Dosen Bidang Studi Hukum Ekonomi dan Teknologi Fakultas Hukum Univesitas Indonesia, Peneliti di Lembaga Kajian Hukum dan Teknologi (LKHT) Fakultas Hukum Universitas Indonesia.

Peduli Lindungi Does Not Violate Rights, but Might Be Abused

Angga Priancha

3 min read

The US accusation that Indonesia’s COVID-19 tracing application “Peduli Lindungi” (Care Protect) has “arbitrarily and unlawfully interfered the privacy” of the Indonesian people in its 2021 Country Reports on Human Rights Practices is sparking debates on whether the government’s app policy has violated the human rights of the citizens.

Public have questioned if the data stored in the app could be or have been used in a way that it violates the people’s right of privacy.

This concern is making sense as the app gathers personal data from vaccination certificate, identities and even tracked the places the user has gone through. Such data and information can be misused for other purposes, such as profiling, or other activities that deviates from the original goal of the app.

Despite the massive impacts caused by the accusation, the US in its report does not specify how and why the app interferes privacy as it only stated that “NGOs expressed concerns about what information was gathered by the application and how this data was stored and used by the government”.

While the US does not directly accuse Indonesia to have violated the human rights, it does put the app policy under the subtitle “Arbitrary or Unlawful Interference with Privacy, Family, Home, or Correspondence”.

The question is, does it really violate the human rights, especially the right of privacy?

Peduli lindungi works to track the movement of persons in hoping to easily monitor and control the movement of the virus. Indeed, applying this the app policy would need personal information such as identity and geographical movement of the users, thus, making the user feel their privacy breached and their personal life spied.

However, this policy works on the goals to protect another human right, which is the right to life of others Indonesian citizens.

If we look up the Article 28G of Indonesia’s 1945 Constitution and the Article 21 of Law No. 39/1999 on Human Rights, the right of personal life, which in this case privacy is something that is should be protected by the state. This however is also subject to limitation of other people human rights as stipulated in the article 28J of the 1945 Constitution and article 69 (1) of the Human Rights Law.

With this understanding, it should be argued that how Peduli Lindungi apps operates to protect Indonesian citizens from COVID-19 is aligned with the Indonesia’s human rights frameworks as it is done to respect and protect other people’s basic right, in this context the right of life.

Mahfud MD, Indonesia’s coordinating minister for politics, law and security, delivered similar argument in his subsequent press conference, stating that the country’s human rights does not only protect the aspect of individual rights but also the rights of the social-communal aspect.

However, what if the data being stored in the Peduli Lindungi app is being used for purposes other than protecting citizens from COVID-19? For instance, for profiling for marketing?

If we look at the US report carefully, this is actually what concerns the civil society groups in regard to Peduli Lindungi. They are questioning on how government stored and used the personal data. Is it being used in accordance with the original goals, or is it being used for something else?

These concerns are valid because of the prevalent personal data thefts and misuses in Indonesia, especially those stored in government agencies. According to recent report by Dark Tracer, a prominent global body that deals with data theft, in the first quarter of the 2022 alone, some 15, 000 domains in Indonesia have its data leaked, misused or stolen, with more than a quarter of the amount being stored or belonged to the government’s institutions.

This report confirms other previous media reports of how data stored by millions of people to apps owners or operators have been stolen, sold or misused.

So, who can guarantee that the date store in Peduli Lindungi does not have the same fate, considering that Indonesia still fails to pass data protection bill into law?

Despite such a prevalent data thefts and misuses, the country’s lawmakers seem reluctant to pass the Privacy and Personal Data Protection Bill (RUU Perlindungan Data Pribadi) into law.

Like most of personal data protection laws, for instance the European Union’s General Data Protection Regulation (EU GDPR), they state the rights and responsibilities of data controller (the one that collect the data and set out the goals on the purpose of the collection) and the data processor (the one who process the data gathered by the data controller, including the one who stored the data).

Based on this framework, the government, and the electronic service provider of Peduli Lindungi shall be the data controller and data processor who have the responsibility and obligation to protect the rights of the data owners (those who owns the personal data, the users).

In general, the data controllers and data processors cannot use the collected data outside of the stated purpose of collection. Thus, every data processing and uses needs the consent of the data owners.

Hence, the usage of the collected data outside of the original purpose can be sued for responsibility of privacy breach.

Currently Indonesian Privacy and Personal Data Protection norms is still spread out in various laws such as Electronic Information and Transaction Law (UU ITE) or the Population Administration Law (UU Administrasi Kependudukan). These laws do not explicitly contains the detailed rights and responsibilities in terms of data privacy management.

The absence of such a specific law has complicated the implementation of the human rights of privacy in Indonesia, not only in the case of the Peduli Lindungi app but also other applications that collect and process data in Indonesia.

So, there is no other way. Indonesian government must speed up the passage of Indonesian Data and Privacy Protection Bill into law. This is because by the passing of the law, Indonesia would have a clearer legal certainty regarding privacy and personal data protection. This, in turn, will also raise the quality of human rights protection in Indonesia.

Angga Priancha
Angga Priancha Dosen Bidang Studi Hukum Ekonomi dan Teknologi Fakultas Hukum Univesitas Indonesia, Peneliti di Lembaga Kajian Hukum dan Teknologi (LKHT) Fakultas Hukum Universitas Indonesia.

Leave a Reply

Your email address will not be published. Required fields are marked *

Dapatkan tulisan-tulisan menarik setiap saat dengan berlangganan melalalui email