Bestuur E-ISSN 2722-4708 | P-ISSN 2302-3783 Vol. No. August, 2024, pp.

The Regulations of the Supervisory Officer Personal Data Protection-Based Accountability Principle

Wardah Yuspin a,1,*, Trisha Rajput b,2, Abhinayan Basu Bal b,3, Kelik Wardiono a,4, Absori a,5

a Faculty of Law, Universitas Muhammadiyah Surakarta, Surakarta, Indonesia.
b School of Business, Economics and Law, University of Gothenburg, Gothenburg, Sweden.
wy204@ums. id 2 trisha. rajput@law. se 3 abhinayan. basu@law. se 4 kw268@ums. id 5 abs154@ums.
*Corresponding author

ARTICLE INFO
Article history: Received: December 15, 2023; Revised: June 15, 2024; Accepted: June 25, 2024
Keywords: Comparison; Indonesia; Personal Data Protection; Sweden.

ABSTRACT
This study examines the model of regulations of the supervisory officer for personal data protection based on the accountability principle, with lessons from Sweden. This study uses a qualitative approach, reviewing and analyzing legal aspects and comparing laws. Even though Indonesia has a personal data protection law, misuse of personal data is still excessive, because accountability-based PDP supervision arrangements have not been properly implemented. Meanwhile, Sweden was chosen as a comparison country since it was one of the first countries to have a personal data protection law. The result shows that in Sweden personal data is regulated in the General Data Protection Regulation, and the personal data supervisor has implemented the principle of accountability well and has therefore worked effectively. Meanwhile, in Indonesia, a data protection supervisor has not been established; protection of personal data is still carried out on a sectoral basis by each agency appointed by law, which is deemed less effective in providing personal data protection. Therefore, a personal data supervisor with a single rule and direct responsibility to the president is the perfect model for Indonesia. This is an open-access article under the CC–BY 4.0 license.
https://doi.org/10.20961/bestuur. bestuur_journaleditorial@mail.

Introduction

The era of globalization has given information technology a significant status because it can create parts of the world without boundaries, distance, space, or time and can increase work productivity and time efficiency.1 Information technology changes the lives of the community and leads to rapid socio-cultural, economic, and legal changes.2 Protecting personal data has become more vital than ever with the increasing number of cell phone and internet users.3 Some cases have emerged, especially those related to the leakage of personal data and resulting in fraud or criminal acts of pornography, forcing the discourse on the importance of laws of personal data protection.4 This action relates to the concept of 5 The concept itself is the idea of maintaining personal integrity and dignity.

Based on the data that the author analyzes, it can be seen that the data on personal data leakage in Indonesia was relatively high in 2020, while in 2021, the cases decreased slightly, namely 85,763. However, in 2021 towards 2022, there was an increase in data regarding stolen personal data of 109. 47, and in 2023, there was also an increase of 143. The Swedish Data Protection Authority said that since GDPR came into force on May 25, 2018, it has received 3,000 complaints and 3,500 reports of privacy breaches. Most of the complaints relate to video surveillance and direct marketing.

1 Vibhushinie Bentotahewa, Chaminda Hewage, and Jason Williams, ‘The Normative Power of the GDPR: A Case Study of Data Protection Laws of South Asian Countries’, SN Computer Science, 3, 1–18 https://doi.org/10.1007/s42979-022-01079-z
2 Deborah Hicks, ‘Information Technology, Change and Information Professionals’ Identity Construction: A Discourse Analysis’, Proceedings ASIST Annual Meeting, https://doi.org/10.1002/meet.
It says that six out of ten reported privacy breaches are caused by human activity. In August 2020, details of bank vaults, alarm systems, and security arrangements for Swedish authorities were leaked online after a security company was hacked, local media reported on Tuesday. A total of 19 gigabytes of information and about 38,000 files were stolen from the Gunnebo security group by one or more hackers in August, according to the Dagens Nyheter newspaper.7 In November 2020, it said on Tuesday that Sweden's largest insurance company, Folksam, accidentally leaked the personal data of around one million customers to some of the world's largest technology companies. Folksam, which insures 50% of homes and individuals in Sweden, shares the data with tech giants such as Facebook, Google, Microsoft, and LinkedIn.

3 Rahime Belen Saglam, Jason R. Nurse, and Duncan Hodges, ‘Personal Information: Perceptions, Types and Evolution’, Journal of Information Security and Applications, 66, March, 103163 https://doi.org/10.1016/j.
4 Marie Helen Maras and Alex Alexandrou, ‘Determining Authenticity of Video Evidence in the Age of Artificial Intelligence and in the Wake of Deepfake Videos’, International Journal of Evidence and Proof, 3, 255–62 https://doi.org/10.1177/1365712718807226
5 Michaela Padden and Andreas Öjehag-Pettersson, ‘Protected How? Problem Representations of Risk in the General Data Protection Regulation (GDPR)’, Critical Policy Studies, 15, 486–503 https://doi.org/10.1080/19460171.
6 Vera Zinovieva, Mikhail Shchelokov, and Evgeny Litvinovsky, ‘Legal Issues of Protection of Personal Data: Cases of Transport Data Leaks’, Transportation Research Procedia, 68, 461–67 https://doi.org/10.1016/j.
7 Tiago Cruz and others, ‘A Cybersecurity Detection Framework for Supervisory Control and Data Acquisition Systems’, IEEE Transactions on Industrial Informatics, 12, 2236–46 https://doi.org/10.1109/TII.

