Law, Criminology & Criminal Justice

The importance of personal data protection in Indonesia’s economic development

Article: 2306751 | Received 13 Feb 2023, Accepted 15 Jan 2024, Published online: 30 Jan 2024

Abstract

The aim of this study is to analyze the importance of personal data protection in economic development. To sharpen the analysis, a case study was conducted on the breach of consumers’ personal data at Tokopedia, one of the largest digital marketplaces in Indonesia. Using the normative (doctrinal) type of legal research, this study examined legal materials obtained through documentary research and literature review. This paper also used statutory approaches, conceptual approaches, and case approaches. The results of this study indicate that the breach of Tokopedia user account data, which was then traded on the dark web, resulted in a significant crisis of consumer confidence in Tokopedia. In a broader sense, the digitization of economic activities makes personal data a state asset, especially in the economic sector, because it has a direct impact on economic development; this necessitates a guarantee of personal data protection, which in turn has a positive effect on the economic development of a country. So that cases like the one at Tokopedia do not happen again, digital marketplaces must provide systems that guarantee compliance with personal data protection regulation. The government must also strictly enforce personal data protection regulation.

1. Introduction

Personal data protection is receiving growing attention at the national, regional, and international levels. International and regional organizations have issued binding recommendations for their member countries that serve as guidelines for personal data protection laws in their countries. At the regional level, for example, the Association of Southeast Asian Nations (ASEAN) published the Personal Data Protection Framework, which was adopted by the Ministers of Telecommunications and Information Technology in ASEAN countries.

The development of personal data protection is inseparable from developments in information and communication technology, including the internet. The increasing number of internet users, the flexibility of internet access, and the affordability of internet use are the driving factors for the increasing use of the internet in various fields, such as communication, entertainment, and others. However, it is necessary to keep in mind that the business sector is the most advanced sector in promoting the internet.

The current development of information and communication technology, particularly that brought about by the internet, has created free trade in human civilization. Free trade results from a trading process that is not limited by boundaries of space and time. In other words, it is justified to say that free trade results from technological developments. In the near future, this technological development will turn into the forerunner to the emergence of e-commerce, which is increasingly popular among the public. The soaring volume of data stored in digital systems will create a new interaction ethic, and thus storing a lot of data from users will enhance effective business operation, especially for matters related to the trading system (Hisbulloh, 2021).

Electronic commerce or online commerce, which enables the exchange of goods or services electronically, especially via the internet, has become increasingly popular among the public. This is mainly attributed to the fact that an electronic trading system does not require the sellers and buyers to meet in person (face to face). Online trading is carried out through electronic correspondence, such as e-mail, fax and other electronic platforms. Similarly, payments are also made through an online system, making the system more efficient and less time consuming. The community’s interaction in electronic media through digital systems has now penetrated all sectors of life, such as the tourism industry, commerce (e-commerce), the financial industry (e-payments), transportation, and the government sector (e-government). This interaction covers several activities, including storage, processing, collection, delivery and production from and to industry or society effectively and quickly (Dewi, 2015).

Cases of personal data breaches have occurred in many countries. For example, in 2018 in England there was a case of hacking the data of around 420,000 staff and customers on the British Airways website. British Airways was ultimately fined by Britain’s Information Commissioner’s Office (ICO) in the amount of 20 million pounds for failing to provide protection for personal data (British Airways Settles with 2018 Data Breach Victims | Reuters, n.d.). A major case also occurred in India in early 2018, namely the hacking of the world’s largest ID database, Aadhaar, which held information on more than 1.1 billion Indian citizens including names, addresses, photos, phone numbers and e-mails, as well as biometric data such as fingerprint and iris scans. The database also contains information about bank accounts connected to unique 12-digit numbers (The 15 Biggest Data Breaches of the 21st Century | CSO Online, n.d.). Apart from these two cases, there are many examples of other cases that have occurred in various parts of the world.

Modern legal instruments for personal data protection must satisfy the following three criteria: (1) serving as a bridge between individuals and economic society; (2) having an international character; and (3) encouraging the public to partake in the digital economy society (Dewi & Gumelar, 2018). Indonesia has recently issued Law Number 27 of 2022 concerning Personal Data Protection as a legal instrument that satisfies the principle of legal certainty against any violations related to personal data. The issuance of this law is partly attributed to the many incidents of personal data breaches and the absence of a law that satisfies the principle of legal certainty about data protection, which is clearly detrimental to many parties, as experienced by one of the major e-commerce platforms in Indonesia, Tokopedia.

