The Hacker Attack on Indonesia's Temporary National Data Center: State Responsibility and the Implementation of the Personal Data Protection Law
7/1/2024, 6 min read
On Thursday, June 20, 2024, Indonesia experienced a significant cyber-attack on its Temporary National Data Center. This breach exposed the personal data of millions of citizens, raising serious concerns about data privacy and security. Although the Personal Data Protection Law (Undang-Undang Perlindungan Data Pribadi) had been enacted on October 17, 2022, the government claimed that the law could not yet be effectively implemented because its derivative regulations had not been issued. This essay examines the state's responsibility for this oversight and outlines the principles that should be incorporated into the implementing regulations of the Personal Data Protection Law to ensure the privacy and sovereignty of citizens' data.
Certain categories of data are by their nature considered "sensitive", as listed in Article 4, Paragraph 2 of the Personal Data Protection Law: health data, biometric data, genetic data, criminal records, children's data, personal financial data, and other data designated by statute. As reported in many news stories, data of this kind is sold on the dark web. This opens up the real possibility that it will be used by irresponsible parties for criminal activities carried out in the names of innocent people whose records happen to have been taken. Consequently, such a breach threatens both law enforcement and social stability.
The National Data Center (PDN) is a facility owned by the government and overseen by the Directorate of Government Informatics Application Services (LAIP) of the Ministry of Communication and Information. The purpose of establishing the PDN is to serve as a repository for all public data managed by ministries and agencies at both the central and regional levels. This means that the facility will eventually become the place where all citizen data recorded by the government for electronic-based public services is hosted, stored, processed, and recovered. This is part of the government's effort to achieve spending efficiency by reducing duplicated expenditure, to accelerate national data consolidation, to integrate national public services, and to ensure the security of information and the sovereignty of state data and the personal data of Indonesian citizens. Although the permanent facility is still under construction, the services of the Temporary National Data Center have already been used by ministries and government agencies from the central to the regional level.
However, the attack on the Temporary National Data Center on June 20, 2024, revealed several weaknesses in Indonesia's data protection framework. Despite the existence of the Personal Data Protection Law, the lack of implementing regulations has left significant gaps in the country's cybersecurity defences. This case underscores the importance of promptly implementing and consistently enforcing comprehensive data protection measures. The government's weaknesses in handling this issue are easy to see, and include the following:
Delayed Implementation. The government's claim that the law could not be effectively implemented because its derivative regulations were absent highlights a critical oversight. The state must prioritize the timely development and enactment of these regulations so that the provisions of the law become fully operational. The government regulations and technical operational rules for the Personal Data Protection Law must keep pace with the ability of attackers to breach citizens' data.
Inadequate Cybersecurity Measures. In the current era of digital technology and AI, "data is gold": it is a highly valuable commodity in any transaction, especially those conducted over the Internet. The government should recognize the need to protect this public treasure. Its negligence highlights the need for stronger cybersecurity measures. Implementing regulations must mandate the adoption of state-of-the-art security technologies, tested backup and recovery procedures, and regular independent assessments to identify and address vulnerabilities. If the government cannot secure the data centre on its own, it should consider engaging credible and accountable third-party data security providers to do so.
Lack of Transparency. The government's response to a cyber-attack that threatens the privacy and sovereignty of citizens' data must be transparent, providing the public with clear information about the nature, extent, and severity of the attack and the steps being taken to mitigate its impact. Such transparency is crucial to maintaining public trust; its absence instead exposes a lack of coordination between the government agencies responsible for data protection.
Absence of a Clear Compensation Mechanism. Affected individuals must have access to effective compensation mechanisms. This is guaranteed in Article 12, Paragraph (1) of the Personal Data Protection Law as the right of "Personal Data Subjects" to sue and receive compensation for violations in the processing of their data. However, the following paragraph leaves the procedure to be set out in government regulation. Article 58 of the law then provides that the law is to be administered by a data protection agency responsible to the President, and the two articles that follow give this agency enforcement powers, including imposing administrative sanctions and facilitating out-of-court dispute resolution. The implementing regulations should establish clear procedures for filing complaints and seeking compensation for damages resulting from the failure to protect citizens' data. The President has taken the initiative in designing the electronic-based government system architecture through Presidential Regulation No. 132 of 2022, but that presidential regulation does not regulate the compensation mechanism intended by the Personal Data Protection Law. It can be said that the current regulations are not fully oriented towards protecting citizens' data as a human right that the state must protect, especially when the state itself neglects this duty.
