https://dinastires.
org/JLPH Vol.
No.
1, 2025
DOI: https://doi.
org/10.
38035/jlph.
https://creativecommons.
org/licenses/by/4.
Legal Liability of Fintech Operators for Personal Data Misuse in the Context of Unlawful Acts: Analysis of the Case of NS Versus AdaKami Pietro Grassio Eko Yulio1*.
Jesslyn Janet Cen2.
Theresia Aurellia Gunawan3.
Telly Augustine4 Universitas Pelita Harapan.
Indonesia, pietro.
ekoyulio@lecturer.
Universitas Pelita Harapan.
Indonesia, jjanetcen@gmail.
Universitas Pelita Harapan.
Indonesia, theresiaurel@gmail.
Universitas Pelita Harapan.
Indonesia, tellywarren188@gmail.
Coresponding: pietro.
ekoyulio@lecturer.
Abstract: The rapid development of financial technology .
in Indonesia creates opportunities for financial inclusion while simultaneously raising concerns regarding consumer data protection.
One prominent case is the dispute between NS and AdaKami, which demonstrates alleged misuse of personal data by debt collectors in debt collection practices.
This research aims to analyze the fulfillment of the elements of tort .
erbuatan melawan hukum/PMH) as stipulated in Article 1365 of the Indonesian Civil Code and to assess the scope of legal liability borne by fintech providers as data controllers.
The study employs a normative juridical method with statutory and conceptual approaches, supported by a case study analysis.
The findings indicate that all elements of PMH are fulfilled, including the existence of unlawful acts contrary to the Personal Data Protection Law (PDP La.
, the Information and Electronic Transactions Law (ITE La.
, and prevailing moral standards.
the presence of fault in the form of intentional misconduct .
by debt collectors and negligence .
ulpa in custodiend.
by AdaKami in supervising third parties.
the occurrence of material and immaterial losses.
causal relationship between the act and the harm suffered by the consumer.
These findings affirm that fintech providers are not only contractually liable but also delictually liable through the application of strict liability in safeguarding personal data.
Nevertheless, although the legal framework is already established through the Civil Code and the PDP Law, its implementation remains ineffective due to weak regulatory oversight and the heavy burden of proof imposed on consumers.
Accordingly, this research underscores the necessity of strengthening consumer protection in fintech through strict liability enforcement, enhanced supervisory mechanisms, and the establishment of accessible and consumer-oriented dispute resolution systems.
Keywords: Tort.
Legal Liability.
Personal Data Misuse.
Fintech.
Consumer Protection.
INTRODUCTION
The development of financial technology (AufintechA.
has had a significant impact on the civil law system in Indonesia.
One notable innovation is peer-to-peer lending (AuP2P 778 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
, better known as online lending.
This service provides easier access to faster, more efficient financing, reaching people who were previously underserved by formal financial However, this development also presents complex legal issues.
From an economic perspective, the total accumulation of P2P lending disbursements continues to increase, reaching more than IDR 657 trillion nationally to date.
1 This growth reflects the high demand for alternative financing, especially among the unbanked.
2 However, on the other hand, the rise of online lending has caused significant social losses.
These social losses come from high interest rates and intimidating collection practices, which cause serious psychological pressure for borrowers and parties not directly related to the loan.
This pressure triggers anxiety, prolonged stress, and a loss of peace of mind.
In addition, there are also social losses in the form of negative stigma from the surrounding community.
Data shows that the P2P lending industry in Indonesia is growing rapidly.
Based on a report by the Financial Services Authority (OJK), as of July 2025, there were 96 licensed and officially supervised P2P lending operators.
3 From an economic perspective, the total accumulated P2P lending continues to increase, reaching more than IDR 657 trillion nationally to date.
This growth reflects the high demand for alternative financing, especially among the However, on the other hand, the rise of online lending has caused significant social This harm comes from high interest rates and intimidating collection practices, which cause serious psychological pressure for borrowers and those not directly involved in the loan.
This pressure triggers anxiety, prolonged stress, and a loss of peace of mind.
In addition, there are also social losses in the form of negative stigma from the surrounding community towards individuals known to be involved in online loans, which has the potential to damage social relationships and personal reputation.
The phenomena that arise in the practice of online lending include misuse of personal data, excessive and intimidating debt collection practices, and actions that have the potential to harm parties who have never taken out a loan.
These conditions pose serious problems in the framework of consumer protection and demand clear legal responsibility from the organizers.
The legal relationship between fintech operators and consumers must be based on legal certainty and adequate protection, as digital-based transactions are prone to creating an imbalance of bargaining power between consumers and companies.
