A while back ago, the largest eCommerce platform in the country, Tokopedia suffered a data breach that led to the loss of 15 million user records. It was also revealed that the hackers kept the details of 91 million users up for sale on the dark web. According to reports by Under the Breach, the leaked information included names, passwords, emails, and other personal information. Yet this incident wasn’t so much of a talking point, nor did the government take significant concrete action. But why are most people so unbothered about the data breach? Here’s why I think us average Indonesian consumers should start being data privacy cautious.
I don’t necessarily think consumers need to feel resentment whatsoever, rather, I only think that the average Indonesian consumer will have to understand their rights to demand for more adequate data protection and transparency between them and the businesses they interact with.
“Data is the new oil”
In 2018, amidst the famous and highly controversial Cambridge Analytica scandal, it was revealed that the value of data had surpassed the value of oil. Businesses, industries, government organisations, and other public bodies that use the data of millions of people everyday have eventually come to realise the true benefit of knowing even more about their audience than ever before. As I’m writing this piece, I’m currently working in the digital marketing division of a Dutch based company providing data privacy software to businesses all around the world. Specifically to businesses that work with the personal data of people within the European Union (EU).
This is because the EU has the most strict regulations when it comes to data privacy and protection – the General Data Protection Regulation (GDPR). Known to be the most robust privacy laws on the planet, organisations found guilty of breaking the laws set out in the regulation have been issued significant financial penalties (within the ranges of a €10 million fine, or 2% of the firm’s worldwide annual revenue, depending on which sum is larger) and an even greater reputational damage from the public. Famous cases include the €183 million fine British Airways had to pay as a result of having 500,000 customer personal data stolen from their website or the €3 million fine the Bulgarian tax authority had to pay as a result of a cyberattack that saw hackers steal personal records of around 7 million residents. Putting that into perspective, Tokopedia lost 15 million.
I guess the most common response to an incident of a hacking is to understand that the company might not be at fault. The GDPR, however, stays adamant that businesses hold an obligation to do whatever it takes to protect such valuable data.
This includes granting the right of EU citizens to request access to whatever data a business has on them or going as far as to making sure that firms have absolute consent from their consumers before sending them any marketing material. The fact that Tokopedia lost such a substantial amount of user data and conducts business as usual is something I personally can’t wrap my head around. When I first heard of the Indonesian government’s plans on enforcing a new data protection regulation, I knew that it would be the start of a new consumer – to – business relationship. How effective it will be, can only be answered by time.
Why is personal data so valuable?
GoJek, Tokopedia, BukaLaPak, and other service based online platforms probably hold more information about users than the user knows about themselves. These range from a consumer’s preferences, behaviours, interactions, habits, and buying patterns. It’s no hidden secret that tech firms such as the ones mentioned will need to optimise such information to further personalise their app’s interface accordingly for the users. But for how long should our privacy be the cost for better interface?
Data privacy regulations aren’t
“anti-business” or “anti-innovation”,
it’s just more pro-consumer and we obviously need one.
There’s no denying that the country’s innovation in the tech sector in the last couple years has, and continues to influence a generation of even more tech savvy solutions. In fact every year there’s a solution to almost every niche we can think of. I do however, consider this as a call for action.
It was about time that governing bodies such as Kominfo urged a push for the country’s enforcement of a data protection law, something that had been announced already earlier this year.
Having a regulation in place is just a start.
For a regulation to work in full effect, it’s going to be down to us consumers to fully understand what the regulation means for us. This includes understanding how and why you should exercise your right to data privacy. The proposed data privacy regulation (RUU PDP) is set to include the obligation of businesses to clearly gather consent from consumers before they use any of their data, similar to that of the EU’s GDPR. In brief, the PDP draft law regulates several rights of people’s personal data which are almost identical with those of the GDPR. These rights that the PDP is said to include are:
- The right to access one’s personal data
- The right to correct any mistake(s) in one’s personal data
- The right to erase existing personal data or erase the processing of one’s personal data
- The right to withdraw previously given consent for the processing of one’s personal data
- The right to object to automated processing of one’s personal data based on profiling and;
- The right to limit the processing of one’s personal data proportional to the purpose of processing
However, as long as the RUU PDP stays as a draft law, it’s up to us consumers to take the time to understand the importance of having a data privacy regulation. More importantly, to understand the importance of data privacy itself. Once the law is in place, it’s up to us consumers to exercise our rights and it’s up to businesses to keep up with the regulation.