Cyberattacks in Indonesia are increasing in frequency. During the first quarter of 2022, targets in the country faced over 11.8 million cyberattacks, which cybersecurity company Kaspersky reports is a 22 percent increase from the same period in 2021. Meanwhile, Indonesia’s National Cyber and Crypto Agency (BSSN) recorded over 1.6 billion “traffic anomalies” in 2021, according to its annual report released on March 30. Over 62 percent of the “anomalies” were attributed to malware, followed by trojan activity and phishing attempts. Furthermore, Indonesia experienced more ransomware attacks in 2021 than any other Southeast Asian country, according to an Interpol report.
Despite the magnitude of Indonesia’s cyberspace vulnerabilities, the country’s government has yet to implement comprehensive cybersecurity or data protection bills. Indonesia’s parliament introduced a draft personal data protections bill, Undang-Undang Perlindugan Data Pribadi (UU PDP), in 2016, but disagreements between the legislative and executive branches have hindered its passage. Cybersecurity experts have voiced concerns about Indonesia’s vulnerabilities, especially as Indonesia holds the presidency of the G20 in 2022. However, it remains unclear whether Indonesian politicians will overcome their deadlock in time for the G20 Leaders’ Summit in November.
Presently, Indonesia relies on cybersecurity policies that only indirectly address data protections. The closest Indonesia has to a personal data protection bill is Law No. 11 of 2008 on Electronic Information and Transactions (EIT) and its 2016 amendment. The 2008 bill amends Indonesian data privacy laws to prioritize consent, according to a 2021 report by labor law expert Indrawan Dwi Yuriutomo. The law allows netizens to petition for a court to order a webhost to remove their personal data. It also authorizes the government to terminate online connectivity for any site hosting information that the government deems as violating Indonesian laws or morals.
However, the existing policies fail to define personal data classifications, according to Indonesian legal and cybersecurity experts. Without narrow definitions, efforts to tailor penalties for data security violations or establish preventative measures are limited. The amended version of the EIT law does not explicitly articulate the rights of personal data owners beyond deleting themselves from websites. As it is unclear which agency would be responsible to prevent or respond to such violations, data owners are vulnerable to having their information compromised without any means of recourse.
This indirect approach to cybersecurity policymaking mirrors the administration of Indonesia’s cybersecurity infrastructure writ large. Rather than having a central organization to delegate responsibilities and coordinate cybersecurity capacity building across sectors, different agencies have established their own frameworks. For example, the Financial Services Authority (OJK) manages financial data protections for activities like peer-to-peer lending, digital banking, and financial consumer protection.
Meanwhile, the BSSN is largely responsible for cybersecurity intelligence and cybercrime, the Bank of Indonesia handles data protection in the banking sector, and the Ministry of Communication and Information Technology (KomInfo) receives support from the police to monitor and investigate cybercrimes. Evidently, many of Indonesia’s cybersecurity bodies have overlapping jurisdictions.
While this decentralized approach allows each agency to build up its internal capabilities based on knowledge of its existing needs and resources, it undermines the central government’s ability to efficiently coordinate responses to cyberthreats. Cybersecurity means something different to each agency, which makes it challenging for these actors to agree on strategies to strengthen cybersecurity infrastructure. For example, despite both the Bank of Indonesia and OJK being engaged in financial data security, there is no comprehensive regulation aimed at ensuring the security of Indonesian financial data transactions across borders.
These deficiencies are particularly alarming given the large number of micro, small, and medium enterprises (MSMEs) in Indonesia. Today, MSMEs comprise more than 90 percent of existing businesses and more than 60 percent of Indonesia’s national GDP. The digitization of MSMEs accelerated after the implementation of pandemic-induced movement restrictions in 2020. However, these companies lack the resources to invest in digital infrastructure, leaving a significant portion of Indonesia’s business owners vulnerable. As businesses increasingly rely on online tools to grow their operations, the “more exposed they’ll be,” as the Asia Society Policy Institute’s Deputy Director Elina Noor said during a 2021 Pacific Forum webinar.
The draft data protection bill seeks to begin addressing these gaps across issues like cross-border data transfer, data controller and processor obligations, and data owner rights. The bill creates two classifications of personal data, outlines 11 explicit rights of data owners, and requires data transfers to areas outside of Indonesia to meet more stringent security standards.
“Such data management is very important right now, not only because of the economic value but because it relates to state sovereignty and geopolitical and geostrategic conditions,” KomInfo representative Johnny G. Plate said during a webinar on June 28.
Legislator Abdul Kharis Almasyhari said on June 22 that Commission I, the body responsible for drafting the bill, is nearly finished with UU PDP’s text. Commission I aims to complete UU PDP before July, six years after its 2016 introduction.
The long lag time is attributable to disagreements between government bodies. UU PDP has been stuck in a tug-of-war between the legislature and the executive branch over which government body should wield authority over data management.
KomInfo has argued that it should have control over data protection, perhaps sharing responsibilities with BSSN. Conversely, the House of Representatives argues for the establishment of an independent data protection agency that answers directly to the president to prevent conflicts of interest. KomInfo has resisted the idea of establishing an independent oversight body thus far, which is line with efforts by President Joko Widodo to dissolve state agencies in the name of efficiency.
“Hopefully there will be an agreement on UU PDP within one or two months,” member of parliament Meutya Hafid said in Bahasa Indonesia at a panel in Jakarta on June 9. “Regarding UU PDP, which was deadlocked previously, we reached agreement with [KomInfo official] Mr. Johnny G. Plate yesterday.”
KomInfo’s response, however, suggested that both parties are still not on the same page.
“If Ms. Meutya Hafid said one or two months, I am certainly pleased,” Plate said. “But I don’t want to get ahead of things. This is a political process. We hope the process moves quickly.”
After Commission I completes the bill, the government will undergo the long process of implementing the new protections. Balancing this and Indonesia’s continued efforts to improve digital literacy, foster cooperation with partners like the United States and Australia, and work with companies like Kaspersky on cybersecurity capacity building may become a challenge. With the G20 Summit approaching and “digital transformation” named as one of Indonesia’s three pillars of its presidency, the pressure is on for lawmakers to find a compromise.