5 In practice, consumers are in a weak position, both in terms of access to information and the ability to negotiate the terms and conditions of service use.
Therefore, fintech innovation should not only be viewed as an instrument of financial inclusion, but also as a legal object that carries potential risks.
The case between NS and PT Pembiayaan Digital Indonesia (AuAdaKamiA.
is a concrete example of this problem.
NS, who never applied for a loan through the AdaKami platform, received more than 300 collection calls in one month, including threats to humiliate him on social media.
6 These actions caused both material and immaterial losses, which ultimately Asosiasi Fintech Pendanaan Bersama Indonesia.
Tentang Asosiasi Fintech Pendanaan Bersama Indonesia (AFPI).
Retrieved 1 Oktober 2025, from https://afpi.
Unbanked are individuals or groups who have no access whatsoever to formal banking services, such as savings accounts, debit cards, credit cards, or bank loans.
They generally live outside the traditional financial system and tend to rely on alternative services such as cash, cheques, or informal loans.
Tim Hukum Online.
Daftar 96 Pinjaman Online Berzin OJK per Juli 2025.
Retrieved 1 Oktober https://w.
com/berita/a/daftar-96-pinjaman-online-berizin-ojk-per-juli-2025lt621069c4f3934/.
Rohmah.
Y & Khodijah.
Resiko dan dampak sosial judi dan pinjaman online pada remaja.
Dimensia: Jurnal Kajian Sosiologi, 13, 85-92.
https://doi.
org/10.
21831/dimensia.
Situngkir.
L & Napitupulu.
Kepastian Hukum atas Perjanjian Elektronik dalam Layanan Fintech.
Jurnal Dimensi Hukum.
https://law.
id/index.
php/jdh/article/view/644.
Ibrahim.
Digugat Rp2 Miliar.
Begini Respons Pindar AdaKami.
Retrieved 1 Oktober 2025, from https://infobanknews.
com/digugat-rp2-miliar-begini-respons-pindar-adakami/.
779 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
prompted NS to file a civil lawsuit on the grounds of unlawful acts (AuPMHA.
as stipulated in Article 1365 of the Civil Code (AuKUHPerdataA.
Article Civil Code AuAny unlawful act that causes harm to another person obligates the person whose fault caused the harm to compensate for the harm.
Ay8 From these provisions, it can be understood that any action, whether active or negligent, that causes harm to others can be subject to legal liability.
9 In the context of fintech, this is important because operators are required to ensure that no party is harmed as a result of weak verification systems, misuse of personal data, or errors in billing mechanisms.
Thus, the legal issues in the NS case not only concern the relationship between individuals and fintech companies, but also concern the fundamental principles of personal data protection, the validity of legal relationships, and the accountability of operators in the digital financial ecosystem.
RESEARCH METHOD
In legal studies, research methods can be divided into several types.
Legal research falls into two broad categories, namely normative legal research and empirical legal research.
Both have different characteristics, but in academic practice they are often combined to obtain comprehensive analytical results.
Normative legal research: Normative legal research is research that views law as positive norms that apply in society.
The focus of this research is on the analysis of legislation, doctrine, legal principles, and court decisions.
It is more theoretical and conceptual in nature, because the objects of study are legal texts or official documents that have been formulated by legislators and judicial institutions.
In other words, normative research answers the question of how the law should be .
as solle.
Second, empirical legal research: Unlike normative research, empirical legal research treats law as a social phenomenon that exists within society.
As explained by Peter Mahmud Marzuki, empirical research examines the actual implementation of law, including the behavior patterns of law enforcement officials, public compliance, and the social impact of the application of certain regulations.
The data sources in empirical research do not only come from documents, but can also be in the form of interviews, observations, or primary data that reflect legal practices in everyday life.
Thus, empirical research answers the question of how the law works in reality .
as sei.
In the development of legal methodology, these two approaches can be combined into empirical normative legal research.
This model not only analyzes legal texts and doctrines conceptually, but also examines how these legal norms are applied in practice.
This combination is necessary when legal issues cannot be separated from the social context and concrete facts in the field.
Based on this framework, this study uses an empirical normative The choice is based on the characteristics of the issue under study, namely the case of NS v.
PT Pembiayaan Digital Indonesia (AdaKam.
This case not only requires a normative study of applicable legal norms, such as Article 1365 of the Civil Code, the ITE Law, the Hasan.
Duduk Perkara Korban Teror Pinjol hingga Akhirnya Gugat Rp 2 Miliar ke AdaKami.