In 2021, around 500 Coop supermarket stores in Sweden were forced to close due to the "colossal" impact of a cyber-attack that affected the organization worldwide. Coop Sweden said it closed over half its 800 stores on Friday after point-of-sale cashiers and self-service checkouts stopped working. Hackers did not target the supermarket, but it is one of a growing number of organizations indirectly affected by attacks on major software suppliers that companies use. Cyber researchers say around 200 businesses have been affected by a "colossal" disease of ransomware attacks, most of which impacted the US.

The Swedish Authority for Privacy Protection's (IMY) role is to uphold personal data protection, monitoring that they are handled correctly and avoiding falling into the wrong This is an increase of 26 percent compared to 2020, which only saw 4,588 reports. IMY received around 5,330 reports of personal data breaches, of which 70 percent came from the public sector and around 25 percent from the private sector. In 2023, IMY received reports that personal data theft in Sweden had decreased significantly from the previous year.

The emergence of personal data protection is a form of respect for the right to privacy. The genesis of the protection of the right to privacy is contained in the Indonesian constitution, namely the Constitution of the Republic of Indonesia 1945, especially Article 28G, which states that the law guarantees the protection of personal rights because they are included as human rights against all fear. Based on these provisions, which are strong recommendations for protecting human rights, this article can be used as a reference for forming more specific regulations regarding the protection of personal data. Based on that constitution, the protection of personal data becomes part of the protection of human rights.
These rules are then explained clearly in various existing regulations. Regarding regulations on personal data protection, there are 30 rules that regulate the protection of personal data.9 Referring to the delegation of supervisory authority over the protection of personal data to government agencies, so far the protection of personal data is partially regulated in various statutory regulations and is also accompanied by certain institutions that have the authority to act as personal data supervisors; for example, in the telecommunications law, the supervisory institution is determined in the form of the Indonesian Telecommunications Regulatory Body (BRTI), and for the Human Rights Law, the supervisory authority is the National Human Rights Commission (Komnas HAM). These practices clearly conflict with international standards, which emphasize the importance of an independent institution that can supervise all kinds of actions involving the use of personal data. Another problem that also arises related to the existence of all these institutions is the reality that each of these bodies acts only on sectoral issues contained in the relevant sectoral law, and is not supported by supervisory authority that crosses issue boundaries.

8 Pasquale Cantiello, Michele Mastroianni, and Massimiliano Rak, ‘A Conceptual Model for the General Data Protection Regulation’, in Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 2021, 12956 LNCS, 60–77 https://doi.org/10.1007/978-3-030-87010-2_5
9 Aysem Diker Vanberg, ‘Informational Privacy Post GDPR–End of the Road or the Start of a Long Journey?’, International Journal Human Rights, 52–78 https://doi.org/10.1080/13642987.
The absence of a mechanism like this will certainly cause problems in the future, if there is an intrusion on personal data. Furthermore, another weakness of the supervisory mechanism for personal data protection in Indonesia is that there is no uniformity in the mechanism for carrying out supervision between agencies.12 Observing the current situation of legal enforcement mechanisms, which are expected to provide guaranteed protection for personal data but tend to show deficiencies, the establishment of a personal data monitoring agency is an inevitable agenda in grounding personal data protection in a more concrete Indonesian legal framework. Thus, through a special agency that has the authority to supervise all forms of personal data, it is hoped that it will not only be able to overcome these gaps, but will be the first step for improving personal data protection mechanisms in the future.

The absence of a personal data supervisor in Indonesia is not the only problem that arises; the lack of the accountability principle has also become a major problem on the personal data Some problems in the implementation of the Accountability Principle arise in government programs related to digitalization, such as e-KTP to e-health14, to the widespread misuse of personal data of consumers of online application-based transportation 15 The limitations of existing regulations have implications for inadequate recovery for victims whose rights have been violated. This then became the basis for urging the implementation of the PDP Law with the hope that it can provide a sense of security in the use of personal data, especially digitally.

The key concept of personal data protection is accountability, which means that data processing is carried out in a manner that complies with the law if the data is processed lawfully, fairly and transparently with respect to the data subject.17 This means that all data controllers may only process data according to the purposes for which it was obtained and taking into account the rights of data subjects.18 The principle of accountability relates to the principle of responsibility of each party related to the processing of personal data. Therefore, the roles of each data processing party are regulated.19 Data processing parties must demonstrate compliance with PDP requirements; all parties must be proactive in processing data in accordance with the law, maintaining processed personal data, providing notifications regarding personal data leaks, and providing updates regarding data processing carried out to data subjects.20 All of the principles above aim to provide security for all data processing Data processing is a complicated process because it relates to a person's personal information; therefore PDP exists as a legal patronage that protects citizens' rights to be protected from data leaks in data processing.

Economic analysis of law looks at the efficiency aspect to minimize the costs of operating legal . that have been prepared so as not to cause high economic costs and 22 This article will discuss the relevance of using an economic approach to personal data protection practices. As a law regulating economic issues, the personal data protection law requires the help of other sciences outside the law to interpret the meaning of legal rules. Using the rule of reason principle in the PDP Law is a proof process that requires the help of non-legal factors such as economics. Personal data protection cases are among the legal cases that are complicated to handle compared to other legal cases, where analysis from an economic perspective is necessary to help when carrying out the evidentiary process for many instances. Because personal data is closely related to economic factors, as mentioned earlier, personal data is considered the new gold, a precious and costly commodity. Moreover, existing personal data can be used for data theft related to economic losses incurred or to win elections in Indonesia. So, related to personal data, many non-legal factors such as economics also influence legal development, mainly because personal data has very high economic value. Using Richard Posner's theory, the principles of economics are used in the use of law because they are a tool for analyzing and answering questions about the law. Furthermore, it is said that the economic approach to law is intended to concentrate on how economic thinking is related to the rule of law.