The hacking of Tokopedia in 2020 shocked the public, since the hack was suspected to have leaked the personal data of 91,000,000 account users to be sold on the dark web. The dark web refers to a subset of the deep web of the internet where stolen data from corporate networks, such as customer personal information, health records, and so on, are sold for profit. The personal data of Tokopedia account users, which contains emails, telephone numbers, home addresses, and other private details, were leaked to third parties. In the field of online transportation, users’ personal data, such as telephone numbers, are misused to send private messages that have nothing to do with the use of these online transportation services (Pratama & Suradi, 2016). In Indonesia, there has been frequent personal data leakage in the banking system, where customer personal data is often transmitted to other fellow card centers. This practice enables bank employees to provide credit card customer information to third parties as a way to gain economic benefits by means of data leakage (Rosadi, 2017). Tokopedia has not wanted to be responsible for the leakage of personal data because Tokopedia has set terms and conditions that are considered to have been understood and agreed to by consumers when registering and/or using the www.tokopedia.com site.

As a result of the hacking incident, Tokopedia experienced a crisis of consumer trust because consumer personal data is crucial and private. This crisis of trust also had a direct impact on economic development in Indonesia, because the incident eventually led to the dwindling rate of transactions made through Tokopedia. This is certainly contradictory to the previously positive trend, which enabled Tokopedia, as an Indonesian e-commerce company to significantly contribute to economic development in Indonesia by providing online platforms for sellers to market their products and to make transactions with consumers. Departing from the hacking of Tokopedia’s account users, it is made clear that personal data protection has serious implications for consumer trust, which will ultimately have an impact on a country’s economic development.

When the case was initially revealed to the public, Indonesia had yet to adopt specific regulations governing personal data protection. In fact, the existing regulation contained very limited provisions on personal data protection, as was the case in Law Number 11 of 2008 as amended by Law Number 19 of 2016 concerning Information and Electronic Transactions. These limitations have resulted in an absence of legal protection for consumers who are suspected of being victims of personal data breaches. On this ground, this study aims to analyze the importance of personal data protection for economic development in Indonesia by looking at a case study of Tokopedia consumers’ personal data breaches. This was conducted mainly to sharpen the analysis of the importance of protecting personal data for economic development in Indonesia.

There have been many studies explaining economic development strategies, one of which is through the adoption of renewable energy. A study has shown that customers’ intention to use renewable energy is influenced by consumers’ attitude toward renewable energy, while consumers’ attitude is influenced by value orientation (Asif et al., 2023). Another study has shown that environmental knowledge has a positive and significant effect on consumer attitudes and trust in the environment. Meanwhile, consumer attitudes have a negative and insignificant influence on purchase intentions. In contrast, green trust is significantly and positively related to purchase intentions. Perceived consumer effectiveness and perceived behavioral control have a positive effect on purchase intentions (Asif, Zhongfu, Irfan, et al., 2023). These are examples of studies of other factors that influence the economic development of a country. This study will discuss other factors that also influence economic development in developing countries, especially Indonesia, by analyzing a real case example that has occurred in Indonesia. This study has never been done before so it has novelty.

Data from the United Nations Conference on Trade and Development has shown that personal data is not protected in a third of countries in the world despite developments (Data and Privacy Unprotected in One Third of Countries, despite Progress | UNCTAD, n.d.). 137 out of 194 countries have implemented laws to ensure data protection and privacy. As many as 61 percent of African countries and 57 percent of Asian countries have adopted such a law (Data Protection and Privacy Legislation Worldwide | UNCTAD, n.d.). Meanwhile, among less developed countries only 48 percent have adopted it. Indonesia adopted such a law in 2022.

2. Methodology

As normative (doctrinal) legal research, this study examined law from an internal perspective with legal norms as the research object (Diantha & Sh, 2016). It used statutory approaches, conceptual approaches, and case approaches, with legal material as the research object. The legal materials used in this study consisted of primary legal materials, which are authoritative or binding legal materials in the form of related laws and regulations, as well as secondary legal materials, which serve as explanation of primary legal materials. The primary legal materials used are Law Number 27 of 2022 concerning Protection of Personal Data, Law Number 11 of 2008 as amended by Law Number 19 of 2016 concerning Information and Electronic Transactions, Government Regulation Number 80 of 2019 concerning Trade Through Electronic Systems, and other laws and regulations related to research objects. The legal materials were obtained through documentary research and literature review to be analyzed using qualitative descriptive techniques. The qualitative descriptive analysis was carried out by utilizing qualitative data which was then described descriptively, starting from data reduction, data display, to conclusion drawing.

3. Case study of personal data leakage of Tokopedia user accounts

Prior to the stipulation of Law Number 27 of 2022 concerning Personal Data Protection, Indonesia has enacted several regulations to protect consumers’ personal data. However, these legal arrangements remain applicable in partial context, as stipulated by Law Number 11 of 2008 as amended by Law Number 19 of 2016 concerning Electronic Information and Transactions, Government Regulation Number 80 of 2019 concerning Trading Through Electronic Systems, Government Regulation Number 71 of 2019 concerning Implementation of Electronic Systems and Transactions, Regulation of the Minister of Communication and Informatics of the Republic of Indonesia Number 20 of 2016 concerning Protection of Personal Data in Electronic Systems, and Circular of the Financial Services Authority Number 14/SEOJK.07/2014 concerning Confidentiality and Security of Data and/or Consumer Personal Information.

