Legal Review of Perpetrators of Hacking Telco Company Customer Data Privacy

Read this if you:

• are curious about how the legal arrangement of personal data
• want to know how to complain about misuse of personal data

Jakarta – The rapidly developing digital age demands that people always use data-based technology. Moreover, the presence of various digital services makes life easier. For example, shopping activities can be carried out through Tokopedia, digital money payments through OVO, and flight ticket bookings through Traveloka. The main requirement to be able to use the application is to have an account. Where the account registration process will be successful if you enter complete and accurate personal data.

Behind the sophistication of technology, there is a phenomenon that often occurs, namely leakage of privacy data. This phenomenon is caused by hacking by irresponsible individuals who aim for financial benefit. There are still many people who do not realize and underestimate data privacy.

A case of using data privacy by irresponsible individuals was experienced by a man who disclosed his information on Twitter. Through the penetration testing (pentest) backbox methodology, the cellphone number and email address have been registered on the CIMBNiaga, OVO, Traveloka, Shopee, and Air Asia platforms. After being traced, it turned out that he had never registered himself on the company’s digital platform. He only registered his complete personal data with the telco company in order to create an account from an application. Thus, based on information from the results of the backbox pentest methodology, it is concluded that there is an individual who hacks the telco company to obtain personal data from customers.

The private data owned by customers is not leaked and if it does, it can be threatened with administrative or criminal sanctions.

Privacy data registered on a digital platform is a document that must be kept confidential. This is because the information from users’ private data is often used to gain financial benefits. In fact, it can be said that the price of data privacy is equivalent to ownership of fixed assets. An example can be taken from a comparison between the Gojek and Garuda Indonesia companies. In terms of ownership of fixed assets, the Garuda Indonesia company has more assets than the Gojek company. However, Gojek’s fixed assets are considered higher due to the booming data valuation. Based on the practice, companies keep various types of data, including confidential data, top-secret data, ordinary data, and data that can be published. Questioning a case that occurred in a telco company, the leaked data was confidential data. This means that the private data owned by customers is not leaked and if it does, it can be threatened with administrative or criminal sanctions.

Talking about the legal procedures carried out for the leakage of Privacy Data will certainly go a long way. Starting from the process of investigation, investigation, determination of witnesses, suspects, and trials in court, it is suspected that they involved many parties. Before stepping into the realm of law, it is better to examine the rights of personal data owners, namely:

• right to the confidentiality of his personal data;
• The right to file a complaint to resolve a personal data dispute over the failure to protect the confidentiality of his personal data by an electronic system operator to the Minister;
• The right to obtain access or opportunity to change or update personal data without disturbing the personal data management system, to obtain historical personal data submitted to the electronic system administrator, unless otherwise stipulated by the provisions of laws and regulations; and
• The right to request the destruction of certain individual data given to electronic systems managed by electronic system operators, unless otherwise stipulated by the provisions of laws and regulations.

Meanwhile, in the provisions of Law Number 19 of 2016 Law Number 11 of 2008 concerning Electronic Information and Transactions it explicitly states that every Personal Data owner and Electronic System Operator can file a complaint with the Minister for the failure to protect the confidentiality of personal data. The complaint must follow the application procedure in order to be processed, as follows.

• Complaints are made no later than 30 working days after the complainant finds out about the failure to protect the confidentiality of personal data;
• Complaints are submitted in writing and must be equipped with supporting evidence;
• The dispute resolution official/institution is obliged to respond to complaints no later than 14 working days from the time the complaint is received which at least contains a complete or incomplete complaint;
• Complaints that are incomplete must be completed by the complainant no later than 30 working days from the time the complainant receives the response and if it exceeds the time limit, the complaint is deemed canceled;
• The dispute resolution official/institution is obliged to handle the settlement of the complaint starting 14 working days after the complaint is received completely;
• Settlement of disputes on the basis of the complete complaint is carried out by deliberation or through other alternative resolution efforts in accordance with the provisions of laws and regulations; and
• The dispute resolution official/institution that handles complaints can provide recommendations to the Minister for the imposition of administrative sanctions on the Electronic System Operator even though complaints can or cannot be resolved by deliberation or through other alternative resolution efforts.

Questioning the dispute resolution procedure begins with deliberation. If there is no agreement or reconciliation, the owner of the Misused Privacy Data can file a civil suit for the failure to protect the confidentiality of Personal Data. During the law enforcement process, the impact is experienced by Electronic System Operators. This is because law enforcement officers are obliged to confiscate related Personal Data based on statutory regulations and not confiscate all electronic systems. The perpetrator of hacking the Privacy Data who is proven in court will be subject to criminal sanctions or administrative sanctions. Questioning administrative sanctions will be imposed in stages, including verbal warnings, written warnings, temporary suspension of activities; and / or, and announcements on the website.

Every Indonesian citizen can report his privacy data leaked by irresponsible persons to the Ministry of Telecommunications and Information (Kominfo). The report can be made through the official Kominfo website, there are 5 channels you can use. 

1. Negative Content Complaints Service. You can submit website or website content that contains pornography, violence against children, internet security, terrorists, SARA, illegal investment, fraud, gambling, drugs and food, drugs, and Intellectual Property Rights (IPR)

2. Public Complaint Application. Report any information or actions indicating violations within the Ministry of Communication and Information Technology

3. Online Complaints of the Directorate General of SDPPI (Resources and Operation of Post and Information Technology). Complaint services related to telecommunication licensing, radio frequency spectrum, certification and testing of telecommunication tools and equipment, and radio operator certification.

4. Online Complaints Directorate General PPI (Post and Information Technology Administration). Complaint service for broadcasting operation licensing, postal and telecommunication licensing

5. LAPOR (the Indonesian word for Reporting). Online People’s Aspirations and Complaints Service.

In addition, you can report directly through lapor.go.id the process may take more than 10 days.

1. Write a Report. Report your complaint or aspiration clearly and completely
2. Verification Process. Within 3 days, your report will be verified and forwarded to the relevant authorities
3. Follow-up Process. Within 5 days, the agency will follow up and reply to your report
4. Give Feedback. You can respond back to the reply provided by the agency within 10 days
5. Done. Your report will continue to be followed up until it is resolved

Sources: Hukum Perseroan Terbatas, Perlindungan Data Pribadi, UU ITE Data Pribadi – Perusahaan