The Economic Analysis of Law theory developed by Richard Posner can be used as an analytical tool in data protection. It can also help in solving personal data protection Based on this reality, the legal issue related to the economic approach in personal data protection law is regarding the relevance of using an economic approach to personal data theft, especially concerning data theft, which has recently increased. According to Posner, the role of law must be seen in terms of value, utility, and efficiency. Posner defines efficiency as the allocation of resources where value is maximized. Next, Posner expressed his views on using economic theory in law by saying that many legal doctrines are best understood and explained as efforts to increase resource efficiency, a system for maximizing society's wealth. The use of resources (production factors) must be carried out rationally and efficiently. Resources are said to be used efficiently if all available resources are fully utilized, and the mode of use is such that there are no other modes of use that would increase the prosperity of society. To understand efficiency issues, two definitions of efficiency are usually used to assess the use of resources, namely productive efficiency and allocative efficiency. Economic analysis of law looks at the efficiency aspect in determining choices in human The concepts of choice and rationality result in people having to incur costs because they have to abandon one option to pursue another that they consider better.25

When compared to previous studies, this study displays a difference, in that this research only discusses the comparison of Data Protection Acts between Indonesia and Sweden on the scope of the Personal Data Protection Supervisory Agency. Based on the background above, the problem discussed in this study is what is a suitable model of personal data protection supervisory agency for Indonesia.

10 Januardo Sulung Partogi Sihombing and others, ‘The Regulation of Legal Protection for Poor Communities Toward Justice in Indonesia and the Netherlands’, Journal of Human Rights, Culture and Legal System, 4, 331–53 https://doi.org/10.53955/jhcls.
11 Shakila Bu-Pasha, ‘Cross-Border Issues under EU Data Protection Law with Regards to Personal Data Protection’, Information and Communications Technology Law, 26, 213–28 https://doi.org/10.1080/13600834.
12 Safira Widya Attidhira and Yana Sukma Permana, ‘Review Of Personal Data Protection Legal Regulations In Indonesia’, Awang Long Law Review, 5, 280–94 https://doi.org/10.56301/awl.
13 Alexander Wodi, ‘The EU General Data Protection Regulation (GDPR): Five Years After and the Future of Data Privacy Protection in Review’, SSRN Electronic Journal, 2023 https://doi.org/10.2139/ssrn.
14 Hendra Hendra and others, ‘E-Health Personal Data Protection In Indonesia’, Jurnal Hukum Kesehatan Indonesia, 1, 121–31 https://doi.org/10.53337/jhki.
15 Ewa Kulesza, ‘The Protection of Customer Personal Data as an Element of Entrepreneurs’ Ethical Conduct’, Annales. Etyka w Życiu Gospodarczym, 21, 27–44 https://doi.org/10.18778/18992226.
16 Claudia Quelle, ‘Enhancing Compliance under the General Data Protection Regulation: The Risky Upshot of the Accountability- and Risk-Based Approach’, European Journal of Risk Regulation, 9, 502–26 https://doi.org/10.1017/err.
17 Valentin Rupp and Max von Grafenstein, ‘Clarifying “Personal Data” and the Role of Anonymisation in Data Protection Law Including and Excluding Data from the Scope of the GDPR (More Clearly) through Refining the Concept of Data Protection’, Computer Law and Security Review, 52, 105932 https://doi.org/10.1016/j.
18 Alan Dahi and Marcelo Corrales Compagnucci, ‘Device Manufacturers as Controllers – Expanding the Concept of “Controllership” in the GDPR’, Computer Law & Security Review, 47, https://doi.org/10.1016/j.
19 Talita Maria Tsekoura and Fereniki Panagopoulou, ‘GDPR: A Critical Review of the Practical, Ethical and Constitutional Aspects One Year after It Entered into Force’, International Journal of Human Rights and Constitutional Studies, 7, 35 https://doi.org/10.1504/IJHRCS.
20 Yuliannova Lestari and M. Misbahul Mujib, ‘Optimizing Personal Data Protection Legal Framework in Indonesia (Comparative Law Study)’, Supremasi Hukum: Jurnal Kajian Ilmu Hukum, 11, 203 https://doi.org/10.14421/sh.
21 Blessing Mutiro, ‘The Future of EU Data Protection Law for Collectives: A Reverse Brussels Effect’, European Data Protection Law Review, 9, 409–17 https://doi.org/10.21552/edpl/2023/4/7
22 Andriyanto Adhi Nugroho, Atik Winanti, and Surahmad Surahmad, ‘Personal Data Protection in Indonesia: Legal Perspective’, International Journal of Multicultural and Multireligious Understanding, 7, 183 https://doi.org/10.18415/ijmmu.
23 Filippo Lorè and others, ‘An AI Framework to Support Decisions on GDPR Compliance’, Journal of Intelligent Information Systems, 61, 541–68 https://doi.org/10.1007/s10844-023-00782-4
24 Richard A Posner, ‘Law and Economics in Common-Law, Civil-Law, and Developing Nations’, Ratio Juris, 17, 66–79 https://doi.org/10.4013/rechtd.
25 Nahshon Perez, ‘Posner’s “Law and Economics” and Politics: Bringing State-Skepticism Back In’, Journal of Social Philosophy, 49, 589–609 https://doi.org/10.1111/josp.