Even though there have been several regulations related to personal data protection, the absence of specific laws governing personal data protection creates problems for the legal structure of consumer protection in Indonesia. This is reinforced by a report from the United Nations Conference on Trade and Development (UNCTAD), which estimates that the implementation of electronic commerce in Indonesia is still lacking in two aspects: consumer protection and privacy. UNCTAD’s claim is based on the real facts in Indonesia.

For instance, on April 17, 2020, an international hacker known as ‘Why So Dank’ managed to hack Tokopedia and leak personal data of user accounts. News of the Tokopedia hack initially circulated on Twitter, as reported by @underthebreach, which wrote that the personal data of 15 million Tokopedia users had been hacked. According to @underthebreach, users’ emails, passwords and usernames were leaked to third parties. Further investigations found that the number of Tokopedia user accounts that were hacked soared to 91 million accounts and 7 million merchant accounts. A year earlier, Tokopedia reported that its platform had around 91 million users (Kronologi Lengkap 91 Juta Akun Tokopedia Bocor Dan Dijual, n.d.). This means that almost all of the Tokopedia user accounts were leaked to third parties including their personal information.

Pratama Persadha, a cyber security expert, stated that the hacker of Tokopedia initially published the leaked data on the dark web, namely Raid Forums. The site showed that the leaked data of Tokopedia user accounts had been published for sale under the name ‘Why So Dank’. It was reported that hackers sold the leaked personal information on the Dark Web, including the users’ full name, location, date of birth, telephone number, gender, and email address. The data were sold to third parties for $ 5,000 or IDR. 75.000.000.00 (seventy four million rupiah) (Cerita Lengkap Bocornya 91 Juta Data Akun Tokopedia, n.d.).

As a service provider, Tokopedia has set terms and conditions for user accounts, which govern the use of services related to www.tokopedia.com site. Consumers who register and/or use www.tokopedia.com are deemed to have understood and agreed to the stipulated terms and conditions. In principle, these terms and conditions serve as an electronic agreement (e-contract) for the parties. This form of electronic agreement is known as a click-wrap agreement. These provisions are rules set by Tokopedia as a service provider. The conditions set forth apply to the use of services related to the use of the www.tokopedia.com website. Consumers who register and/or use the www.tokopedia.com website understand and agree to the terms (Santoso, 2015).

As an electronic agreement between the parties (e-contract), this form of electronic contract is known as a click contract. In electronic contracts, contracts are usually created when the consumer clicks on a part of the contract. A click contract refers to a contract for the purchase of goods or use of goods or services provided by an online retailer. In general, online buyers must agree to the terms referred to in a standard agreement made by clicking on an icon (usually containing the words I Agree, Agree, Ok, Agree) before completing the transaction (Santoso, 2015).

These click contracts are usually entered when someone wants to download software, register an account on the platform, and so on. Consumers are certainly bound by electronic contracts. However, what remains problematic in this context is the fact that the contract contains a clause, which can be treated as an exception clause. A clause in the terms of use of Tokopedia states: ‘Tokopedia is not responsible and users will not prosecute Tokopedia for any damage and losses arising from hacking actions carried out by third parties to user accounts’.

Such clauses are called exoneration clauses (standard clauses), which aim to limit or even eliminate the liabilities of producers/employers. Such clauses are inherently detrimental to consumers, because in essence, consumers are forced to follow rules that actually harm them and benefit the company (Annurdi, 2017).

In Indonesian context, the use of standard clauses is permissible as long as it complies with the stipulation in Law Number 8 of 1999 concerning Consumer Protection, especially Article 18 paragraph (1). This article provides limitations and prohibitions on the use of standard clauses for entrepreneurs/business actors. Article 18 paragraph (1) of the Consumer Protection Law states that business actors in offering goods and/or services intended for trading are prohibited from making or including standard clauses in every document and/or agreement if the standard clause states the transfer of responsibilities of the business actor.

Under Article 18 paragraph (3) of the Consumer Protection Law, any standard clauses stipulated by business actors in documents or agreements as referred to in paragraph (1) are declared null and void. Therefore, in the case of Tokopedia’s terms and conditions, it is clear that the clause stating that Tokopedia is not responsible and that users may not sue Tokopedia for any damages and losses caused by hacking of user accounts by third parties is null and void. Ideally, in its hacking case, Tokopedia should be held responsible for leaking users’ personal data. It is necessary to pay attention to security and legal certainty in the use of telecommunications and information facilities so that they can develop optimally and strengthen the legal protection of public privacy data (consumers and service users) in e-commerce activities (Baiq, 2021).

