Understanding the Implementation of Personal Data Protection in Property Transactions.

Background

Human beings, as social creatures created by God, are inherently driven to live in communities due to their need for interaction and communication in daily life. This social nature necessitates the exchange of information. Personal data, being highly sensitive, is crucial and needs protection as it constitutes an individual’s privacy rights. Privacy is a constitutional right enshrined in the 1945 Constitution of the Republic of Indonesia, representing a state’s obligation towards its citizens.

In Indonesia, misuse of personal data for personal gain is a prevalent legal issue. The handling of such legal problems has not been optimal due to a lack of normative legal protection for personal data. The objective and focus of this study are to uncover the essence of legal protection of personal data as a privacy right and to explore how this protection is implemented in Indonesia. The research method used is normative juridical, with a conceptual approach. The results indicate that the essence of legal protection of personal data as a privacy right is a constitutional right of citizens.

The constitutional right covered by the 1945 Constitution includes 40 citizen rights, among which is the right to personal protection. This right is detailed in Article 28G, Paragraph (1), which states that citizens have the right to protection of their personal selves, family, honor, dignity, and possessions. This article assumes that personal rights are ownership rights. However, with the advancement of information and communication technology, personal rights should also be interpreted as privacy rights. Privacy rights are more sensitive and better represent personal rights. Personal rights are sensitive as they relate to personal data or identity, including ID cards, driver’s licenses, passports, family cards, taxpayer identification numbers, bank account numbers, fingerprints, and other distinguishing features.

Indonesia currently has many regulations regarding personal data protection, but they are scattered across various laws. The country now has a specific legislative framework for personal data protection, which could address various cases of personal data misuse. Indonesia has recently enacted the Draft Law on Personal Data Protection.

With the rapid technological advancements, people are required to adapt to ongoing changes, especially in telecommunications, where the need to access information and remain connected for social interactions is paramount. The public generally utilizes various communication tools to access needed information. Recently, Indonesia has faced numerous cyberattacks from cybercriminals leading to personal data breaches on several platforms.

One vulnerable party to personal data breaches is business operators. Business operators include individuals or entities, whether legal or not, operating within the jurisdiction of the Republic of Indonesia, either independently or collectively through business agreements across various economic sectors. Additionally, there are consumers, who are individuals or entities paying for services or products to meet their needs.

Given this context, legal protection is necessary to prevent potential losses due to negligence by business operators and consumers who misuse personal data for criminal purposes. The government has indicated that personal data regulation is currently embedded in several regulations. To enhance the effectiveness of personal data protection, President Jokowi signed Law Number 27 of 2022 on Personal Data Protection on October 17, 2022.

This law regulates both specific and general personal data. Specific personal data includes health data, biometric data, genetic data, criminal records, children’s data, personal statements, and other data as per legal provisions. General personal data includes full names, gender, nationality, religion, marital status, and/or combined data that can identify an individual.

The law also stipulates that it is prohibited to create false personal data or falsify personal data to benefit oneself or others, leading to potential harm to others. The law provides various sanctions, including administrative penalties such as written warnings, temporary suspension of personal data processing activities, deletion or destruction of personal data, and/or administrative fines, as well as criminal penalties of up to six years in prison and/or fines up to IDR 6 billion.

The enactment of the Personal Data Protection Law is expected to ensure and safeguard personal data protection. Additionally, offenders who misuse personal data for their gain may face deterrent effects due to administrative and criminal sanctions provided by the law. Comprehensive protection and effective implementation of this law will ensure data security for Indonesian citizens in an increasingly complex digital era.

It is also crucial to emphasize the need to continuously raise public awareness about the importance of protecting personal data. Education on how to safeguard personal data, recognize cyber threats, and actions to take if data is misused is necessary. The government, educational institutions, and various organizations must collaborate in campaigning for the importance of personal data protection. Additionally, cybersecurity technology must continue to evolve to address new and emerging threats.