Research Method

The research method in this research is qualitative legal research.26 This research is descriptive and aims to explain a legal event or legal condition.27 The legal materials used in this study were secondary data sources, emphasizing and adhering to the juridical aspects, comprising legal materials or primary legal materials which include Law No. 27 of 2022 concerning Personal Data Protection Act (PDPA) as well as the GDPR that applies in European Union countries including Sweden on May 25, 2018.28 This research examined law with the object of legal norms, and it studies legal aspects and legal comparisons.29 At this stage, the method of interpretation of the legal system is applied by investigating the similarities and differences in the legal system of rules related to personal data, thereby obtaining a form of personal data monitoring body that is compatible with the Indonesian legal state.

26 Kelik Wardiono and Wardah Yuspin, ‘The Sharia Microfinance and the Counter-Hegemonic Movement: Examining the Legal Norms Regulating Aspects of Institutional and Business Activities in Surakarta’, Humanities and Social Sciences Reviews, 7, 45–51 https://doi.org/10.18510/hssr.
27 Daniar Supriyadi, ‘The Regulation of Personal and Non-Personal Data in the Context of Big Data’, Journal of Human Rights, Culture and Legal System, 3, 33–69 https://doi.org/10.53955/jhcls.
28 Gregory Voss and Kimberly A. Houser, ‘Personal Data and the Gdpr: Providing a Competitive Advantage for U.S. Companies’, American Business Law Journal, 56, 287–344 https://doi.org/10.1111/ablj.
29 Vasyl Kopcha, ‘Methodology of Legal Phenomenon Research: Concept, Structure, Tools’, Law Review of Kyiv University of Law, 1, 2020, 54–58 https://doi.org/10.36695/2219-5521.

Results and Discussion

The Model of Regulations Supervisory Officer in Sweden

In 2016, the European Union, for instance, agreed on a package of regulations, the General Guidelines for General Data Protection Regulation, commonly called the GDPR. This success recompensed the pioneering initiative carried out for the past two decades. This instrument requires the treatment of limited data in the corridor of respecting privacy and the individual rights of the data owner (data subject), so that the information collected cannot be used for purposes other than the initial purpose that the user knows when registering for a digital service.31 In cross-border data transfer and placement, the GDPR stipulates that cross-border data transfer activities can only be carried out in limited countries with adequate standards. The European Union has the General Data Protection Regulation (GDPR), implementing personal data protection rules on 25 May 2018.33 The principle of transparency states that citizens can access, change, and delete their data from the company's customer data anytime. Companies are also asked to be transparent about why they collect data and how they will use it.35 The protection of personal data in the GDPR regarding race, ethnicity, politics, health, gender36, and sexuality applies.
Adequate privacy protection regarding personal data can create public trust to provide personal data for various interests of the greater community without being abused or violating their rights.38 Therefore, this law will balance the rights of individuals and communities whose interests are represented by the government.39 Regulations regarding PDP will contribute significantly to creating order and progress in the information society.

30 Chris Jay Hoofnagle, Bart van der Sloot, and Frederik Zuiderveen Borgesius, ‘The European Union General Data Protection Regulation: What It Is and What It Means’, Information and Communications Technology Law, 28, 65–98 https://doi.org/10.1080/13600834.
31 Nadezhda Purtova, ‘The Law of Everything. Broad Concept of Personal Data and Future of EU Data Protection Law’, Law, Innovation Technology, 40–81 https://doi.org/10.1080/17579961.
32 Silvio Simani, Saverio Farsoni, and Paolo Castaldi, ‘Supervisory Control and Data Acquisition for Fault Diagnosis of Wind Turbines via Deep Transfer Learning’, Energies, 16, 3644 https://doi.org/10.3390/en16093644
33 Dara Hallinan, ‘Broad Consent under the GDPR: An Optimistic Perspective on a Bright Future’, Life Sciences, Society and Policy, 16, 1–18 https://doi.org/10.1186/s40504-019-0096-3
34 Emre Bayamlıoğlu, ‘The Right to Contest Automated Decisions under the General Data Protection Regulation: Beyond the so-Called “Right to Explanation”’, Regulation and Governance, 16, 1058–78 https://doi.org/10.1111/rego.
35 Bart Custers and others, ‘A Comparison of Data Protection Legislation and Policies across the EU’, Computer Law and Security Review, 34, 234–43 https://doi.org/10.1016/j.
36 Zlatana Knezevic and others, ‘Gender-and Power Sensitivity, Securitisation and Social Peace: Rethinking Protection for Children Exposed to Post-Separation Violence’, Journal of Gender-Based Violence, 6, 99–114 https://doi.org/10.1332/239868021X16212648592069
37 Marvin van Bekkum and Frederik Zuiderveen Borgesius, ‘Using Sensitive Data to Prevent Discrimination by Artificial Intelligence: Does the GDPR Need a New Exception?’, Computer Law and Security Review, 48, 105770 https://doi.org/10.1016/j.
38 Brooke Willis, Tunmin Jai, and Mitzi Lauderdale, ‘Trust and Commitment: Effect of Applying Consumer Data Rights on U.S. Consumers’ Attitudes toward Online Retailers in Big Data Era’, Journal of Consumer Behaviour, 20, 1575–90 https://doi.org/10.1002/cb.