Retrieved 1 Oktober 2025, from https://w.
co/ekonomi/duduk-perkara-korban-teror-pinjolhingga-akhirnya-gugat-rp-2-miliar-ke-adakami-2063619.
Kitab Undang-Undang Hukum Perdata.
Article 1365.
Suari.
A & Sarjana.
Menjaga Privasi di Era Digital: Perlindungan Data Pribadi di Indonesia.
Jurnal Analisis Hukum.
https://journal.
id/index.
php/JAH/article/view/4484 Soekanto.
, & Mamudji.
Penelitian Hukum Normatif: Suatu Tinjauan Singkat.
Jakarta:
Rajawali Pers.
Ibid.
Marzuki.
Penelitian Hukum.
Jakarta: Kencana.
780 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
Personal Data Protection Law, and POJK on fintech lending, but also requires an empirical study of concrete facts, such as debt collection practices, alleged misuse of personal data, and the social and psychological impacts experienced by victims.
The legal materials used include:
Primary legal materials: Civil Code.
Law No.
11 of 2008 concerning Electronic Information and Transactions.
Law No.
27 of 2022 concerning Personal Data Protection, and POJK No.
40/POJK.
05/2022.
Secondary legal materials: legal doctrines and literature, including Rosa Agustina (Unlawful Acts.
UI Press, 2.
Munir Fuady (Unlawful Acts: A Contemporary Approach.
Citra Aditya Bakti, 2.
, and R.
Setiawan (Principles of Civil Law.
Binacipta, 1.
Tertiary legal materials: official OJK reports, publications from the Indonesian Joint Funding Fintech Association (AFPI), and credible mass media reports.
By combining normative and empirical analysis, this study aims to provide a more comprehensive picture of the legal responsibilities of fintech operators in terms of unlawful acts, while identifying gaps between regulations and practices in the field.
Problem statement How were the elements of PMH applied in the case of NS's intimidation by AdaKami? To what extent can the misuse of personal data in fintech lending practices result in legal liability for platform operators under the Personal Data Protection Law and the Civil Code? Analysis Facts & Circumstances The dispute between NS and Adakami as the Defendant began with intensive debt collection efforts by debt collectors.
NS received dozens of phone calls every day on his cell phone, totaling 310 calls in one month, even outside of working hours.
In the collection process, the debt collector not only demanded payment, but also threatened to embarrass NS on social media if the loan was not repaid immediately.
However.
NS never applied for a loan from AdaKami.
This fact raises strong suspicions that there has been misuse of personal data, either from AdaKami's internal or external systems.
Logically, it is impossible for someone's personal data to be registered on a fintech platform without a registration, verification, and approval In relation to this matter.
NS has taken non-litigious measures by sending two summonses to AdaKami.
The summonses contained objections to the debt collection tactics, which were considered unlawful because they not only collected on loans that never existed, but also disturbed personal peace and caused serious psychological distress.
However, since the formal notices did not receive an adequate response.
NS subsequently filed a civil lawsuit with the South Jakarta District Court under Case Number 852/Pdt.
G/2025/PN JKT.
SEL.
In this lawsuit.
NS is seeking damages of Rp2,005,000,000, consisting of:
Material losses amounting to IDR 5,000,000, including transportation costs for preparing reports, costs for sending summonses, transportation costs for attending court hearings, and advance litigation costs.
Immaterial losses amounting to Rp2 billion, arising from fear, psychological pressure, declining health, and excessive anxiety.
NS was even forced to work from home (WFH) in order to maintain stable blood pressure due to the stress he experienced.
In addition.
NS also requested that the Financial Services Authority (OJK), as a codefendant, revoke AdaKami's operating license, given the alleged misuse of personal data and collection practices that were considered to have violated the law and harmed consumers.
AdaKami, through its Chief of Public Affairs.
Karissa Sjawaldy, stated that the company would follow the applicable legal procedures and affirmed its commitment to follow 781 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
up on complaints in accordance with the consumer protection mechanisms regulated by the OJK.
Legal Analysis (Article 1365 of the Civil Cod.
Elements of an Act The first element of an unlawful act .
nrechtmatige daa.
is the existence of a concrete act by a legal subject.
An AuactAy is not limited to positive acts such as debt collection or signing a contract, but also includes omissions that result in harm to others.
This view broadens the scope of AuactsAy in civil law, so that even a passive attitude that causes harm can be the basis for legal liability.
In line with this.
Subekti emphasized that every manifestation of human will, whether in the form of actual actions or negligence, is the starting point for the possibility of unlawful This means that civil law not only protects society from active actions that violate rights, but also from negligence that causes harmful consequences.
