The scandal of Facebook and Cambridge Analytica has ignited debates about data privacy enforcement. The pressing question is twofold. First, it is about compliance and enforcement mechanisms against Facebook and CA and similar entities. Second, it is about compensation for the Facebook users as well as assurance for the future, that data misuse like this will not happen again. Indonesia is no exception to these questions.
There is an ongoing class action lawsuit against Facebook’s California headquarters and Jakarta office and CA in London. The Institute for the Development of Indonesian Information Society Empowerment, and Indonesia ICT Institute has filed the lawsuit to the South Jakarta District Court. The first trial is set for the third week of August 2018.
The central issue of the lawsuit is on Facebook users’ data misuse especially Indonesian users. As Facebook is recognized as an electronic system provider under the Electronic Information and Transaction Law, the plaintiffs argue Facebook is subject to Indonesian laws. Cambridge Analytica also is believed to obtain personal data of Indonesian users because the Facebook policy on third-party apps allowed them to do so.
This lawsuit is paramount because it will hold the critical answers to the questions of first, whether our current legal rules are adequate for a data privacy related case. Second, how far can Indonesian authorities including the courts ensure compliance through effective measures against Facebook and CA and similar outfits? Third, what are possible compensations for Indonesian citizens as Facebook users whose personal data was abused?
To this date, relevant legislation about data privacy is the above cyberlaw, where one core provision is the importance of consent for any use of personal data utilizing the electronic medium. The implementing regulation is the ministry regulation no. 20/2016 on Personal Data Protection in Electronic Systems.
In this lawsuit, the plaintiffs refer further to the Governmental Regulation No. 82/ 2012 on the Operation of Electronic Systems and Transactions, the basis for their charges of Facebook’s wrongdoing of not notifying Indonesian users of the data misuse.
The plaintiffs also demand consumer protection and disclosure of public information and refer to the constitutional right to communication and obtaining information.
Further, the plaintiffs call on the government to block Facebook and suspend its operational activities in Indonesia. The plaintiffs also demand compensation for material and immaterial loss for Indonesian citizens.
The plaintiffs’ arguments seem valid as they raise the central issues of the scandal of Facebook and CA and protection of Indonesian users.
Nevertheless, there are at least two aspects of the case that might affect its degree of significance to Indonesia.
First is the extraterritorial effect of this lawsuit. While Facebook has an office in Indonesia, CA does not. At the very least collecting evidence would need cooperation between Indonesian authorities with those in the United Kingdom and the United States.
Secondly, CA, part of a bigger business group, has reportedly begun proceedings of insolvency both in the UK and the US. By the time of trials here, CA may have ceased to exist.
Further, as Indonesian courts generally do not recognize jurisprudence, any ruling may not largely impact further legal protection of personal data in Indonesia. Nevertheless, we need to keep our eyes on the case, at least as a learning experience in the hopes of better efforts towards protection of our privacy in cyberspace.