JAKARTA, KOMPAS – Buying and selling personal data are conducted not only by marketing agents banking and insurance products; the retail sector also collects a massive amount of personal data from their consumers. In fact, no regulations exist that truly guarantee the security of personal data.
Credit card registration is not the only way for banks to collect personal data, which can then be misused or even sold to market banking products. There are many other doors through which personal data can be collected. The personal data of Fredi, 53, a resident of Kelapa Gading, North Jakarta, for example, was sold along with the data of many other customers of the AH store on the Bukalapak online marketplace. Fredi\'s personal data was included in a group of luxury car owners who bought their cars with cash. The data category also identified Fredi\'s financial condition. Kompas contacted Fredi on the mobile phone number that was contained in the data to confirm its validity.
"I bought several cars with cash, but the cars were for the office. The car dealer is located in Jakarta. For my personal car, I used a bank loan to buy a [Toyota Kijang] Innova, an ordinary car," said Fredi. He acknowledged that he often received various product promotions on his mobile phone. He also received marketing calls almost five times a day. Fredi said he was not aware that his personal data had been sold.
In the retail sector, cashiers at cafes, restaurants and shopping malls also often request customers to provide personal data, such as names and mobile phone numbers. The cashiers often cannot provide a clear explanation as to why they need such data.
Personal data collection also occurs through online stores, online bookings and online transportation apps. Users are usually required to provide their personal data in order to access services. However, almost no information is provided on how their personal data might be used.
Not aware
Bank Mandiri corporate secretary Rohan Hafas said that the rapid development of e-commerce increased users’ vulnerability to the circulation of personal data, but the public was unaware of this.
Rohan said that store cashiers and online stores often asked customers that used credit cards to provide their card verification value (CVV), which was printed on the back of the credit card. Not all online shops or stores had a good system to protect personal data.
"People are not aware that they have made transactions in places that lack security. There are also reliable online stores that have a good system for protecting customers’ data, despite the absence of regulation. But yes, there are also online stores with fake identities," he said.
Tokopedia vice president for corporate communications Nuraini Razak said the online marketplace had taken firm action against vendors that were involved in misusing personal data. It had previously found that several vendors were freely selling users’ personal data. "The stores that were involved have been removed," she said.
The government drafted a personal data protection bill (RUU) in 2016. The bill was harmonized in 2017 across relevant ministries and agencies but it has not been finalized, as many legal aspects of the bill must be aligned with other laws. The Law and Human Rights Ministry is still completing the final harmonization.
According to House of Representatives Commission I vice chairman Satya Widya Yudha, the House was still awaiting the draft bill from the government. "The government says that the Home Ministry is harmonizing the bill with its legal index. So far, the government promised to submit the draft bill in March," he said.
A study from the Institute for Policy Research and Advocacy (ELSAM) found that personal data protection was stipulated in the articles of more than 30 laws, such as the Banking Law and the Electronic Information and Transaction Law (ITE).
However, ELSAM research deputy director Wahyudi Djafar said that none of the articles in the laws stipulated criminal sanctions for those involved in selling and buying personal data. Even under Article 26, Paragraph 2 of the ITE Law, individual can only sue for compensation through civil mechanisms if they find out that their personal data had been sold.
"If the data controller that manages the electronic system is proven to have transferred personal data without permission from the owner of the data, the sanctions are merely administrative. With such regulation and model of sanctions, of course the [legal] binding capacity is not strong enough," he said. (MDN/ADY/NIA)