Indonesia's Current Stance Regarding The Disclosure of Customers' Personal Data in The Capital Market

Thank you for your question!

The question posed by Mr./Ms. C pertains to Indonesia's policy regarding the disclosure of customers’ personal data in the capital market. This encompasses the role of the Indonesian government in safeguarding customers' personal data from potential misuse that may lead to criminal activities, such as identity theft, document forgery, credit card fraud, and other illegal conducts.

Personal data protection is becoming more of a concern in today's Industry Revolution 4.0. The rising development of information technology-based industries has made people realize the importance of maintaining the privacy of their personal data from various threats of data misuse. Moreover, numerous activities across various sectors, including finance, necessitate access to information and personal data.. The advancements of information and electronic technology within the financial sector can be seen from the increasing number of e-commerce and financial technology (fintech) companies that have occurred. E-commerce companies are companies that provide online buying and selling platforms, whereas fintech companies are centered on innovating financial services through modern technology. 

Fintech is classified into several categories, one of which is based on the supervision of the Financial Services Authority (Otoritas Jasa Keuangan, hereinafter referred to as "OJK"). OJK supervises 2 (two) categories of fintech, one of which is Fintech 2.0 Digital Financial Institution, which covers 3 (three) industrial sector domains, namely banking, capital market, and non-bank financial industry. In the capital market, the business domains regulated by OJK include e-stocks, bonds, mutual funds, and trading.

As one of the benchmarks of a country's economic progress, the capital market provides a meeting place for sellers and buyers with opportunities and risks of profit and loss, as well as a means for companies to meet long-term funding needs by selling shares or issuing bonds. In transacting in the capital market, buyers and sellers are entitled to protection of their personal data. Furthermore, interest in capital market investment in the banking sector is increasing, particularly due to the sector's dominant role in the capitalization of shares in the capital market. Bank BCA, Bank BRI, Bank Mandiri, Bank BNI, and Bank Permata are 5 (five) public companies in the banking sector that can conduct a public offering of shares in the capital market. Although shares can be traded openly, the protection of people's personal data must be well maintained. In carrying out capital market activities, the dissemination of customers' personal data becomes a legal issue that needs to be addressed. 

All forms of dissemination of customers' personal data, ranging from identity theft, document forgery, credit card fraud, bank account breaches, digital wallet breaches, to online extortion, are certainly a concern for the community. Therefore, the dissemination of personal data is categorized as a criminal offense whose punishment is specifically regulated in various laws and regulations, such as Indonesian Law Number 27 of 2022 on Personal Data Protection, Indonesian Law Number 11 of 2008 on Electronic Information and Transactions, and Indonesian Law Number 23 of 2006 on Population Administration. 

Therefore, in response to this question, we shall refer to the legal provisions found in Indonesian Law Number 27 of 2022 on Personal Data Protection (PDP Law), which is a manifestation of Article 28G of the 1945 Constitution of the Republic of Indonesia stating that: "Every person shall be entitled to protection of his her own person, family, honor, dignity, and property under his/her control, as well as be entitled to feel secure and be entitled to protection against threat of fear to do or omit to do something being his/her fundamental right." Additionally, we also refer to OJK Regulation (POJK) Number 22 of 2023 concerning Consumer and Public Protection in the Financial Services Sector (POJK No. 22 of 2023). The provisions regarding the protection of consumer data and information are stipulated in Article 19 Paragraph (1) of POJK No. 22 of 2023, wherein PUJK are obligated to maintain the confidentiality and security of consumer data and/or information (PUJK means Financial Services Business Actors). 

The Indonesian government has taken a stand on the issue of revealing customers’ personal data in the capital market by issuing various regulations with the threat of criminal sanctions for the violators. The dissemination of personal data that is threatened with criminal sanctions is specifically regulated in Article 67 of the PDP Law which states that, “Every Person who intentionally and unlawfully obtains or collects Personal Data that does not belong to him/her with the intention of benefiting himself/herself or others which may result in the loss of Personal Data Subjects as referred to in Article 65 paragraph (1) shall be punished with a maximum imprisonment of 5 (five) years and/or a maximum fine of Rp5,000,000,000.00 (five billion rupiah).” In addition, Article 70 of the PDP Law also regulates the liability for criminal conducts of personal data protection committed by corporations, which can be imposed on the management, controllers, commanders, beneficial owners, and/or corporations, with sanctions in the form of fines and additional punishment. In this case, there are several exceptions in the protection of personal data which are the rights of Personal Data Subjects, one of which is for the purpose of supervising the financial services sector which includes banking, capital markets, insurance, financing institutions, pension funds, technology-based regulation, financial technology, and other technology-based which are under the supervision of Bank Indonesia, OJK, and the Deposit Insurance Corporation (Lembaga Penjamin Simpanan).