To deal with any violations against public protection amidst the digital economy, it is necessary to enforce the relevant law as legal protection to ensure the smooth operation of the digital economy for future development. The violation of the personal data of Tokopedia’s account users has led the public to doubt the security of their personal data as consumers. At the time of the Tokopedia hacking, there was no law to specifically regulate personal data protection, there was no guarantee for the security of consumers’ personal data, and there was no adequate protection against misuse of personal data by irresponsible parties. What about the responsibility of Tokopedia as a party that stores consumer personal data?

Personal data protection significantly affects consumer trust, because trust is a moral right that is fully given to people and organizations, companies, corporations, and other institutions. Trust as a moral right is very fundamental and is irresistible. It is justified to say that the government function is operated based on trust. Without citizens’ effort to trust their leaders, it is inconceivable how the government should run its function, and how the people can contribute to the state functions. A crisis of trust will cause increasingly complicated situations. Not only the field of law but also the field of communication and other fields will be hampered and experience difficulties. The low level of public trust in the government makes it difficult for the community to accept everything that is informed by the government (Kairoot & Ersya, 2021). This is attributed to the fact that community involvement in carrying out a policy is a form of political participation related to trust.

Personal data protection is part of human rights, and incontrovertibly all parties, be they individuals, startup companies like Tokopedia, corporations, society, or the state, must recognize, appreciate, respect and protect this basic right. Philosophically, the protection of personal data is a manifestation of the recognition and protection of basic human rights in accordance with the values of Pancasila (Sinaga & Putri, 2020). Several countries have recognized data protection as a constitutional right or in the form of ‘data habeas’, namely a person’s right to protect their data (Niffari, 2020). The preamble to letter b of the Personal Data Protection Law states that personal data protection is aimed at guaranteeing citizens’ rights to personal protection and raising public awareness as well as ensuring recognition and respect for the importance of protecting personal data. The phrase ‘raising public awareness’ must be based on community trust itself, and without public trust, the community will not try to raise awareness. Thus, when Tokopedia creates a standard clause in the agreement with its users as a way to avoid any liabilities when there is a hacking incident against users’ personal data, there will be a significant decrease and degradation of users’ trust towards the company, because the content of the agreement clearly reflects the company’s interests and is tendentiously in favor of Tokopedia.

According to Deutsch et al. (2011), the following factors are known to urge someone to place their trust in other people, companies, and others: (1) Each individual has a different predisposition to trust other people. The higher the level of individual predisposition to trust, the greater the hope to trust other people; (2) Even though individuals do not have direct experience with other people, individual expectations can be formed through what is learned from friends or from what has been heard. The reputation of others usually forms strong expectations that lead individuals to see the elements for trust and distrust and lead to a relational approach of mutual trust; (3) Most individuals develop facets of experience to speak, work, coordinate and communicate. Some of these facets are very strong in terms of trust, and some are strong in terms of distrust. Over time, both elements of trust and distrust begin to dominate experience, and stabilize and easily define a relationship. When the pattern is stable, individuals tend to generalize about a relationship and describe it with high or low trust or distrust; (4) Individuals build and maintain social relations based on their psychological orientation. This orientation is influenced by the relationships formed and vice versa. In a broader sense, their orientation remains consistent, and thus individuals will seek relationships that are in accordance with their souls. Building trust in other people is far from easy. It depends on our behavior and the ability of others to trust and take risks; (5) Interpersonal relationships are not just a set of habits, since they contain a structure, a stable behavior, giving and taking, demands, and commitments. The basis for building a good interpersonal relationship lies in mutual trust between one another.

4. The importance of personal data protection in economic development

The growth of Indonesian e-commerce market is undisputable. The plethora of internet users in online buying and selling activities is deemed as a gold mine for business people, which has a positive impact on some people who can assess future potential. One of the unicorn startups, Tokopedia, has provided various features through its application to facilitate users with buying and selling.

In terms of financial principle, buying and selling are carried out almost every day in people’s daily lives to meet the basic needs. The outbreak of pandemic has shifted people’s habit from having the traditional and direct buying and selling to e-commerce. This shift certainly satisfies the government program to encourage people to practice social distancing as a way to prevent the spread of the Covid-19 virus. Given such condition, Tokopedia launched various innovative and flexible features as a way to attract new users amidst the pandemic situation to build the Indonesian economy.

Nonetheless, in 2020, the information and technology system of Tokopedia was hacked, which led to personal data breaches of 91.000.000 user accounts. This incident resulted in the declining trust of users of Tokopedia as a startup company that is reliable and applies high protection of users’ personal data. This dwindling trust is also attributed to the fact that the agreement between consumers and Tokopedia as a service provider principally contains provisions with the interests to avoid any liabilities upon an incident of personal data breach, particularly through the standard clause as described above.

