Indonesian Govt Warns Facebook on Data Leak
Date 10 April 2018
The Indonesian Ministry of Communication and Informatics on Thursday (5/4) issued a written warning to Facebook for allowing third parties to abuse personal data obtained through quizzes or profiling of social media user data.
“The written warning is in accordance with Law Number 11 of 2008 on Electronic Information and Transactions as amended by Law Number 19 of 2016 and Regulation of the Ministry of Communication and Informatics Number 20 of 2016 on the Protection of Personal Data in Electronic Systems,” an official of the Public Relations Bureau of the Ministry of Communication and Informatics said in a press release on Monday (9/4).
Before issuing the written warning, the Ministry had issued verbal warnings to confirm the issue of abuse of Facebook user data in Indonesia by third parties on 27, 28 and 29 March 2018.
Based on data released by Facebook, the amount of personal data of Indonesian Facebook users abused by Cambridge Analytica is the third highest in the world, after the United States and the Philippines.
A total of 1,096,666 personal data records of Indonesian Facebook users have allegedly been abused.
Regarding the written warning, the Public Relations Bureau of the Ministry acknowledged that Facebook has answered the verbal warning with 2 (two) official letters. However, the answers have not been accompanied by a detailed and sufficient explanation, nor have they included the data requested by the Government.
The official continued that, in accordance with Article 36 Paragraph (1) of Regulation of the Ministry of Communication and Informatics Number 20 of 2016, the Ministry finally issued a written warning to the social media manager of Facebook.
The Ministerial Regulation stipulates that administrative sanctions will be imposed by the Minister of Communication and Informatics in the following stages: (1) verbal warning; (2) written warning; (3) suspension of activities; and/or (4) announcements on online sites (websites).
“Therefore, Ministry of Communication and Informatics immediately urges Facebook to close the service partners category, which allows third parties to obtain personal data of Facebook users in the form of quizzes, personality tests or the like,” the official further said.
In addition, according to the press release, Facebook is also required to provide the Government with audit results on the personal data abuse that occurred.
The Ministry of Communication and Informatics has also coordinated with the Directorate of Cyber Crime of the Indonesian National Police to investigate the alleged crime of personal data abuse.
The Public Relations Bureau further explained that personal data is regulated in Law Number 11 of 2008 on Information and Electronic Transactions as amended by Law Number 19 of 2016. Article 26 Paragraph 1 states that the use of any information through electronic media concerning the personal data of a person shall be made with the consent of the person concerned, unless otherwise provided by law.
In line with the aforementioned law, Regulation of the Ministry of Communication and Informatics Number 20 of 2016 on the Protection of Personal Data in Electronic Systems also regulates the protection of personal data, including protection against the acquisition, collection, processing, analysis, storage, display, announcement, delivery, dissemination and destruction of personal data.
According to the Ministerial Regulation, the electronic systems that can be used in the process of protecting personal data are those that have been certified and have internal rules on the protection of personal data, which must take into account the aspects of technology application, human resources, methods and costs.
The Ministerial Regulation further stipulates that the owner of personal data is entitled to the confidentiality of his data; has the right to file a complaint in the settlement of personal data disputes; is entitled to access his historical personal data; and has the right to request the destruction of certain personal data belonging to him in the electronic system.
The regulation continues that the Owner of Personal Data shall be notified in writing in the event of a failure to protect confidential personal data in any electronic system.
The notification shall explain the reasons or causes of the failure to protect confidential personal data, shall be received by the Owner of Personal Data if the failure carries potential loss to the person concerned, and shall be sent in written form to the Owner of Personal Data no later than 14 (fourteen) days after the failure is known.
In addition to administrative sanctions, in accordance with Law Number 11 of 2008 on Information and Electronic Transactions in conjunction with Law Number 19 of 2016, a maximum imprisonment of 12 (twelve) years and/or a maximum fine of Rp12.000.000.000 (twelve billion rupiahs) shall be imposed if it is proven that there is personal data abuse by a third party and that there is a criminal element in the personal data abuse.
(Biro Humas Kemenkominfo/ES) (RI/EP/Naster)