In the context of the NS case, this element of AuactionAy is very clear and undeniable.
There were 310 phone calls recorded in one month, made by debt collectors on behalf of AdaKami.
These calls not only violated norms of propriety because they were made outside of working hours, but were also accompanied by threats to humiliate NS on social media.
These actions were no longer merely the fulfillment of collection obligations, but had turned into intimidating actions that exceeded reasonable limits.
This situation can be classified as abuse of rights, which occurs when a person or legal entity exercises their rights excessively, thereby violating the principles of propriety, fairness, and the social function of law.
14 Debt collectors do have the right to collect debts, but in NS's case, this right was exercised without a valid legal basis because NS never entered into a loan agreement and was subjected to methods that caused psychological and social distress.
Therefore, the element of Auan actAy in Article 1365 of the Civil Code has been clearly fulfilled in this case.
In fact, when compared to the classical doctrine that requires a concrete act that gives rise to legal consequences, the debt collector's actions against NS demonstrate the most concrete form of an unlawful act, as there is an active act in the form of telephone harassment and a potential omission on the part of the corporation that failed to protect the personal data security of its consumers.
Elements of Unlawful Acts In its early development, the doctrine of unlawful acts .
nrechtmatige daa.
in Indonesia was interpreted narrowly as acts that directly violated written laws and regulations.
This paradigm is rooted in the classical understanding of civil law that emphasizes formal legality, namely that an act is considered unlawful only if it contradicts positive legal norms that are explicitly formulated in the law.
This monumental ruling expands the concept of unlawful acts by stating that unlawful acts are not limited to violations of legal norms, but also include actions that:
Contrary to laws and regulations.
Violating the subjective rights of others.
Contrary to moral norms, and Contrary to propriety in society.
The expansion of this doctrine confirms that civil law has the function not only of maintaining formal certainty, but also of protecting fundamental values in society.
Thus, the Subekti.
Pokok-Pokok Hukum Perdata.
Jakarta: Intermasa.
Kalmanjunior.
Misbruik van Recht: Penyalahgunaan Hak dalam Hukum.
Retrieved 1 Oktober 2025, from https://pekerja.
com/info/misbruik-van-recht-penyalahgunaan-hak-dalam-hukum/.
782 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
parameter of Auagainst the lawAy is not only normative-formal in nature, but also material and When related to the case of NS v.
AdaKami, the element of Auagainst the lawAy can be said to be fulfilled in several important aspects:
Absence of a valid agreement Based on Article 1320 of the Civil Code, one of the requirements for a valid agreement is the existence of an agreement between the parties.
Since NS never entered into a loan agreement with AdaKami, the contractual relationship that forms the legal basis for the collection never came into existence.
Thus, the collection action against NS was carried out without a valid legal basis.
The collection is not only contractually flawed, but also violates the principle of consensualism, which is the main pillar of contract law.
Violation of the UU PDP Article 20 of the PDP Law explicitly stipulates that all processing of personal data must be based on the consent of the data owner.
The fact that NS's phone number and identity were entered into the AdaKami system without his consent indicates a serious violation of his right to privacy.
Privacy here is not merely a moral right, but a legal right protected by law.
Thus, this action can be classified as an unlawful act in the context of personal data Violation of the UU ITE Article 29 of Law No.
11 of 2008 concerning Electronic Information and Transactions .
nd its amendment.
prohibits the sending of threats or terror through electronic media.
The fact that there were 310 intimidating phone calls clearly fulfills the elements of an act prohibited by law.
Thus, in addition to violating civil norms, this act also has the potential to fall under the realm of criminal acts within the framework of the UU ITE.
Contrary to the principles of propriety and decency Although AdaKami may argue that these actions are part of a debt collection mechanism, the methods used, namely threats of public exposure and telephone terror outside of working hours, clearly contradict the sense of propriety that exists in society.
Civil law recognizes the principle of propriety as a moral standard that must be adhered to by every legal subject in exercising their rights and obligations.
The principle of propriety serves as a social Thus, the element of AuunlawfulnessAy in the NS case is not only fulfilled normatively .
ecause it violates various applicable law.
, but also materially and sociologically.
Normatively, the debt collector and AdaKami have violated the Civil Code, the PDP Law, and the ITE Law.
Sociologically, the practice of terror and intimidation through electronic media causes unrest, disturbs individuals' sense of security, and undermines public trust in the fintech At this point, it is important to emphasize that civil law not only serves to maintain contractual certainty, but must also protect the interests of the wider community from the misuse of financial technology.