Article 15 paragraph (1) of Law Number 11 of 2008 as amended by Law Number 19 of 2016 concerning Electronic Information and Transactions (‘UU ITE’) states that electronic system operators (Penyelenggara Sistem Elektronik, PSE) are required to operate electronic systems reliably and safely and are responsible for the proper operation of the electronic system. Article 15 paragraph (2) states that the PSE is responsible for the operation of its electronic system. However, the provisions as stated in Article 15 paragraph (1) are limited by Article 15 paragraph (3), which stipulates that the provisions of Article 15 paragraph (1) become invalid in the event that the PSE can prove the existence of a force majeure, and/or an error/negligence on the part of the electronic system user.

Consumers who are aggrieved by the leakage of their personal data can use Article 15 paragraphs (1) and (2) as a legal basis in their lawsuit. However, it should be noted that Article 15 paragraphs (1) and (2) can be used as a legal basis for prosecution only as long as Tokopedia cannot prove the existence of a force majeure or that the fault/negligence is on the part of the user/consumer. Moreover, the ITE Law provides no sanctions or penalties that can be imposed on a PSE that violates the provisions of Article 15 paragraph (1) and/or (2). Further explanation is stipulated in Government Regulation Number 71 of 2019 concerning Implementation of Electronic Systems and Transactions.

The current era has seen a development in the concept of the right to privacy, one outcome of which is the concept of personal data. Schermer stated that by definition, the right to privacy is based on the distinction between public and private. What belongs to private space has the right to be protected by privacy rights. Nonetheless, establishing a distinction between public and private spaces has become increasingly difficult as a result of technological advances and the accompanying social changes. Therefore, areas that remain free from outside interference are equally difficult, if not impossible, to differentiate (Perlindungan Hak Privasi Atas Data Diri Di Era Ekonomi Digital, n.d.).

It is necessary to protect privacy based on the following reasons: First, when in a relationship, one must cover part of one’s private life to maintain one’s status at a certain level. Second, someone needs time to be alone in his life, so someone really needs privacy. Third, privacy is a right that stands alone and apart from other rights but this right is lost when someone discloses personal things to the public (Dewi & Gumelar, 2018). Fourth, privacy also includes a person’s right to manage their household relationships, including how a person maintains a happy marriage, forms a family, and hides personal relationships from others. Fifth, another reason why privacy deserves legal protection is because the harm it does is difficult to assess. The loss is far greater than the physical loss, because it interferes with individual’s personal life, and thus when it is harmed, the victim is forced to compensate (Rosadi, 2017).

Apart from Tokopedia, in the last two years there have been many hacks of personal data in Indonesia, for example the hacking of patient personal data in several hospitals in the form of full names, hospitals, patient photos, COVID-19 test results, and X-ray scan results. Customer personal data at 16 Bank Indonesia Bengkulu Branch Offices was also hacked, with an estimated total of 52 thousand documents. Personal data of job applicants at PT Pertamina Training and Consulting (PTC) was hacked, containing full names, cellphone numbers, home addresses, places and dates of birth, diplomas, academic transcripts, and BPJS cards (Inilah 7 Kasus Dugaan Kebocoran Data Pribadi Sepanjang 2022 - Nasional Tempo.Co, n.d.).

Data show that in Indonesia in the second quarter of 2022, as many as 1.04 million personal account data were hacked. This figure jumped by 143% compared to the second quarter of 2021. As a result of the many data hacking cases, Indonesia ranks 3rd as the country with the highest data hacking rate in the world. Hacking of personal data can have a negative impact on both individuals and corporations. Individuals can suffer losses when, for example, their identity is used in fraud or bank account burglaries. Meanwhile for corporations, the losses incurred can be in the form of a decrease in corporate reputation, incurring large costs for recovery, and being subject to fines in accordance with applicable laws (Waspadai Kebocoran Data – Dampak, Penyebab, Dan Cara Mencegahnya, n.d.).

The importance of personal data as a dimension of private space is a direct consequence of the generalization of information and communication technology. It often gives rise to classes to discuss the three ‘privacy domains’, namely physical privacy, relational privacy, and data privacy. Physical privacy includes: (1) body privacy, (2) mind privacy, and (3) intimate behavior privacy. In contrast, relational privacy includes privacy for: (1) intimate behavior, (2) home, (3) correspondence, and (4) family life, while information privacy consists of: personal data and correspondence (Schermer, 2007).

Each dimension of private space can be explained as follows (Schermer, 2007):

  1. Body. In many societies, including the western society, people like to hide their body parts from the eyes of others. The right to protect our naked bodies from prying eyes is a protected personal freedom. The integration of the human body is another element of this dimension of privacy. This refers to the fact that the human body must not be subjected to unwanted scrutiny in the form of seeking out or eliminating the external body.