The implementation of the PDPA requires the presence of a special commission whose task is to ensure the implementation of the Law.41 The PDPA has not regulated the establishment of a specific committee to oversee personal data protection but to realize personal data protection for data subjects.42 The government assigns the Ministry of Communication and Information to handle data privacy issues.43 The data controller and data processor carry out processing and collecting data. In the GDPR, it is stated that Personal Data Controllers are every person, public agency, and international organization that acts individually or collectively in determining goals and exercising control over the processing of Personal Data. Article 1 . explains that a Personal Data Processor is any person, public agency, or international organization acting individually or collectively in processing Personal Data on behalf of a Personal Data Controller. Data Controllers and Processors include individuals, public agencies, and international organizations. In carrying out their duties, data controllers and data processors have obligations that should be fulfilled so that they are carried out according to the PDPA. The responsibilities of data controllers are contained in Articles 20 to 50 of the Law.
Meanwhile, the obligations of Data Processors are contained in Article 51 and Article 52. The establishment of an independent supervisory authority, for example, was emphasized by the European Union General Data Protection Regulation (EU GDPR)45 46/1995 and European Council Convention 108,46 almost 90% of European countries adhere to this model, including Sweden.47

To ensure security in data processing carried out by controllers and data processors, the GDPR has established an independent personal data protection supervisory agency consisting of the European Data Protection Board (EDPB) and Data Protection Authorities (DPA).48 This aligns with the primary objective of establishing the GDPR to protect personal data and respect the use of personal data principles responsibly and openly. The DPA is an independent government agency with the main task of overseeing personal data per what is contained in the GDPR. These institutions must be spread across every European Union country. The basis for establishing the DPA has been stated in Article 51 of the GDPR relating to personal data controllers, which states that each Member State shall provide one or more independent public authorities responsible for enforcing the standards of this Regulation to protect the fundamental rights and freedoms of individuals in regulating and facilitating the free flow of personal data within the Union. The existing personal data supervisory authority is an independent institution whose main task is to supervise the traffic and security of personal data. This institution is referred to as the DPA.

39 Francis Aldhouse, ‘A Reflection on the Priorities of a Data Protection Authority’, Computer Law and Security Review, 34, 816–23 https://doi.org/10.1016/j.
40 Panchapawn Chatsuwan and others, ‘Personal Data Protection Compliance Assessment: A Privacy Policy Scoring Approach and Empirical Evidence from Thailand’s SMEs’, Heliyon, 9, e20648 https://doi.org/10.1016/j.
41 Ali Alibeigi, Abu Bakar Munir, and Adeleh Asemi, ‘Compliance with Malaysian Personal Data Protection Act 2010 by Banking and Financial Institutions, a Legal Survey on Privacy Policies’, International Review of Law, Computers and Technology, 35, 365–94 https://doi.org/10.1080/13600869.
42 Hanne Sørum, Ragnhild Eg, and Wanda Presthus, ‘A Gender Perspective on GDPR and Information Privacy’, Procedia Computer Science, 196, 175–82 https://doi.org/10.1016/j.
43 Nur Fatimatuz Zuhroh and Tony Dwi Susanto, ‘Analysis of the Driving Factors for the Implementation of Personal Data Protection in Local Governments’, in AIP Conference Proceedings (American Institute of Physics Inc. , 2. MMCDLxII, 2021 https://doi.org/10.1063/5.
44 Livia Puljak, Anamarija Mladinić, and Zvonimir Koporc, ‘Workload and Procedures Used by European Data Protection Authorities Related to Personal Data Protection: A Cross-Sectional Study’, BMC Research Notes, 16, 1–7 https://doi.org/10.1186/s13104-023-06308-z
45 Katarzyna Kolasa and others, ‘Future of Data Analytics in the Era of the General Data Protection Regulation in Europe’, PharmacoEconomics, 38, 1021–29 https://doi.org/10.1007/s40273-02000927-1
46 Alessandro Mantelero, ‘The Future of Data Protection: Gold Standard vs. Global Standard’, Computer Law and Security Review, 40, 1–5 https://doi.org/10.1016/j.
47 Awatef Issaoui, Jenny Örtensjö, and M Sirajul Islam, ‘Exploring the General Data Protection Regulation (GDPR) Compliance in Cloud Services: Insights from Swedish Public Organizations on Privacy Compliance’, Future Business Journal, 9, https://doi.org/10.1186/s43093-023-00285-2
Referring to Article 52 GDPR, the personal data protection authority must at least meet the independence requirements, namely that each supervisory authority must act with complete independence in carrying out its duties and exercising its authority under the law. Apart from that, the personal data supervisory agency must have human resource independence, where the State must ensure that each Supervisory Authority selects its staff in accordance with the law or members of the supervisory authority concerned. Apart from that, financial independence is also something that must be fulfilled by personal data monitoring institutions.51 Here, financial control must not affect independence. Therefore, the state must ensure that the financial control to which each Supervisory Body is subject does not affect its independence, and that each body has its own public annual budget, which can be part of the state budget.

Article 52 of the GDPR explains that at least five categories of independent data protection authority bodies exist. This article can be adopted as a principle for establishing a personal data protection authority in Indonesia. In addition, a personal data protection authority formed in Indonesia can be granted the status of an auxiliary state organ.

The DPA's duties and powers have been stipulated in Article 57 of the GDPR. Some of the DPA's tasks include supervising and enforcing the GDPR, raising public awareness about the importance of maintaining the confidentiality of personal data, facilitating public and data controller consultations about the problems being experienced by parties who handle personal data conflicts, and continuing to innovate in developing networks for parties who have an essential role in personal data protection. In addition, the DPA also has the authority to demonstrate its position as an independent supervisory institution expressly.
This authority includes the power to carry out investigative and corrective activities and to impose sanctions or fines on data controllers and processors.