The doctrine of unlawful acts allows judges to respond to new acts that harm society even if they are not specifically regulated by law.
15 Within this framework, the NS case clearly shows how the development of fintech has given rise to new modes of legal violations that must still be corrected through PMH instruments.
Elements of Error The element of fault is an essential component of PMH.
Fault is essentially subjective liability arising from malicious intent .
or negligence .
A person is considered Salam.
Perkembangan Doktrin Perbuatan Melawan Hukum Penguasa.
Jurnal Nurani Hukum.
https://w.
net/profile/Syukron-Salam/publication/331327545.
783 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
guilty if they can be legally blamed for their actions, either because they intended the consequences or because they failed to take into account the consequences that should have been foreseeable.
The measure of negligence is the standard of a prudent person .
onus pater familia.
that every legal subject should adhere to.
In the context of the NS v.
AdaKami case, fault cannot be reduced to only one party.
There are two interrelated levels of fault.
First, at the operational level, debt collectors who made 310 calls within a month, including outside working hours, and even threatened to publish the information on social media, clearly acted intentionally .
Such threats could not have been made without a conscious intention to psychologically pressure the victim.
This falls under the category of dolus directus, which is full intent aimed at achieving a specific result.
In the framework of civil law, such actions are no longer merely debt collection, but a form of terror that is contrary to positive law, propriety, and the sense of justice of the community.
Second, at the managerial level.
AdaKami as a corporation can be considered to have committed serious negligence .
ulpa in custodiend.
The fact that NS's personal data could be used for the loan process, even though he never registered, indicates a fundamental weakness in the data verification and protection mechanism.
In the digital age, personal data is a legal asset that must be protected with high security standards.
Failure to protect personal data cannot be viewed as merely a technical error, but rather as a legal negligence that carries civil liability 16 This is in line with the fact that corporations are required to ensure that there is an effective monitoring system for collection partners and other third parties.
17 If the monitoring mechanism does not work, then the negligence can be qualified as structural negligence, which gives rise to direct corporate liability.
Within the framework of legal liability, the debt collector's fault cannot be separated from AdaKami's fault.
The doctrine of vicarious liability states that a corporation is responsible for the actions of persons acting for and on its behalf.
The debt collector in this case acted as an extension of AdaKami.
Therefore, the intentional acts .
of the debt collector and the negligence .
of AdaKami's management must be viewed as a single entity that forms the basis of the corporation's civil liability.
It is important to emphasize that this case reflects a double failure: failure at the individual level .
ebt collecto.
who acted with malicious intent, and failure at the institutional level (AdaKam.
which neglected its obligations of supervision and data protection.
This double failure shows that the problem is not merely a deviation by individuals, but an indication of systemic weaknesses in the governance of fintech lending in Indonesia.
If the court only stops at a formal normative assessment without comprehensively exploring the dimensions of this error, then the verdict risks not addressing the root of the problem.
Therefore, the analysis of errors in this case must be directed towards the understanding that fintech is not only a business entity, but also a legal entity that bears a social obligation to protect consumers and the public from losses arising from data misuse and abusive collection practices.
Loss Elements Loss is one of the essential elements in PMH.
Without loss, there is no legal basis for filing a claim for compensation.
Loss in the context of PMH is divided into two forms:18 Material losses, which are losses that can be calculated concretely in monetary terms.
Syofyan.
Nazmi.
, & Arfiani.
Tanggung Gugat Pemerintah Atas Kebocoran Data Pribadi Masyarakat Dalam Perspektif Undang-Undang Pelindungan Data Pribadi.
Nagari Law Review.
https://nalrev.
id/index.
php/nalrev/article/view/1032.
Article 62 ayat .
POJK 22/2023.
Prasetio.
& Dwinanto.
Di Mana Pengaturan Kerugian Konsekuensial dalam Hukum Indonesia?.
Retrieved 3 Oktober 2025, from https://w.
com/klinik/a/di-mana-pengaturankerugian-konsekuensial-dalam-hukum-indonesia--lt4da27259c45b9/.
784 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
Immaterial losses, which are non-economic losses, such as mental anguish, fear, health problems, or damage to reputation.
Civil law protects not only economic interests, but also personal interests .
, including the right to peace, honor, and privacy.
Material Losses: In NS's case, material losses can be identified from various expenses incurred as a result of debt collection harassment.
Based on the lawsuit that has been filed, these losses include:
Transportation costs for filing a police report, sending a summons, and attending court hearings, estimated at Rp5,000,000.
Healthcare costs related to treatment for high blood pressure and anxiety resulting from prolonged stress.
