Beware of Private Data Sharing
Analyzing the PDP Bill draft and what kind of private data acquired by tech companies
Marsya Nabila - 27 February 2020
The government officially submitted the draft of Personal Data Protection Act (PDP Bill) to the Indonesian Parliament. This draft will be discussed immediately after the completion of the Omnibus Law Act.
Based on the draft as of December 2019, the PDP Bill contains 72 articles and 15 chapters governing the definition of personal data, types, ownerships, processing, exceptions, controllers and processors, transmissions, authorized institutions that regulate personal data, and resolution. In addition, it regulates international partnerships and sanctions imposed for misuse of personal data.
While waiting for the regulation to be ratified, whose authority is in the People's Representative Council (DPR), we need to know more about how to interpret in daily life. What is the impact before and after the regulation for the public?
Understanding the types of data based on the PDP Act draft
The PDP Bill defines personal data as any data about a person, whether identified and can be identified separately or combined with other information, directly or indirectly, electronic and non-electronic systems.
Types of personal data are divided into two, the general and specific data. The general category includes data that can be accessed through public services or listed in official identity. For example, your full name, gender, nationality, religion, and personal data must be combined to make it possible to identify someone.
Meanwhile, specific data is data that is sensitive to the safety and comfort of the life of the owner of personal data, namely health data and information, biometric data, genetic data, sexual orientation, political views, crime records, child data, personal financial data, and/or other data in accordance with statutory provisions. In order to get these data, approval from the owner is necessary.
What should be appreciated and fixed
SAFEnet's Executive Director, Damar Juniarto said, the PDP Bill refers to one of the fundamentals of the 1945 Constitution article 28 paragraph G stated the philosophical basis of personal data protection, the guarantee of citizens' self-protection.
Therefore, there are three things must be stated the PDP Bill. The right to personal, family, honor, dignity and property protection; the right to security; and the right of protection against the threat of fear to do or not do something.
The assessment he made for the PDP Bill contents was a progressive step in ensuring the certainty of the citizens' self-protection. "SAFEnet welcomes the presence of the PDP Bill which will soon be discussed at the Commission I of the DPR RI," Damar said in a written statement.
This bill, he continued, succeeded in formulating the concept of upholding data sovereignty; outline a longer draft of April 2019 in specific personal data; provide recognition of important basic rights in the principle of the right to privacy such as the need for citizen consent in data collection, the right to correction, and the right to withdraw data; emphasized on the time limit while residents withdraw the data; and sanction violations.
On the other hand, the part that needs improvement is the dimming of important issues that have been a public concern, such as profiling issue, illegal tapping by state institutions and corporations, alleged buying and selling of personal data by state institutions and discriminating sanctions against individuals and corporations that committed violation.
"Profiling can only be stopped whether residents raise objections as contained in article 10. Frankly, in SAFEnet's view, this is not enough. Profiling must be included in specific personal data because it is an important protection against the threat of oneself and protection of the right to do or not do something."
Illegal tapping, defined as an effort to acquire personal data by planting spyware on smartphone devices, collecting data through an unknown cloud, or applying AI in the form of facial recognition technology.
Discrimination of legal sanctions threatens an injustice feeling of the community for the right to privacy. The ITE Law, which was issued over 10 years ago, has problems with the number of convicted citizens and criminal proceedings during unfair law enforcement and justice.
"Reflection on the implementation of digital law needs to be taken into consideration in determining appropriate legal sanctions for those who commit personal data violations."
He thought in general, the PDP Bill narrowed the right to privacy to the extent of protecting personal data. Therefore, what should be the scope of this law is reduced to the issue of personal data. Whereas today, data is closely related to the lives of the human owners and when abused will endanger the lives of these people due to the possibility of crime.
"There is a right to security attached to it [PDP bill]. Therefore, it might sound like the PDP bill emphasized personal data definition as merely a commodity. Whereas personal data is not just a commodity, it concerns the virtual human dignity, the PDP Bill must protect the human being involved, not only the data."
Once the regulation passed, the greatest power you have for companies that collect your data and liability is to request for data removal. On the other side, the greatest right - or perhaps the most competed - is the ability to stop companies from selling your data to other parties, such as advertisers.
Selling data has been the most irritating issue for consumers. The condition does not apply when you consciously enter a photo in your Facebook account or enter your home address in the e-commerce application. Unlike the case, if they cash it, therefore, other companies you've never visited create a profile without your knowledge or approval.
The word "sell" does not mean literally in the form of money. When the company gains something or other benefits from your data for others, it can be categorized as selling. Exceptions only apply when the company sends data to "service providers" if the e-commerce site shares your credit card number and processes payments to complete the sale.
Data selling is a very sensitive issue for technology companies, especially giants like Google and Facebook, and the time when the Cambridge Analytica scandal hit Facebook. Data is the new oil.
The PDP bill also applies to office buildings that often request visitor data and photograph faces. This regulation accommodates data collectors to declare their purpose as retrieving data and guarantee its safety. As often the issues of data leak anywhere and anytime.
Global company concern of data security
Last year, Digital Rights Ranking has created a report titled The 2019 Ranking of Digital Rights Corporate Accountability Index, a piece of basic knowledge for everyone on how concerned global technology companies are about the security of their users' data.