Rik Crutzen, Gjalt Jorn Ygram Peters, and Christopher Mondschein, ‘Why and How We Should Care about the General Data Protection Regulation’, Psychology and Health, 34, 1347–57 https://doi.org/10.1080/08870446.
Jukka Ruohonen and Kalle Hjerppe, ‘The GDPR Enforcement Fines at Glance’, Information Systems, 106, 101876 https://doi.org/10.1016/j.
Gybor Jynos Dudys, Andrys Gyyrgy Kovycs, and Myrton Schultz, ‘Personal Data as Consideration’, Santander Art Culture Law Review, 215–42 https://doi.org/10.4467/2450050XSNR.
Ari Wibowo, Widya Alawiyah, and Azriadi, ‘The Importance of Personal Data Protection in Indonesia’s Economic Development’, Cogent Social Sciences https://doi.org/10.1080/23311886.
Charles Raab and Ivan Szekely, ‘Data Protection Authorities and Information Technology’, Computer Law and Security Review, 33, 421–33 https://doi.org/10.1016/j.

Apart from the DPA, there is the European Data Protection Board (EDPB), a personal data protection supervisory body established to oversee the implementation of the GDPR at the European Union level. This supervisory body is composed of members from each national personal data monitoring agency (DPA). The EDPB has the competencies regulated in Article 56 of the GDPR.53 Apart from that, the EDPB also has quite crucial tasks. These tasks are: first, providing direction regarding the GDPR, which contains rules and recommendations, and building a uniform understanding of the GDPR; second, ensuring consistency in the implementation of GDPR rules in European Union member countries; third, ensuring that there is a cooperative relationship among DPA members in each European Union member country; fourth, publishing periodic guidelines on the main concepts and implementation of the GDPR; fifth, handling complaints regarding reports of GDPR violations and carrying out investigative activities related to said; sixth, providing facilities for data protection issues; and seventh, being the first party to turn to if there are questions related to data protection in each European Union country.

The EU GDPR explicitly mandates the establishment of an independent supervisory authority, as does the APEC Privacy Framework, which emphasizes the establishment of personal data protection enforcement agencies or institutions, with the model left to each country, whether in the form of Privacy Enforcement Authorities, multi-agency enforcement bodies, a network of designated industry bodies, courts and tribunals, or a combination of various models.56 An independent supervisory authority, also known as the DPA, is a public agency responsible for monitoring the application of regulations and protecting individuals' fundamental rights and freedoms concerning the processing of personal data.57 Article 4 of the EU GDPR states that supervisory authority means an independent public authority that a Member State establishes under Article 51.58 Although the EU GDPR requires establishing a supervisory authority, it does not explicitly mandate the adoption of a single supervisory authority model.

Gaurav Natarajan Ramani, ‘One Size Doesn’t Fit All: The General Data Protection Regulation Vis-à-Vis International Commercial Arbitration’, Arbitration International, 613–30 https://doi.org/10.1093/arbint/aiaa032
Md Zahurul Haq, ‘How Does the General Data Protection Regulation (GDPR) Affect Financial Intelligence Exchange with Third Countries?’, Journal of Money Laundering Control, 27, 158–70 https://doi.org/10.1108/JMLC-09-2022-0137
Ira S. Rubinstein and Nathaniel Good, ‘The Trouble with Article 25 (and How to Fix It): The Future of Data Protection by Design and Default’, International Data Privacy Law, 10, 37–56 https://doi.org/10.1093/idpl/ipz019
Bambang Sugeng Rukmono, Pujiyono Suwadi, and Muhammad Saiful Islam, ‘The Effectiveness of Recovering Losses on State Assets Policy in Dismissing Handling of Corruption’, Journal of Human Rights, Culture and Legal System, 4, 299–330 https://doi.org/10.53955/jhcls.
Tomy Pikulyk and Peter tarchoO, ‘Public Registers with Personal Data under Scrutiny of DPA Regulators’, Procedia Computer Science, 1170–79 https://doi.org/10.1016/j.
Frederik Zuiderveen Borgesius and others, ‘The GDPR’s Rules on Data Breaches: Analysing Their Rationales and Effects’, SCRIPTed: A Journal of Law, Technology & Society, 20, 352–82 https://doi.org/10.2218/scrip.
Nguyen Binh Truong and others, ‘GDPR-Compliant Personal Data Management: A Blockchain-Based Solution’, IEEE Transactions on Information Forensics and Security, 15, 1746–61 https://doi.org/10.1109/TIFS.

The EU GDPR allows countries to form a single supervisory authority or several.60 The EU GDPR emphasizes the independence of supervisory authorities so that these bodies can carry out their duties and exercise their powers in complete autonomy, which is a crucial component of protecting natural persons concerning the processing of their data.61 It is, therefore, mandatory for countries to designate one or more independent public authorities as supervisory authorities responsible for monitoring the application of data protection laws62, protecting the fundamental rights and freedoms of individuals in relation to processing, and facilitating cross-border data flows.63 Supervisory authorities must contribute to the consistent application of data protection regulations. If a country establishes several supervisory authorities at once, it must develop a legal mechanism to ensure the effective participation of those authorities in the consistency mechanism stipulated in the EU GDPR.65 The country should designate one supervisory authority as the sole point of contact for effective participation in the compliance mechanism, to ensure speedy and smooth cooperation with the other supervisory authorities, particularly the EU Council and EU Commission.66 The designated supervisory authority represents the Board and shall establish mechanisms to ensure compliance by other authorities with the rules relating to compliance mechanisms.

