019, and administrative sanctions are also threatened for non-compliance with these rules.
Civil Law Responsibility
Article 26 of the ITE Law states that anyone may file a lawsuit over the acquisition of their personal data without their consent. At the very least, PDP violations can be sued as Unlawful Acts (PMH), either on the basis of fault under the provisions of the Act (Article 1365 of the Civil Code) or on the basis of negligence or carelessness (Article 1366 of the Civil Code). Article 3 of the ITE Law establishes the precautionary principle and also places responsibility on every Electronic System Operator (PSE), corporate and governmental alike, to implement electronic system accountability: the system must be reliable, secure and operated responsibly.