OJK as the supervisor of the capital market activities also issued OJK Regulation Number 22 of 2023 on Consumer and Public Protection in the Financial Services Sector . The second part of Paragraph 3 of POJK No. 22 of 2023 further regulates the protection of consumer data and information which requires PUJK to maintain the confidentiality and security of consumer data and/or information. PUJK's obligation is carried out by applying the basic principles of processing personal data protection as stipulated in the provisions of laws and regulations regarding personal data protection. PUJK that violate the specified obligations may be subject to administrative sanctions, including administrative fines. Indonesia has a very firm stance against the dissemination of customers’ personal data that could lead to criminal conducts in the capital market relative to a maximum of Rp15,000,000,000.00 (fifteen billion rupiah). 

However, there are some conditions where personal data can be accessed by the authorities for the benefit of the state. As stated in Article 40 of Indonesian Law Number 10 of 1998 jo. Indonesian Law Number 7 of 1992 on Banking (Banking Law), banks are prohibited from providing customer information. However, the provisions in this article are exempted by Articles 41 - 44 of the Banking Law, one of which is on the basis of taxation interests, the minister is authorized to issue a written order to the bank to provide information (Article 41).

Indonesia maintains a firm stance regarding the dissemination of customers’ personal data  that could lead to criminal conducts in the capital market. This commitment has been evident as the financial sector continues to advance in the field of information technology and/or electronic technology, which, among other impacts, has led to the emergence of e-commerce and financial technology (fintech). The rapid growth of the financial sector in the current digital era has indeed brought significant benefits to Indonesian society, but it has also created opportunities for criminals to engage in various types of digital crimes, one of which is the misuse of customers' personal data. Therefore, the Indonesian government has taken decisive steps to protect customers' personal data. The Indonesian government’s stance can be clearly seen in the regulations issued, notably in Article 67 and 70 of Indonesian Law Number 27 of 2022 on Personal Data Protection. Article 67 regulates criminal conduct for individuals who intentionally obtain or use personal data for personal gain, while Article 70 establishes criminal sanctions for corporations that violate personal data protection. Additionally, POJK Number 22 of 2023 concerning the Consumer and Public Protection in the Financial Services Sector also contributes by mandating PUJK to maintain the confidentiality of consumer data and enforce administrative sanctions for the violations. Through these legal foundations, Indonesia is committed to ensuring the security and protection of personal data by ensuring that the rights of customers are well protected.

Thus the results of our analysis, may it provide enlightenment! 

*The answers to ALSA Legal Assistance's questions do not have permanent and binding legal force, and cannot be used as evidence in court. ALSA Legal Assistance and ALSA LC UGM cannot be sued or prosecuted for any statements, errors, inaccuracies, or deficiencies in any content submitted on the ALSA Legal Assistance website.

For further legal opinion, it is advisable to contact a professional who has expertise in the field.

*Our answers have been reviewed by Alfatika Aunuriella Dini, S.H., M.Kn., Ph.D.

Bibliography: 

RegulationsThe 1945 Constitution of the Republic of Indonesia.

Indonesian Law Number 27 of 2022 on Personal Data Protection.

OJK Regulation Number 22 of 2023 on Consumer and Public Protection in the Financial Services Sector (POJK No. 22/2023).

Journals

Anggraeni, Setyawati Fitri. “Polemik Pengaturan Kepemilikan Data Pribadi: Urgensi untuk Harmonisasi dan Reformasi Hukum di Indonesia.” Jurnal Hukum & Pembangunan 48, no. 4 (2023). 

Yuking, Ana Sofa. “Urgensi Peraturan Perlindungan Data Pribadi dalam Era Bisnis Fintech.” Jurnal Hukum & Pasar Modal 8, no 16 (2018).

Thesis

Marhaeni, Ferdawati Mega. “Tinjauan Yuridis Tindak Pidana Penyebaran Data Pribadi (Doxing) Di Media Sosial.” Skripsi Sarjana Universitas Borneo Tarakan, Tarakan, 2022.

Others

Ibrahim, Muhamad. “Awas! Data Pribadi Bocor jadi Ancaman Serius bagi Negara”. https://infobanknews.com/awas-data-pribadi-bocor-jadi-ancaman-serius-bagi-negara/.