The personal data supervisor in Sweden has carried out its duties effectively.68 This is proven by the implementation of the principle of accountability in the supervision of personal data.69 In this case it can be said that each party in the processing of personal data is responsible for carrying out its respective functions to protect the personal rights of the data subject.70, 71

PaweC Hajduk, ‘The Powers of the Supervisory Body in the GDPR as a Basis for Shaping the Practices of Personal Data Processing’, Review of European and Comparative Law, 45, 57–75 https://doi.org/10.31743/recl.
Valery Stepenko and others, ‘EU Personal Data Protection Standards and Regulatory Framework’, Journal of Applied Security Research, 17, 190–207 https://doi.org/10.1080/19361610.
Christian Meurisch and Max Myhlhyuser, ‘Data Protection in AI Services’, ACM Computing Surveys, 2021, 1–38 https://doi.org/10.1145/3440754
Julian Wagner, ‘The Transfer of Personal Data to Third Countries under the GDPR: When Does a Recipient Country Provide an Adequate Level of Protection?’, International Data Privacy Law, 8, 318–37 https://doi.org/10.1093/idpl/ipy008
Apostolos Malatras and others, ‘Pan-European Personal Data Breaches: Mapping of Current Practices and Recommendations to Facilitate Cooperation among Data Protection Authorities’, Computer Law & Security Review, 33, 458–69 https://doi.org/10.1016/j.
FangBing Zhu and Zongyu Song, ‘Systematic Regulation of Personal Information Rights in the Era of Big Data’, SAGE Open, 12, 1–11 https://doi.org/10.1177/21582440211067529
Francesco Vigna, ‘Co-Regulation Approach for Governing Big Data: Thoughts on Data Protection Law’, ACM International Conference Proceeding Series, 59–63 https://doi.org/10.1145/3560107.
Heru Setiawan and others, ‘Digitalization of Legal Transformation on Judicial Review in the Constitutional Court’, Journal of Human Rights, Culture and Legal System, 4, 263–98 https://doi.org/10.53955/jhcls.
Eric Lachaud, ‘What GDPR Tells about Certification’, Computer Law and Security Review, 38, 105457 https://doi.org/10.1016/j.
Stephen Breen, Karim Ouazzane, and Preeti Patel, ‘GDPR: Is Your Consent Valid?’, Business Information Review, 37, 19–24 https://doi.org/10.1177/0266382120903254
Al Sentot Sudarwanto and Dona Budi Budi Kharisma, ‘Comparative Study of Personal Data Protection Regulations in Indonesia, Hong Kong and Malaysia’, Journal of Financial Crime, 29, 1443–57 https://doi.org/10.1108/JFC-09-2021-0193

This is supported by data on personal data theft in Sweden, which amounted to 3,500 throughout 2023. This figure shows a sharp decline in the number of data thefts from the previous year. It is much lower than in Indonesia, where the figure continued to rise until it reached almost 150 million cases throughout 2023. The typical penalties imposed for breaches of the Swedish Penal Code resulting in prosecution are a fine and compensation awarded to the victim.72 The amounts vary according to the degree of the crime and the income of the person responsible for the offense. In March 2022, an employee of the Swedish Police who had conducted several unauthorized searches of the Police Data Registry was sentenced to pay a fine of SEK 22,5000 . EUR 2,. and fees to the Victims of Crime Fund (Sw. Brottsofferfonde.

The Model of Regulations Supervisory Officer in Indonesia

In the context of the global economy, personal data protection has become an important instrument for conducting international trade. This guarantee of protection is a necessity for international economic cooperation partners, such as the Organization for Economic Cooperation and Development (OECD)73 and Asia-Pacific Economic Cooperation (APEC), which have formed special instruments to protect personal data in international transactions.74 Indonesia, as a strategic country in international trade, aims to have adequate personal data protection regulations in place with international Even though Indonesia already has personal data protection regulations, when compared with other countries, especially those in Southeast Asia that are part of ASEAN, Indonesia is lagging behind in preparing data privacy As human activities become more digitally connected, personal data intrusions become increasingly frequent.
This is coupled with the fact that the majority of Indonesian people feel that personal data is not something that must be protected, so they readily share their personal data without realizing the importance of protecting it. Reports of personal data leaks in Indonesia continue to increase; in 2023 alone there was an increase of 50 million cases of personal data theft over the previous year. This condition makes the accountability of the existing personal data protection law questionable, because reports of data theft have increased in number since the law was enacted. The principle of accountability is mentioned in the PDP Law and is the basis for its pattern of accountability.76 It is stated that the principle of accountability means that all parties involved in processing and monitoring personal data act responsibly so as to guarantee a balance of rights and obligations of the parties involved, including the personal data subject.

Ester Herlin-Karnell, ‘EU Data Protection Rules and the Lack of Compliance in Sweden’, Nordic Journal of European Law, 3, 95–103 https://doi.org/10.36969/njel.
Chlotia Garrison and Clovia Hamilton, ‘A Comparative Analysis of the EU GDPR to the US’s Breach Notifications’, Information and Communications Technology Law, 28, 99–114 https://doi.org/10.1080/13600834.
Ran Zhuo and others, ‘The Impact of the General Data Protection Regulation on Internet Interconnection’, Telecommunications Policy, 45 https://doi.org/10.1016/j.
Mark Phillips, ‘International Data-Sharing Norms: From the OECD to the General Data Protection Regulation (GDPR)’, Human Genetics, 137, 575–82 https://doi.org/10.1007/s00439-018-1919-7
Vina Himmatus Sholikhah, Noering Ratu Fatheha Fauziah Sejati, and Diyanah Shabitah, ‘Personal Data Protection Authority: Comparative Study between Indonesia, United Kingdom, and Malaysia’, Indonesian Scholars Scientific Summit Taiwan Proceeding, 3, 54–63 https://doi.org/10.52162/3.
Rina Shahriyani Shahrullah, Jihyun Park, and Irwansyah Irwansyah, ‘Examining Personal Data Protection Law of Indonesia and South Korea: The Privacy Rights Fulfilment’, Hasanuddin Law Review, 10, 1–20 https://doi.org/10.20956/halrev.