This material loss indicates the existence of a direct economic loss that can be calculated The conditions for a loss to be compensated are that the loss is actual and reasonably foreseeable.
20 Thus.
NS's claim for material loss has a strong basis because there is evidence of direct expenses incurred as a result of the unlawful acts it experienced.
This material loss indicates the existence of a direct economic loss that can be calculated The conditions for a loss to be compensated are that the loss is actual and reasonably foreseeable.
Thus.
NS's claim for material loss has a strong basis because there is evidence of direct expenses incurred as a result of the unlawful acts it experienced.
Immaterial losses should be viewed as real losses because emotional distress can reduce a person's quality of life.
Furthermore, consumer protection should cover non-economic aspects, as violations of privacy rights and intimidating threats have the potential to damage human dignity.
From a personal data protection perspective, the leakage or misuse of personal data that leads to digital intimidation not only causes economic losses, but also immaterial losses that have a long-term impact on the mental health of victims.
Additionally, sociologically.
NS's case reveals a broader form of social harm.
Based on a report by Infobanknews, the terror perpetrated by both illegal and legal fintech debt collectors has created social unrest and reduced public trust in the fintech industry.
23 Thus, the immaterial losses experienced by NS are not only individual in nature but also have an impact on the social sphere because they worsen the stigma against digital financial services.
The losses in the NS case must be understood comprehensively, not merely in economic Material losses can indeed be calculated concretely, but immaterial losses are far more significant because they touch on fundamental individual rights, namely the right to security, peace of mind, and personal dignity.
In Munir Fuady's perspective, acts that violate personal rights must be viewed more seriously because they concern fundamental aspects of human dignity.
Furthermore, a legal approach that focuses only on material losses will reduce the reality of the victims' suffering.
In the context of fintech, immaterial losses are even more Subekti.
Pokok-Pokok Hukum Perdata.
Jakarta: Intermasa.
Ikromi.
Analisis Perlindungan Hukum terhadap Pihak yang Dirugikan Akibat Perbuatan Melawan Hukum dalam Perjanjian.
AL-DALIL: Jurnal Ilmu Sosial.
Politik.
Dan Hukum, 2, 78Ae85.
https://ejournal.
id/index.
php/al-dalil/article/view/771.
Auli.
Tujuan dan Dasar Hukum Perlindungan Konsumen.
Retrieved 3 Oktober 2025, from https://w.
com/klinik/a/hukum-perlindungan-konsumen-lt62dfc65f7966c/.
Rodrigues.
Understanding Data Breach from a Global Perspective: Incident Visualization Data Protection Law Review.
Journal Data.
https://w.
net/publication/377865371_Understanding_Data_Breach_from_a_Global_Perspective _Incident_Visualization_and_Data_Protection_Law_Review Ibrahim.
Digugat Rp2 Miliar.
Begini Respons Pindar AdaKami.
Retrieved 4 Oktober 2025, from https://infobanknews.
com/digugat-rp2-miliar-begini-respons-pindar-adakami/.
785 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
dominant because the misuse of personal data and digital threats can cause long-term Therefore, the court should award significant immaterial compensation as a form of recognition of the victims' suffering and as a deterrent effect for business actors to improve their consumer protection governance.
Thus, the element of loss in the NS case is not only fulfilled, but also shows that there is a gap in legal protection in Indonesia, particularly in relation to personal data protection and collection mechanisms in the fintech industry.
Elements of Causality The element of causality .
ausal verban.
in unlawful acts (PMH) is an important requirement for establishing a link between the perpetrator's actions and the losses suffered by the victim.
Without a causal relationship, it is impossible for a party to be held legally liable.
Causality in PMH is determined through two main approaches:
The Conditio Sine Qua Non theory, which states that an act is considered a cause if, without that act, the loss would not have occurred.
The Adequate Causation theory, which states that an act is only considered a cause if that act could reasonably cause the loss suffered by the victim.
The judge must assess whether there is a logical, reasonable, and appropriate connection between the perpetrator's actions and the victim's losses, including considering the risk factor .
oreseeability of ris.
in the act.
In the NS case, the cause-and-effect relationship can be clearly explained through a series of events:
Misuse of NS's personal data entered into the AdaKami system without consent.
Debt collectors made 310 phone calls accompanied by threats of publication on social Direct consequences: NS suffered health problems in the form of high blood pressure, stress, anxiety, and financial losses due to transportation costs, summons fees, and legal fees.
Based on the conditio sine qua non theory, if NS's personal data was not processed illegally by the fintech company, then the debt collection harassment would not have occurred.