State Responsibility for Data Protection Failures
The hacker attack highlights a critical lapse in the state's duty to protect its citizens' data. While the enactment of the Personal Data Protection Law was a significant step towards securing personal data, the lack of effective implementation undermines its purpose. The state's responsibility for this failure can be viewed from several perspectives:
Preventive Measures. The state must implement robust preventive measures to safeguard against cyber-attacks. This includes investing in advanced cybersecurity technologies, conducting regular security audits, and ensuring continuous monitoring of data systems.
Timely Implementation of Laws. Enacting a law without promptly developing and enforcing its implementing regulations renders the law ineffective. The state must ensure that all necessary regulations are in place and operational to give full effect to the law.
Accountability and Transparency. The government must be transparent about its data protection efforts and accountable for any lapses. This includes clear communication with the public about data breaches and the steps being taken to address them.
Compensation and Redress. The state should provide mechanisms for affected individuals to seek compensation and redress for any harm suffered as a result of data breaches. This includes establishing clear procedures for filing complaints and ensuring that violations are addressed promptly.
Principles for Implementing Regulations of the Personal Data Protection Law
To effectively safeguard the privacy and sovereignty of citizens' data, the implementing regulations of the Personal Data Protection Law must incorporate several key principles:
1. Data Minimization. Data controllers should only collect and process personal data that is necessary for specific, legitimate purposes. This limits the amount of data exposed in the event of a cyber-attack.
2. Security Measures. Regulations should mandate the implementation of comprehensive security measures, including encryption, access controls, and regular security assessments. These measures should be regularly updated to address emerging threats.
3. Data Breach Notification. In the event of a data breach, data controllers must promptly notify affected individuals and the relevant authorities so that timely action can be taken to mitigate its impact. The law itself already sets this obligation in Article 46, which requires written notification to the affected data subjects and the supervisory agency within 3 x 24 hours of a failure of personal data protection; the implementing regulations should specify what such a notice must contain and how it is to be delivered.
4. Data Subject Rights. The regulations should clearly define and protect the rights of data subjects, including the right to access, correct, and delete their data. These rights should be easy to exercise and supported by efficient mechanisms.
5. Data Protection Impact Assessments (DPIAs). Organizations, whether governments, companies, NGOs, or others, should be required to conduct DPIAs for processing activities that pose a high risk to individuals' privacy. This helps identify and mitigate potential risks before they materialize.
6. Accountability Framework. Data controllers should be required to demonstrate compliance with the law through documented policies, regular audits, and the appointment of data protection officers. This ensures that data protection remains an ongoing priority.
7. Cross-Border Data Transfers. The regulations should establish clear guidelines for transferring personal data across borders, ensuring that such transfers do not compromise the protection of personal data.
8. Sanctions and Penalties. Effective enforcement mechanisms are crucial. The regulations should prescribe stringent penalties for non-compliance, including fines and other sanctions, to deter negligent behaviour and ensure accountability.
Conclusion
The hacker attack on Indonesia's Temporary National Data Center serves as a stark reminder of the critical importance of effective data protection measures. The state's responsibility to protect personal data extends beyond the enactment of laws to include the prompt development and enforcement of implementing regulations. By incorporating key principles such as data minimization, robust security measures, breach notification, and clear accountability frameworks, Indonesia can ensure the privacy and sovereignty of its citizens' data.
As the digital landscape continues to evolve, the state must remain vigilant and proactive in its efforts to safeguard personal data. The lessons learned from the June 20, 2024, attack should inform the ongoing development and implementation of data protection policies, ensuring that Indonesia is well-equipped to face the challenges of the digital age.