  2. Mind. This aspect is closely related to the integrity of the human body in terms of the mind. Analogous to the right to the integrity of the human body, it can be said that there is a right to the integrity of the human mind. The integrity of the human mind, like other dimensions of the right to privacy, is essential to the human right to self-determination. By guarding our minds from outside scrutiny and influence, we ensure that our minds develop more quickly.

  3. Home. This aspect refers to the inviolable right to the human soul. The integrity of the human mind, like other dimensions of the right to privacy, is an essential human right of self-determination. By protecting our mind from outside control and influence, we ensure faster development of our mind.

  4. Intimate behavior. Everyone wants to keep part of the secret life to ourselves. The right to hide our physical behavior (call it sex life, for example) from the outside world is one element of this right, while the rest being our thoughts and those with whom we share them.

  5. Correspondence. The right to protect one’s intimate behavior from the outside world also includes expressing one’s thoughts through communication. It is still not clear what are the limitations of the right to privacy protection of correspondence. If privacy of correspondence is considered an absolute right, investigation of a person’s correspondence is considered illegal.

  6. Family life. The right to an undisturbed family life includes freedom to form a family, to enjoy each other’s company and to live together.

The increasingly growing digital economy that satisfies public interest has led to improvements and growth in the economic sector. Ideally, Indonesia’s digital economy has implemented adequate personal data protection principles and takes into account the interests of all stakeholders. The principles applied in regulations related to personal data protection must take into account the current dynamics of the digital economy, at least in Indonesia.

The issuance of laws that specifically stipulate personal data protection can support the achievement of digital economic growth, one of which is a clearer mechanism to protect data confidentiality. The law will provide guarantees and legal certainty to all digital economy stakeholders, as well as clear responsibilities for data protection and confidentiality. In addition, at the national level, equal data protection and regulation of personal data are also promoted across regions (between regions and other countries), for example sharing of personal data between the European Union and the United States. According to this system, people’s personal data can be transferred from the European Union to America and vice versa, provided that both countries have the same protection (Linn, 2017).

Indonesia’s digital economy can continue to grow due to the e-commerce acceleration attributed to the Covid-19 pandemic, one of which is due to changes in people’s transaction and spending habits. However, this growth must be accompanied by protection of the confidentiality of personal data. The rapid adoption of internet services and the large market size make Indonesia the fastest growing digital economy in ASEAN. According to Statista 2022, e-commerce growth in Indonesia will reach $43 billion in 2021 and is expected to reach $62.59 billion in 2022 (Perlindungan Kerahasiaan Data Pribadi Dukung Capaian Pertumbuhan Ekonomi Digital, n.d.).

Ensuring personal data protection will have an impact on economic development, for several reasons. First, investors gain confidence in the protection of their personal data and that of their company. This can attract investors to confidently invest to run their business in one country and Indonesia will also benefit from it. Second, the guarantee of legal certainty. This guarantee of legal certainty makes it clear to prosecute a person or corporation who violates personal data. Companies and investors will not be afraid to do business in Indonesia because the clarity of responsibility for violations has been regulated in the law.

Third, many people will voluntarily carry out shopping transactions if more guarantee of legal certainty for the protection of one’s personal data is provided. This will lead to more stability, and more people will be able to shop online without having to worry about violations against their personal data. As a result, the number of users will continue to increase because the feeling of comfort in the protection of personal data significantly influences economic development in Indonesia.

Digital developments result in transitions to the joints of the economy. In the past, the economy was driven conventionally or offline; now it has penetrated the online realm. This development encourages convenience in various business fields of a country, so that the Indonesian government must be able to guarantee and maintain online trust in order to develop the digital economy (Dewi & Gumelar, 2018).

This digital development has also changed various media for economic transactions, which has raised the popularity of the terms e-transaction, e-commerce, and e-business. Atkinson and McKay describe digital developments, especially in the economy as: ‘The digital economy represents the pervasive use of IT (hardware, software, applications and telecommunications) in all aspects of the economy, including internal operations of organizations (business, government and non-profit organizations)…’ (Atkinson & McKay, 2007). The description put forward by Atkinson and McKay shows that all economic activities cannot be separated from digital developments, because they have penetrated all aspects of the economy to the internal activities of the organization. The implication of this digital development demands legal protection of personal data because personal data is the main component in this digital development, meaning that personal data has turned into a state asset, especially in the economic sector.

A survey was conducted in Europe regarding the importance of protecting personal data. It was revealed that more than two-thirds of Europeans or 72 percent said they were concerned about how companies used their personal data. Concern about the security of personal data in online transactions is one of the most common reasons why people do not buy goods and services over the internet. Therefore, protection of personal data with a high level of security is essential to increase trust in online transaction services and increase the potential of the digital economy, thus driving economic growth and industrial competitiveness (Reding, 2012).