Protection of Personal Data

Personal data refers to information that can identify an individual directly or indirectly. This includes data such as names, addresses, phone numbers, financial information, medical data, and other personal information that can be used to identify or contact someone. In the digital age, personal data is highly valuable and often becomes a target for various types of cyberattacks, identity theft, and information misuse. Personal data protection aims to safeguard this information from unauthorized use or dissemination and ensure that individuals’ rights concerning their data are respected and protected.

Personal data protection involves a series of measures to ensure that data is used ethically and securely. This includes implementing clear privacy policies, ensuring data is used only for agreed-upon purposes, and applying adequate security measures to protect data from unauthorized access. Legal regulations and laws on personal data protection play a crucial role in providing a legal framework and guidelines for appropriate data management.

In Indonesia, the protection of personal data is governed by Law Number 27 of 2022, which came into effect on October 17, 2022. This law introduces a comprehensive legal framework for protecting personal data from misuse and ensuring data control is carried out ethically and legally. It sets out various provisions, including administrative sanctions for violations, with administrative fines up to 2% of the violator’s annual revenue.

Law Number 27 of 2022 covers several important aspects of personal data protection. First, it requires organizations and companies managing personal data to have clear and transparent privacy policies. These policies must include information on how data is collected, used, stored, and shared, as well as individuals’ rights regarding their data. Second, the law mandates data controllers to obtain explicit consent from individuals before collecting or using their personal data.

Additionally, Law Number 27 of 2022 outlines individuals’ rights regarding their personal data. This includes the right to access data, correct inaccurate data, and request data deletion. The law also requires reporting data breaches to the relevant authorities and affected individuals to enhance transparency and accountability in data management.

Protection of Personal Data in Property Transactions

With advancements in information and communication technology, the way data and information are distributed and accessed has significantly changed. Digital technology allows for the instant distribution of information and facilitates online transactions. However, these changes also bring new challenges regarding personal data protection. Rapid data exchange and the formation of big data increase the risk of data theft and information misuse.

In the property sector, where transactions often involve sensitive personal data, protection is crucial. Property transactions frequently involve personal information such as identity, financial status, and credit history. This data must be strictly protected to prevent misuse and fraud. The need to protect personal data in property transactions becomes more urgent with the increased use of digital technology in buying, selling, renting, and managing properties.

 

Cases of Data Breaches and Misuse

In recent years, there have been numerous cases of data breaches and misuse of personal information. These cases span various sectors, including e-commerce, banking, fintech, and online transportation services. Examples of misuse include online sales of personal data, identity theft, and fraud involving personal data. For instance, leaked personal information may be used for credit card fraud, bank account theft, or extortion, causing financial and emotional harm to individuals.

Regulations and Obligations in Data Protection

Law Number 27 of 2022 is a crucial step in protecting personal data in Indonesia, but its implementation requires deep understanding and compliance from all parties. Data controllers, i.e., individuals or entities managing personal data, must ensure they comply with the law’s provisions on data collection, usage, and storage. They must also implement security measures to protect data from unauthorized access and ensure data is not disseminated without consent. The financial sector, heavily reliant on consumer personal data, must adhere to strict data protection policies. Regulations such as POJK Number 6/POJK.07/2022, issued prior to the PDP Law, provide guidelines for this sector. However, with the PDP Law in place, data protection in the financial sector must be updated and reinforced according to the latest provisions.

 

The implementation of the PDP Law faces several challenges. One is the need to educate companies and institutions about the law’s requirements and the importance of data protection. Many companies may not fully understand their obligations or the best practices for compliance. Therefore, training and resources to help companies implement appropriate privacy policies and security measures are essential. Additionally, evolving technology presents further challenges in data protection. For example, the use of artificial intelligence (AI) and data analytics can increase the risk of data misuse if not properly managed. Effective control and oversight are required to ensure technology is used in compliance with the law and protects individual privacy.