Of the companies surveyed, some are running the business in Indonesia, which considers this report more or less correlated. As it was mentioned from 24 famous global technology and telco, Microsoft ranked the first, followed by Google and Verizon Media. Next, from telco are Telefonica, Vodafone, and AT&T.
There are 35 indicators for the 24 companies that were evaluated, examined the matter of commitments, policies, and practices that affect freedom of expression and privacy, including corporate governance and accountability mechanisms. This index score represents the extent to which companies meet minimum standards. There are several companies that score above 50 (on a scale of 100).
Overall, there has been some progress, although some issues remain since the Index was released in 2015. Does everyone still lacking basic information about who is controlling their ability to connect, talk online, or access information, or who has the ability to access their personal information in any circumstance.
The government in some countries is quite responsive by issuing various supporting regulations. Whereas the company action to take decisive steps in respecting user rights has not been well conveyed. As a result, most companies still fail to reveal important aspects of how they handle and secure personal data.
"Despite new regulations in the European Union and other countries, most global internet users still lack basic facts about who can access their personal information under what circumstances, and how to control their collection and use. Some companies have been found to disclose more than is required by law," as stated in the 2019 RDR Index report.
What kind of data collected and how to stop it
Facebook and other technology companies are basically trying to create a data bank, by taking as much user information in one's profile. The goal is none other, looking for inspiration for what products are and will be needed by consumers, to have it on target when it's launched.
Fintech applications are more or less similar. Why can they withdraw funds quickly? because there is digital data made accessible by users to be analyzed by smart machines. Before the FSA intervened, they could access various data such as photo galleries, contact lists, SMS, calendars, cameras, microphones, and others that were actually less relevant to the application function.
Usually, there will be pop-up notifications for various access requests that are unknown or explained after downloading. Unfortunately, if one of the access requests is intentionally denied - applicable to the majority of apps - there will be flaws appeared that interfere with the user experience. Eventually, it forces the user to allow all requested access.
Due to the rise of illegal fintech players and victims, user's smartphone data access is now limited to only cameras, locations, and microphones. All three are permitted by regulators for legal fintech players.
The way to find out what data is requested by the application is quite easy and available for check. On Google Play, try to check at the bottom of the "About this app" section, there is detailed information related to the application. There will be "App permissions," and choose to "See more." There will be a clear statement of access to any information requested by the application.
In general, companies will state privacy policies on their sites at the very bottom. It consists of data they take from users, the purpose of use, and its commitment to protecting user privacy from third parties.
Unfortunately, due to the insignificant location, it often passed the user's sight. The long arrangement with a small size font only creates more reason for users to not take a look and enjoy reading it. Even though the information conveyed is very important.
All the information is listed on the Gojek site. Some of these include name, address, date of birth, occupation, telephone number, fax, e-mail, bank account, credit card details, gender, official identification number, biometric information.
In one of its clauses, Gojek opens the opportunity to withdraw data with reasonable notice in writing. The consequence that users receive is that the account is terminated and cannot use applications or services for the future.
Tokopedia is no different. They collect data submitted independently by users, unlimited data when filling out surveys on behalf of the company, interacting with other users with message features, product discussions, reviews, ratings, detailed transaction data. Continues, real location data such as IP address, Wi-Fi location, geo-location, cookie data, pixel tags, device data used to access the site, and other data obtained from other sources.
On further exploration, users are not given the freedom to remove data. Tokopedia will store information as long as the user account remains active and can carry out removal in accordance with applicable legal regulations.
Meanwhile, Bukalapak opens the submission of data removal by attaching valid proof of identity and the reason for the request for removal. Bukalapak is to grant the request if it meets the requirements requested by the company.
Following these three applications can give a clear picture that the existence of this PDP bill is so important to give users full control of their data. Indeed, companies have an obligation to protect users if there is potential for fraud, but don't data owners have more control over it?
Reflecting on global technology companies, some of them provide features that function to close data access utilized by third parties. Facebook and Google have released it, even though the intensity is still doubtful, but now users are given control to restrict access to their data.
Google (including YouTube)
Google's main revenue is advertising. Last year's advertising revenue from YouTube reached $15 billion, more than the combined advertising revenue from three private TV stations in the U.S., namely ABC, NBC, and Fox. Google claims to operate its ad network internally. However, if you want to stop Google from sharing data with its own division, there is a tool for it. This option is called "Ad personalization." Simply slide the button to turn off the personalization.
Whether this company does or doesn't sell user data, this social media platform gives third parties access to a number of user information. For example, date of birth and email address. Spotify allows you to register as a user if you register through Facebook.
In order to close the access, you just have to go to the Facebook page. Then go to Settings > Apps and Websites. You will find which third parties can access Facebook data, just click which one will be disconnected.
Twitter provides options for all users who want to leave custom personalized ads. You do this by going to the Settings and privacy page > Privacy and safety > Personalization and data and the slide button left to turn it off.
The music streaming application claims to not so sure whether the way they share data is counted as sales when it refers to regulations in California. However, they provide a tool for users who want to stop Spotify from advertisers by turning off the "Tailored ads" toggle in the Privacy settings page. This tool allows Spotify to use any data from your Facebook account for target ads.
–Original article is in Indonesian, translated by Kristin Siagian