Page 93 - AEI Insights 2019 - Vol. 5, Issue 1
P. 93
Ariadno and Bajrektarevic, 2019
The government, with the mandate of its authority to protect the public (public trust doctrine),
must manage the personal data fairly and accountably. The GDPR also encourages the
formation of an independent personal data protection supervisory institution so that it can
correct the policies and rules of the bureaucracy and state administration to act accordingly in
managing the personal data of the population. Moreover, every democratic government should
be more proactive in protecting society when comes to the management of the personal data of
its residents.
Interestingly, the Indonesian legislation already has instruments that follow notion of the
GDPR. Thus, the Law No. 11 on Information and Electronic Transactions of 2008 (by a letter
of its article 2) emphasizes the principle of extra-territorial jurisdiction. (In this particular case,
it is related to the cross-border transactions. Indonesia should always safeguard its national
interests: the RI jurisdiction stretches on any legal action that apply in Indonesia and/or carried
out by Indonesian citizens. But it also applies to legal actions carried out outside of Indonesian
jurisdiction by Indonesian citizens or a foreigner legally residing in RI, or Indonesian legal
entities and foreign legal entities that produce legal effects in Indonesia.
This of course assumes the very nature of a use of Information Technology for Electronic
Information and Electronic Transactions, which can be cross-territorial and even universal.
What is assumed by this Law as "harming the interests of Indonesia" goes beyond pure national
economic interests, while protecting strategic data, national security, territorial integrity and
sovereignty, citizens, and Indonesian legal entities.)
When comes to the Right to be Forgotten (Right for Privacy and Right for Dignity), Indonesia
must see it as a principle of real protection that is in the best interests of data owners. Further
on, such a right should be strengthened by the principle of 'without undue delay', as to avoid
the administrative obligation to request a court decision to uphold the right. On a long run, it
will surely benefit businesses far more than the personal data originators themselves.
Leading by Example
In line with the Right to Portability Data elaborated by the GDPR, Indonesia also needs to
closer examine the EU instruments. Hence, the EU Regulation No.910 / 2014 concerning
electronic identification, authentication and trust services (eIDAS) offers an idea how to
harmonize the provision of digital identity and personal data in realm of electronic
communications. (Electronic identification and authentication is a technology process that has
an economic value. Such a business opportunity should be reconciled with a safety and security
standards when comes to use of and traffic with of personal data for commercial interests.)
Regarding security, Indonesia must immediately have a clear policy on Cryptography to protect
personal data. Cryptography is a double-use process; it can be utilised for civilian purposes,
but it can also be used for the vital national interests, such as defense and security. Therefore,
privacy and cybersecurity protection is a complementary concept of protection. Holistic
approach strengthens the both rights of individuals as well as protection of national interests,
rather than it ever conflicts one over the other.
Finally, the ASEAN Declaration of Human Rights in its article 21 stipulates that the protection
of personal data is elementary part of Privacy. As one of the founding members, a country that
even hosts the Organisation’s HQ, Indonesia must observe the notions of this Human Rights
Charter. That is the additional reason why RI has to lead by example.
The EU’s GDPR clearly encourages a paradigm shift within the public services and
government administration services on national, subnational and supranational level for all the
93