Even though online transactions have a positive impact in driving economic growth, there are economic costs that must be borne by business actors. These economic costs are considerable, especially for the MSMEs. Research also conducted in Europe when the EU Data Protection Regulation was first enacted demonstrated that small and medium sized enterprises (SMEs) or MSMEs had to bear costly spending to implement the provisions of the EU Data Protection Regulation. This is because business actors including MSMEs are required to provide system designs and procedures for protecting consumer personal data, integrate personal data protection in an IT management system that can identify and mitigate risks in processing consumer personal data, and appoint employees in charge of protecting consumer personal data. These obligations incur additional costs as a way to build the standardized system and to hire employees (Christensen et al., 2013).

From the aforementioned explanation, the issuance of a law that specifically regulates the protection of personal data is important, especially in the framework of economic growth in the digital era as it is today. With the enactment of Law Number 27 of 2022 concerning Personal Data Protection, Indonesia officially has issued a special law that regulates personal data protection. Article 37 reads: ‘The Personal Data Controller is obliged to supervise each party involved in the processing of Personal Data under the control of the Personal Data Controller’. The controller of personal data here refers to every person, public body and international organization, who acts individually or jointly in determining the goals and exercising control over the processing of personal data. The personal data controller is assigned with overseeing the protection of personal data (Article 1 number 4).

Article 39 paragraph (1) and paragraph (2) of the Personal Data Protection Law stipulates that: ‘(1) The Personal Data Controller is obliged to prevent unauthorized access to Personal Data. (2) The prevention referred to in paragraph (1) is carried out with a security system for Personal Data that is processed and/or processes Personal Data electronically in a reliable, safe and responsible manner’. Article 44 paragraph (1) and (2) of the Personal Data Protection Law regulates that:

  1. The Personal Data Controller is required to destroy Personal Data in terms of: a. the retention period has expired and the information is destroyed according to the archive retention schedule; b. there is a request from the Personal Data Subject; c. It is not related to the settlement of the legal process of a case; and/or d. Personal Data is obtained and/or processed in a way that violates the law.

  2. The destruction of Personal Data as referred to in paragraph (1) is carried out in accordance with the provisions of laws and regulations’.

Article 57 paragraph (2) stipulates that: ‘The administrative sanctions as referred to in paragraph (1) are in the form of: a. written warning; b. temporary suspension of Personal Data processing activities; c. deletion or destruction of Personal Data; and/or d. administrative fine’. Article 65 regulates that:

  1. Everyone is prohibited from unlawfully obtaining or collecting Personal Data that does not belong to them with the intention of benefiting themselves or other people which can result in loss of Personal Data Subjects.

  2. Everyone is prohibited from unlawfully disclosing Personal Data that does not belong to him.

The criminal provisions regulated in the Personal Data Protection Act are Article 67 which stipulates that:

  1. Any Person who intentionally and unlawfully obtains or collects Personal Data that is not owned by him with the intention of benefiting himself or another person, which can result in loss of Personal Data Subjects as referred to in Article 65 paragraph (1) shall be punished with imprisonment for a maximum 5 (five) years and/or a maximum fine of Rp. 5,000,000,000.00 (five billion rupiah).

  2. Any person who intentionally and unlawfully discloses personal data that does not belong to him as referred to in Article 65 paragraph (2) shall be subject to imprisonment for a maximum of 4 (four) years and/or a maximum fine of Rp. 4,000,000,000.00 (four billion rupiah).

  3. Everyone who deliberately and unlawfully uses Personal Data that does not belong to him as referred to in Article 65 paragraph (3) shall be subject to imprisonment for a maximum of 5 (five) years and/or a maximum fine of Rp. 5,000,000,000.00 (five billion rupiah).

Article 68 states that:

Any person who intentionally creates false personal data or falsifies personal data with the intention of benefiting himself or another person, which can cause harm to other people as referred to in Article 66 shall be punished with imprisonment for a maximum of 6 (six) years and/or fines for a maximum of IDR 6,000,000,000.00 (six billion rupiah).

The above provisions increasingly guarantee legal certainty for the protection of personal data along with the legal consequences when someone violates the rights to personal data. The legal guarantee for personal data protection is expected to boost economic growth in relation to the digital economy. The same protection is a mandatory condition for the exchange of personal information. The hampered exchange of personal information not only hinders the interests of the government, but also economic interests of the public. In various industries, such as frameworks, the exchange of such personal data is essential for the continuity of the financial system (Cole & Fabbrini, 2016). The issuance of the Personal Data Protection Law is an indispensable necessity because it is crucial for various national interests. The Indonesian International Association also requires the protection of personal data and information, and that such protection can facilitate international trade, industry and investment.

