Recently, as most of you are surely aware, Facebook, the popular social-media network, has become embroiled in a data-breach scandal. The incident, ostensibly caused by Facebook in conjunction with third-party players, has sown the seeds of major distrust among Facebook users. Indeed, a movement to delete Facebook accounts has sprung up in the wake of the scandal, although here in Indonesia this movement has yet to attract significant attention among Indonesia’s netizens. The Facebook data-breach scandal has occurred at the same time as a number of complaints which have been made by holders of Indonesian bank accounts who have suffered losses of funds. The criminal group responsible for this activity has now been apprehended by the police, who discovered that the unauthorized fund transfers were the result of skimming activities undertaken by the group.
Both of these incidents raise similar questions. Obviously, individual data owners have to shoulder the main burden of responsibility as regards securing their own data. However, does this responsibility rest solely with data owners, or do banks, social media companies, and even the government also have a duty to protect data?
Corporate Digital Responsibility
The answer to this question is more complex than a simple yes or no. Corporate social responsibility is a well-known concept, however, the idea of corporate digital responsibility has now emerged as a consequence of the interactions between corporations and consumers in the digital world. The term corporate digital responsibility was specifically discussed during the Internet Governance Forum 2017 in Geneva, and many industry experts and academics admitted that such responsibility stems from diverse security knowledge of users and the need for corporations to avoid protracted legal disputes. Meanwhile, in Indonesia, these responsibilities are not yet commonly discussed and ultimately still lie scattered across various provisions and practices.
Through Government Regulation No. 82 of 2012 on the Implementation of Electronic Systems and Transaction Providers, as well as Ministry of Communication Regulation No. 20 of 2016 concerning Personal Data Protection in Electronic Systems, the government has tried to regulate a number of measures aimed at ensuring the security of individuals’ personal data. These regulations attribute responsibility to the entities concerned, especially corporations, as the controllers of data. This regulatory framework addresses many areas, starting from the requirement to provide breach notifications, implement accountable data-policy mechanisms and plenty more besides. This responsibility works in combination with other provisions which are scattered across a number of more general regulations, including Law No.8 of 1999 on Consumer Protection (Consumer Protection Law), as well as Law No. 11 of 2008 on Electronic Information and Transactions, which was most recently amended through the issuance of Law 19 of 2016 (EIT Law).
However, it is obvious that implementation and mere compliance with the law are insufficient. This is evidenced by the number of complaints deriving from consumers who have become the target of product marketing activities without them knowing how their personal information came to fall into the hands of parties engaged in said marketing and promotional activities. The existence of fake accounts, the non-consensual transfer of personal data and many other incidents all reveal the vulnerability of consumers when they engage in digital activities and show that greater efforts will be needed from corporations. As such, in the midst of this highly connected digital world, like it or not, corporations have to take much more responsibility for these matters than they currently do.
Based on the regulations which are currently applicable, there are primarily three responsibilities which are relevant to corporations, specifically the responsibility to educate, the responsibility to provide adequate safety measures and the responsibility to be accountable, which requires corporations to travel an extra mile if this responsibility is to be adequately met. Ultimately, this means that in spite of the best efforts of corporations to comply with the minimum standards which are set by the law, the laws are not ultimately fit for purpose in terms of being able to provide assurance and comfort to consumers.
The responsibility to inform consumers is thus very important. Consumers should be educated regarding the mechanisms which underlie the various services which are offered, while consumer rights and obligations should be the primary responsibility of corporations. The prioritization of these responsibilities is vital, as corporations are service providers who possess the most advanced knowledge of their products, as well as any potential consequences which could arise as a result of their consumption. These corporations have the responsibility to inform consumers regarding the proper utilization of their products. The provision of such education will increase the digital literacy of consumers, which should as a consequence increase the good behavior of users on the internet, as well as the safety of the public as they engage in online activities. Education will also eventually assure consumers, increasing the reliance of the consumers on the providers and thus increasing trust regarding the services/goods which are offered by corporations.
Also of vital importance is the responsibility to provide adequate safety measures. This responsibility involves a greater amount of technical detail and corporations are required to provide both services and goods which are safe for consumers. The wordings of safety warnings in this context should not only be aimed at protecting consumers from external factors such as viruses, malware or various types of interference. Rather, consumers should also be offered services and goods which protect said consumers from their own negligence or attempts to improperly modify services or goods. A standard system which is safe and which can anticipate possible intrusions, either internal or external and which has the potential to adapt and keep up to date would serve as a good start in terms of providing protection to consumers, as well as fulfilling this secondary responsibility.
Last but not least is the responsibility to be accountable. This is a sensitive subject, however, and no perfect system can be said to currently exist. To set up an accountability mechanism, which should be prepared based on research and adjusted to meet relevant needs, corporations need to prepare for potential disruptions to their systems. While many may remain worried that accountability mechanisms may lead to secrecy being compromised and vulnerabilities in terms of their systems or products, the accountability mechanism can serve as a system of checks and balances. Consumers and the public in general also need to be made aware that even if a mechanism has been implemented properly, system-wide disturbances may still occur. Through the upholding of accountability, and the daring to be honest regarding system vulnerabilities, consumers and the general public gain the opportunity to contribute to system-wide improvements, as well as to checks on the security of their information, as they relate to any goods and/or services which are provided by the corporation.
All of the abovementioned responsibilities have the ultimate purpose of protecting consumers, as well as preventing corporations from potential legal consequences, such as sanctions for violating their obligations and being brought before the court by parties looking for compensation for losses which they have suffered. Ultimately, mere compliance may not ultimately protect corporations from legal consequences and demands for compensation, as guaranteed under the relevant applicable laws, if the consumers suffer losses as a result of the failures of corporations to protect consumers from said losses.
The fact that the current regulation may not guarantee that corporations are protected from being held liable is fully understood, as a law is not meant to regulate the nitty-gritty technical details that may apply differently between different business entities. Therefore, the relevant regulatory framework may simply set the minimum standards that have to be complied with, despite the fact that this may ultimately be insufficient in terms of offering protection for individual personal data which are gathered by the relevant corporations. At this point, the government may have made its best effort to formulate a regulation that establishes the basics of personal data protection, combined with enforcement efforts aimed at raising the theoretical and practical awareness of business and industry. Ultimately though, it is highly unfortunate to witness the current relegation of personal data protection-related regulations to a point where they are considered less important than other issues.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official position of Hukumonline.com
 Bhredipta is a legal practitioner focusing on Technology, Media, Telecommunication (TMT) and Intellectual Property (IP) law. Bhredipta is working as an Associate at a boutique law firm specializing in TMT and IP in Jakarta