Data protection is a critical aspect of maintaining individual privacy in today’s digital age. With the enactment of Law Number 27 of 2022, it is hoped that personal data protection in Indonesia will be strengthened, providing better assurance of individual privacy rights. Implementing this law requires attention and compliance from various sectors, as well as government support in enforcing regulations. All parties—government, businesses, and individuals—must work together to create a secure and trustworthy environment for managing personal data. Addressing challenges in personal data protection requires ongoing efforts to understand, implement, and enforce appropriate policies. Only with a holistic and comprehensive approach can we ensure that personal data is well protected and individual rights are respected. Personal data protection is not just about complying with regulations but also about building trust and ensuring that every individual feels secure in an increasingly complex digital world.

Legal Basis

Article 28G, Paragraph (1) of the 1945 Constitution:

Every person shall have the right to protection of himself, his family, honor, dignity, and possessions that are under his control, as well as the right to feel safe and protected from threats or fears related to exercising or not exercising their fundamental rights.

Law Number 27 of 2022 on Personal Data Protection (PDP Law):

Article 1, Number 2:

This article outlines the comprehensive efforts required to protect personal data during its processing to ensure the constitutional rights of data subjects.

Article 4:

This article regulates the fundamental rights and freedoms of individuals to protect their personal data. Individuals have the right to be informed about what is done with their data.

Article 5:

This article covers the principles of personal data protection, including clarity, fairness, appropriateness, transparency, openness, security, and integrity.

Articles 20 to 50:

These articles stipulate that data controllers must provide evidence of consent given by data subjects when processing personal data, must maintain confidentiality of personal data, and must prevent unauthorized access to personal data.

Articles 51 to 52:

These articles mandate that data processing must be based on the orders of data controllers and that data controllers must obtain written consent before involving other data processors.

Articles 5 to 15:

These articles detail the rights of data subjects, including the right to information about the identity and legal basis of data requests, the purpose of data collection, and the accountability of the requesting parties. They also include the right to terminate processing, delete, and/or destroy their personal data, and to seek compensation for violations.

Electronic Information and Transactions Law

Law Number 11 of 2008 on Electronic Information and Transactions (ITE Law):

Article 26:

This article addresses the protection of personal data in electronic transactions. It specifically prohibits unauthorized access to electronic systems or alteration or deletion of electronic data within them.

Article 28F:

This article regulates the cessation and prohibition of the distribution of electronic information containing personal data without the consent of the data owner. It also covers the restrictions and responsibilities related to such information dissemination.

 

Key Points

In the growing digital economy, personal data utilization is integral to nearly every aspect of our lives, from online shopping to social media interactions. However, this extensive use of personal data requires proper governance and accountability to ensure that individuals’ rights are protected and their data is not misused.

Law Number 27 of 2022 on Personal Data Protection (PDP Law) provides a crucial legal framework in this regard, in alignment with Article 28G, Paragraph (1) of the 1945 Constitution, which guarantees every person’s right to personal protection.

The PDP Law establishes strict regulations for all parties involved data controllers, processors, and data subjects to ensure personal data protection. However, the implementation of the PDP Law faces challenges, including unclear institutional arrangements and authority. The responsible body for personal data protection still needs further regulation regarding its position, structure, and powers, indicating that legal protection for personal data in Indonesia is still spread across various sectoral regulations and lacks comprehensive integration.

In the context of retail companies, legal enforcement and dispute resolution related to data protection breaches can be handled through litigation and non-litigation mechanisms. Litigation involves resolving disputes through court proceedings, where data subjects can file complaints against data controllers for violations. However, this process can be time-consuming and costly.

Alternatively, non-litigation dispute resolution can be achieved through personal data protection authorities established by the PDP Law. These bodies are expected to provide more efficient and less formal dispute resolution mechanisms compared to courts. This approach is anticipated to allow data subjects and data controllers to resolve disputes more quickly and effectively, minimizing negative impacts for both parties.

Overall, while the PDP Law provides a fundamental legal basis for personal data protection, its effective implementation and enforcement require strong collaboration among the government, private sector, and society. All stakeholders must work together to ensure that personal data protection is optimized and effective.

Open chat
WNPASIA
Free Consultation about Our Services