It is necessary to complement the issuance of the Personal Data Protection Law with a global framework for personal data protection (An international legal framework for data protection). This is deemed important because the issue of personal data protection is no longer limited to a national issue but a global one, especially in the economic field. Processing of personal data has become a key activity in both private and government entities. The development of IT, especially the internet, opens opportunities for companies, governments and individuals to transfer large amounts of personal data around the world with just one click of computer devices. In addition, innovations such as cloud computing enable large amounts of personal data to be routinely processed across national borders. This condition certainly necessitates the presence of a global framework in the protection of personal data in order to provide more guarantees for the security of personal data (Reding, 2012).

Living in the era of the constantly dynamic information society, everyone requires globalization and technology as the essential drivers of information-based economic development. In principle, information has been made available globally, without any boundaries of space and time. Cross-border data flow has become indispensable for transnational companies. Technology greatly facilitates the ability to quickly collect and manipulate consumer-related data (Bergkamp, 2002). Thus, the personal data protection act should regulate personal data protection that crosses national borders. Data protection reform in Europe can be used as an example of such regulation, so that it is not considered a protectionist policy but will instead help overcome regulatory differences between European digital service providers and other countries such as the US (Ciriani, 2015).

Cross-border data flows have become increasingly important, especially in the economic aspect, for thirty years since the adoption of the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. Personal data protection regulations should indeed regulate the movement of cross-border personal data in order to prevent evasion of responsibility for personal data breaches that are also cross-border in nature. In addition to avoiding risks in processing personal data in other countries, it is also crucial to overcome difficulties in enforcing personal data protection laws abroad, and to increase consumer and individual trust in transactions. Cross-border data flow brings not only risks, but also benefits. With the globalization of the world economy, the ability to transfer personal data internationally has become increasingly important in driving economic development (Kuner, 2010).

5. Conclusion

The personal data breach of Tokopedia user accounts to be sold on the dark web significantly resulted in a crisis of consumer confidence in Tokopedia. The incident of personal data breaches of e-mails, home addresses, and telephone numbers of 91,000,000 (ninety-one million) users has created consumers’ doubt in making transactions through Tokopedia, including other digital marketplaces. This incident certainly has a significant effect on the dwindling trust in Tokopedia because trust is a person’s moral right that cannot be disturbed or violated freely by someone.

The declining public trust in Tokopedia insinuates a correlation between personal data protection and economic growth. Protection of personal data is very important in supporting economic development because investors gain confidence in the guarantee of their personal data protection and that of their companies. Therefore, the issuance of personal data protection regulations can provide legal certainty to prosecute individuals or corporations who violate personal data laws. This legal certainty is expected to prevent companies and investors from concern of doing business in Indonesia given the clear legal certainty and accountability for any violations based on the regulation. The better the guarantee of legal certainty for the protection of one’s personal data, the better the stability of legal certainty. This will definitely bring more people to shop online through digital marketplace without having to worry about the violations against their personal data. Having this legal certainty, it is expected that the number of users continues to increase because the feeling of comfort in personal data protection significantly influences economic development in Indonesia. So that cases like what happened to Tokopedia do not happen again, digital marketplaces must provide a set of systems that guarantee compliance with personal data protection regulation. The government must also strictly enforce personal data protection regulation.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Correction Statement

This article has been corrected with minor changes. These changes do not impact the academic content of the article.

Additional information

Funding

This work was supported by the Lembaga Pengelola Dana Pendidikan of Ministry of Finance of the Republic of Indonesia and Balai Pembiayaan Pendidikan Tinggi (BPPT) of Ministry of Education, Culture, Research, and Technology of the Republic of Indonesia.

Notes on contributors

Ari Wibowo

Ari Wibowo is a Ph.D. candidate in Law at Faculty of Law, Universitas Sebelas Maret, Indonesia, and an awardee of the BPI scholarship, Balai Pembiayaan Pendidikan Tinggi (BPPT) of Ministry of Education, Culture, Research, and Technology of the Republic of Indonesia. He is also a lecturer in the Department of Criminal Law at Faculty of Law, Universitas Islam Indonesia. His research interests include corruption, terrorism, and other issues of criminal law.

Widya Alawiyah

Widya Alawiyah is a Ph.D. candidate in Law at Faculty of Law, Universitas Sebelas Maret, Indonesia. She is also an advocate at UBR Law Firm, Indonesia. Her research interests include the issues of business law.

Azriadi

Azriadi is a Ph.D. candidate in Law at Faculty of Law, Universitas Sebelas Maret, Indonesia, and an awardee of the BPI scholarship, Balai Pembiayaan Pendidikan Tinggi (BPPT) of Ministry of Education, Culture, Research, and Technology of the Republic of Indonesia. He is also a lecturer in the Department of Criminal Law at Faculty of Law, Universitas Muhammadiyah Sumatera Barat. His research interests include the issues of criminal law.

References