Cyberspace is becoming increasingly brutalized by its rapid monetization and weaponization, mainly through the erosion of privacy. How do we effectively protect individuals and their fundamental human rights, and how do we exercise the right of dignity and privacy?
The European Union is now offering model legislation to its member states, and via spill-over power to similar supranational projects elsewhere, particularly ASEAN, as well as the Organization of American States, the African Union, the Shanghai Cooperation Organization and the rest of the world.
There are deepening concerns that today’s technology serves not only the predictability imperative enunciated by the German sociologist Max Weber to further rationalize society. It is making society less safe and its individuals less free.
Prevention of personal information misuse is the main reason the EU introduced the new set of provisions in May 2018. Hence, the General Data Protection Regulation (GDPR) is an ambitious attempt to further regulate digital technology, especially in respect to private data protection. It is in conformity with provisions of both the Universal Declaration of Human Rights and the European Charter of Human Rights.
The law’s provisions enforce protections against a wide variety of privacy issues including the right for people to lawfully agree with companies to use their private information. They also enforce the right for people to withhold private information accessible by a company as well as giving users the right to refuse to allow their private information to become public. The regulation also makes sure that no personal data is processed unless the user has allowed the processor of personal data to do so. Failure to comply makes offending individuals and companies liable to fines up to €20,000,000, or up to 4 percent of the company's profits from the previous year, whichever number is higher.
The intention of the lawmakers behind the data protection regulation is twofold: to regulate domestically as well as to inspire and galvanize internationally.
ASEAN, Indo-Pacific, Asia
For the rest of the world, the regulation should be predictive and eventually obligatory. Beyond a statement of general principles agreed by the ASEAN members in 2016 committing them to “an inclusive and integrated ASEAN through cooperation to propel the organization towards a “secure, sustainable and transformative” regime, and recognizing “the importance in strengthening personal data protection,” little has been done in the region. It is obvious that the provisions of the EU document can be expected to serve well the interests of the citizens of Indonesia.
That is actually in line with the spirit of the country’s 1945 Constitution, which obligates the state to protect, educate and provide for the prosperity of the Indonesian people. That act proclaims that respecting individual personal data is resting upon the two principles of Pancasila, a fair and civilized humanity. The mutual grant and observance of everyone’s elementary rights is the essence of freedom and overall advancement of society.
The government, with a mandate to protect the public (the public trust doctrine), must manage personal data fairly and accountably. The EU legislation also encourages the formation of an independent personal data protection supervisory institution so that it can correct the policies and rules of the bureaucracy and state administration to act accordingly in managing the personal data of the population.
Moreover, every democratic government should be more proactive in protecting society when comes to the management of the personal data of its residents.
When comes to the Right to be Forgotten (Right for Privacy and Right for Dignity), Indonesia must see it as a principle of real protection that is in the best interests of data owners. Further on, such a right should be strengthened without undue delay so as to avoid the administrative obligation to request a court decision to uphold the right.
In the long run, the regulation’s proponents believe will surely benefit businesses far more than the personal data originators themselves.
Leading by Example
In regard to security, Indonesia must immediately develop a clear policy on cryptography to protect personal data. Cryptography is a double-use process; it can be used for civilian purposes, but it can also be used to protect vital national interests such as defense and security. Therefore, privacy and cybersecurity protection are complementary concepts of protection. A holistic approach strengthens both the rights of individuals and protection of national interests, rather than posing a conflict between the two.
Finally, the ASEAN Declaration of Human Rights in its article 21 stipulates that the protection of personal data is an elementary part of privacy. As one of the founding members, a country that even hosts ASEAN’s headquarters, Indonesia must observe the principles of the Human Rights Charter. That is the additional reason why the country has to lead by example.
The EU’s data protection regulation clearly encourages a paradigm shift within the public services and government administration services on national, subnational and supranational levels for all of the ASEAN member states.
Indonesia and ASEAN can learn a lot from the dynamics of the EU’s regulation of data protection and elDAS – the electronic IDentification, Authentication and trust Services, an EU regulation covering standards for electronic identification and trust services for electronic transactions in the European Single Market – to its own benefit, to foster its own security and to elevate trust in regional e-commerce within the ASEAN economic zone.
Since the combined ASEAN ranks as the world’s fourth-largest world economy, this is a call of the future that starts now. After all the EU and ASEAN – each from its side of Eurasia – are twin grand projects of necessity, passion and vision.
Naturally, for anyone outside outside the region, Indonesia and ASEAN are already seen as among the world's e-commerce hubs, of pivotal importance far beyond the Asia-Pacific theatre. Adoption of the EU’s model legislation would materially enhance that perception.
Melda Kamil Ariadno is a professor of International Law at the Faculty of Law Universitas Indonesia, Jakarta. Anis H Bajrektarevic is chairperson and professor in international law and global political studies, Vienna, Austria