However, the sharp increase in personal data theft evidently means that the principle of accountability is not appropriately implemented: there have been massive leaks of personal data in several areas, such as data controllers, personal data holders and personal data users.77 The authority to access personal data is exercised in various fields, from human rights, telecommunications media, defense and security, justice, health, population, and trade and industry to the economy, including banking.78 This diversity has many implications. In an effort to realize personal data protection, the establishment of an independent supervisory institution is inevitable. Independence in this context must also be understood as being free from all kinds of government interference. Practices in the world even show the importance of monitoring personal data through independent Regulations that regulate its protective mechanisms. The spread of regulations has resulted in overlapping mechanisms and authorities in protecting personal data. Furthermore, another weakness of the supervisory mechanism for personal data protection in Indonesia is the lack of uniformity in how these agencies carry out supervision, which makes efforts to protect personal data uneven across all sectors of life.
The existing legal enforcement mechanisms that are expected to guarantee protection for personal data tend to show shortcomings. Therefore, the establishment of a personal data supervisor is an inevitable agenda item in grounding personal data protection in a more concrete Indonesian legal framework.82 Thus, it is hoped that a special agency with the authority to supervise all forms of personal data will not only overcome these gaps but also be the first step toward improving personal data protection mechanisms in the future.83 As for the supervisor model, the most suitable form of supervisory agency for Indonesia is a personal data supervisory agency with a single authority model.84 With a single authority, the agency's duties do not overlap with those of others, and the conflict between supervisory bodies that would be expected if the other model were adopted is avoided. Apart from that, the single authority model is an independent commission that reports to and is directly responsible to the president, in order to reduce red tape and make its duties more effective.85 With a centralized personal data supervisor, personal data traffic can be monitored properly. In addition, with this agency in place, it is hoped that personal data controllers can be held fully responsible for all uses of personal data that are against the law.

Leanne Cochrane, Lina Jasmontaite-Zaniewicz, and David Barnard-Wills, ‘Data Protection Authorities and Their Awareness-Raising Duties under the GDPR: The Case for Engaging Umbrella Organisations to Disseminate Guidance for Small and Medium-Size Enterprises’, European Data Protection Law Review, 6, 352–64 https://doi.org/10.21552/edpl/2020/3/6
Rina Arum Prastyanti and Ridhima Sharma, ‘Establishing Consumer Trust Through Data Protection Law as a Competitive Advantage in Indonesia and India’, Journal of Human Rights, Culture and Legal System, 2, 354–90 https://doi.org/10.53955/jhcls.
Aqil Athalla Reksoprodjo, Muhammad Dachyar, and Novandra Rhezza Pratama, ‘A Decision-Making Model for Selecting Personal Data Protection Frameworks for Companies in Indonesia’, Journal of System and Management Sciences, 14, 156–71 https://doi.org/10.33168/JSMS.
Raditya Andhikaputra and others, ‘User’s Awareness of Personal Data Leakage in E-Commerce Application’, in E3S Web of Conferences, 2023, CDXXVI https://doi.org/10.1051/e3sconf/202342602063
Sidik Prabowo and others, ‘A Data Protection Design for Online Exam Proctoring in Compliance with the Indonesian Personal Data Protection Law’, in Lecture Notes in Networks and Systems (Springer Science and Business Media Deutschland GmbH, 2. , 824 LNNS, 523–35 https://doi.org/10.1007/978-3-031-477157_36
Muhammad Faqih Adhiwisaksana and Tiurma M. Pitta Allagan, ‘The Competent Forum and the Applicable Law in Personal Data Protection With Foreign Element’, Indonesian Journal of International Law, 20, 442–70 https://doi.org/10.17304/ijil.
Muhammad Deckri Algamar and Noriswadi Ismail, ‘Data Subject Access Request: What Indonesia Can Learn and Operationalise in 2024?’, Journal of Central Banking Law and Institutions, 2, 481–512 https://doi.org/10.21098/jcli.
Yulia Neta, Agsel Awanisa, and Melisa Melisa, ‘The Urgency of Independent Supervisory Authority Towards Indonesia’s Personal Data Protection’, Constitutionale, 21–42 https://doi.org/10.25041/constitutionale.
Conclusion

The supervisory agency for protecting personal data has been regulated in the PDP law; however, there has yet to be an official establishment by the government regarding this Initially, this agency was to be formed soon through a presidential regulation that had yet to be arranged. Indonesia's ideal personal data supervisory agency can be identified by making various comparisons with personal data supervisory agencies from other countries. The most probable model is a single authority agency, in which there is only one supervisor, which is thus more effective in carrying out its duties and authorities. Concerning the institutional structure, this agency should be formed as a direct independent commission under the In terms of reporting and accountability, it can be performed faster. The independence of this supervisory body needs to be used as a reference so that the goal of creating personal data security in Indonesia can be achieved.

References