Similarly, if the debt collector had not made 310 intimidating calls, then NS would not have suffered material and immaterial losses.
Thus, the element of causality is fulfilled.
From the perspective of adequate causation, it is reasonable and predictable that the actions of debt collectors who repeatedly make collection calls accompanied by threats will cause psychological distress, deteriorate health, and incur additional costs for the victim.
Therefore, the causal relationship in this case is not merely technical, but also logical and The issue of causality in the NS case highlights the systemic vulnerability in the governance of fintech in Indonesia.
On the one hand.
AdaKami may argue that the misuse of personal data originated from an irresponsible third party, so they cannot be held directly However, from the perspective of culpa in custodiendo .
egligence in supervisio.
, fintech operators must still be responsible for the security of personal data within their systems.
Any processing of personal data without consent gives rise to legal liability, even if the misuse is committed by an external party.
This is in line with Article 44 of POJK 10/2022, which requires fintech operators to ensure the security of consumer data and prohibits the use of collection methods that involve intimidation.
Thus, the causal relationship is not severed Nadiva & Kamal.
Kausalitas dalam Perbuatan Melawan Hukum pada Perjanjian Kredit Telah Diasuransikan.
Jurnal Magister Hukum Udayana.
https://w.
net/publication/391218079_Kausalitas_dalam_Perbuatan_Melawan_Hukum_pada_Pe rjanjian_Kredit_yang_Telah_Diasuransikan.
786 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
simply because of the involvement of a third party, as the primary obligation to maintain data security lies with the operating corporation.
Furthermore, sociologically, the NS case shows a complex causal relationship: personal data leak Ie entry into the fintech system Ie collection by debt collectors Ie digital intimidation Ie psychological, health, and financial losses.
25 Each link in this process strengthens the evidence of a complete cause-and-effect relationship.
Therefore, it can be concluded that the causal relationship in the NS case is not only normatively fulfilled through classical doctrine, but also has a real empirical dimension in Normatively, the fulfillment of this element means that AdaKami can be held civilly liable under Article 1365 of the Civil Code.
Empirically, this case underscores the importance of improving data security standards in the fintech industry as an effort to prevent similar losses in the future.
Analysis of Legal Liability for Platform Operators based on the Personal Data Protection Law and Civil Code in the Misuse of Personal Data The misuse of personal data in fintech lending practices essentially raises fundamental questions about the extent to which platform operators can be held legally accountable.
Normatively, personal data is now considered part of an individual's human rights and privacy rights that must be protected by law.
Personal data is a representation of a person's identity that is inherent and constitutional in nature, so processing it without a legal basis constitutes a serious violation.
27 Law No.
27 of 2022 concerning Personal Data Protection (PDP La.
has confirmed that data processing can only be carried out with the explicit consent of the data owner28, and requires personal data controllers to ensure the security and accountability of the data they manage29.
In the context of the NS v.
AdaKami case, it appears that NS's identity was entered into the online loan system even though he never registered or applied for credit.
The fact that he received more than 310 intimidating calls from debt collectors indicates that his data was processed and used without a legal basis.
From the perspective of the PDP Law.
AdaKami is positioned as a data controller that remains responsible for all forms of data misuse, even if the unlawful acts were committed by a third party working for it.
Fintech should be subject to the principle of strict liability, which is absolute liability without the need to prove direct fault, given the platform's dominant position in controlling and processing consumer data.
With this principle, victims such as NS are not burdened with the obligation to prove the source of the data leak, because legally the responsibility lies with the fintech operator.
In addition to the normative basis in the PDP Law, fintech operators can also be held civilly liable under Article 1365 of the Civil Code concerning unlawful acts (PMH).
PMH
contains five elements: the existence of an act, unlawfulness, fault, loss, and causality.
30 In the case of NS, these elements are clearly fulfilled.
First, there was a concrete act in the form of Respati.
R & Djumena.
Lanjutan Kasus Gugatan Teror Pindar AdaKami.
Retrieved 4 Oktober 2025, from https://money.
com/read/2025/09/06/141500926/lanjutan-kasus-gugatan-terorpindar-adakam.
Munawaroh.
Pelindungan Data Pribadi dalam Penyelenggaraan Fintech.
Retrieved 4 Oktober 2025, from https://w.
com/klinik/a/pelindungan-data-pribadi-dalam-penyelenggaraanifintech-i-lt5c498fb94dc87/.
Luthfi.
Perlindungan Data Pribadi sebagai Perwujudan Perlindungan Hak Asasi Manusia.
Jurnal Sosial Teknologi.
431Ae436.
https://sostech.
id/index.
php/sostech/article/view/336.
Article 20 UU PDP.
Article 12 UU PDP.
Yasin.
Kausalitas sebagai Elemen Krusial Gugatan PMH.
Retrieved 4 Oktober 2025, from https://w.
com/stories/article/lt683cdcbc0ba27/kausalitas-sebagai-elemen-krusial-gugatanpmh/.
787 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
310 phone calls accompanied by threats of publication that exceeded reasonable debt collection Second, the act was unlawful because there was no valid agreement (Article 1320 of the Civil Cod.
between NS and AdaKami, and it violated Article 20 of the PDP Law on data processing consent and Article 29 of the ITE Law, which prohibits sending threats or terror through electronic media.
Third, the element of fault is fulfilled both in the form of intent .
by the debt collector and negligence .
ulpa in custodiend.
by AdaKami in maintaining the security of personal data.
Fourth, the element of loss is proven both materially, in terms of transportation costs, legal costs, and potential health costs, as well as immaterially in the form of psychological pressure, fear, and deterioration of NS's health.
Fifth, there is a direct causal relationship between the act of terror in debt collection and the losses suffered by NS.
Thus, the civil lawsuit filed by NS based on PMH has a strong legal basis.
Although regulations are in place, the effectiveness of legal protection is still First, the newly enacted PDP Law is not yet fully effective because the personal data supervisory agency mandated by the law is not yet functioning optimally.
This makes it difficult for victims to pursue administrative channels.
Second, the Civil Code as the basis for PMH is still general in nature and requires complex proof of causality in court, which is a heavy burden for individual consumers.
Third, the characteristics of digital transactions create an inequality of bargaining power between consumers and corporations, where consumers are always in a weak position when dealing with fintech providers who control data, systems, and billing mechanisms.
31 In the NS case, even though AdaKami argued that it never received a loan application from NS, legal responsibility still attaches due to its negligence in maintaining the integrity of the data verification system.
The fact that NS's identity could be used by a third party to apply for a loan is sufficient proof of a weakness in security controls that can be qualified as legal negligence.
Thus, it can be concluded that the misuse of personal data in fintech lending practices not only raises ethical issues, but also gives rise to real legal liability for platform operators.
The PDP Law provides a normative basis with the principles of consent and accountability, while Article 1365 of the Civil Code provides instruments for victims to claim compensation.
However, the effectiveness of protection still depends on implementation and seriousness of The case of NS v.
AdaKami shows that without the application of strict liability principles and a rapid dispute resolution mechanism, legal protection for victims of fintech lending will only be symbolic.
Therefore, in the future, there is a need to strengthen specific regulations regarding fintech lending practices and law enforcement that favors consumers as the most vulnerable party.
CONCLUSION
Based on the results of the analysis, it can be concluded that the case of NS against AdaKami has fulfilled all elements of unlawful acts as referred to in Article 1365 of the Civil Code.
The element of unlawful acts is fulfilled through the actions of the debt collector who made 310 telephone calls accompanied by threats, which not only violate the provisions of the Personal Data Protection Law and the Electronic Information and Transactions Law, but also the principles of propriety, morality, and public interest.
The element of fault is proven through the existence of intent .
by the debt collector and negligence .
ulpa in custodiend.
by the organizer in carrying out its supervisory obligations towards third parties.
The element of loss is also evident, both material and immaterial, with a direct causal relationship between the act and the loss suffered by NS.
From a legal liability perspective, the misuse of personal data Ciek Julyati Hisyam.
Zakiyah Rodja.
Nuraini Salsabila, & Nadya Patricia Lubis.
Transformasi Sosial-Ekonomi dalam Era Ekonomi Digital: Analisis Sosiologi Ekonomi terhadap Dinamika Platform Online.
JURNAL
ILMIAH
EKONOMI,
MANAJEMEN,
BISNIS
DAN
AKUNTANSI,
01Ae13.
https://ejurnal.
id/index.
php/jemba/article/view/86.
788 | Page https://dinastires.
org/JLPH Vol.
No.
1, 2025
in the billing process proves that as an electronic system operator and data controller.
AdaKami bears strict liability for the security and use of consumers' personal data.
Although legal norms for protection are available in the Civil Code and the Personal Data Protection Law, their implementation has not been optimal due to weak supervision and the burden of proof that still weighs on consumers.
Thus, this case emphasizes the importance of treating fintech operators not merely as a means of financial inclusion, but as legal entities with an inherent obligation to ensure the protection of personal data and provide effective legal certainty for consumers.
BIBLIOGRAPHY