UNAIR NEWS The recent exposure of a syndicate in Surabaya揝idoarjo that sold personal data for online gambling transactions involving billions of rupiah has once again raised alarms over Indonesia檚 cybersecurity. The case highlights not only data breaches but also the weak enforcement of the Personal Data Protection Law (PDP Law).
Dr. Faizal Kurniawan, S.H., M.H., LL.M., a law lecturer at , said the main problem lies in the gap between legal provisions and on-the-ground practices. Although Article 20 of the PDP Law requires data controllers to protect information from misuse and illegal access, weak oversight continues to allow such crimes to thrive.
淭he law clearly guarantees every person the right to data protection. Yet sensitive information, including banking customers records, is still being sold to fuel digital crimes such as online gambling, he said.
Law enforcement still reactive
Kurniawan noted that enforcement of personal data violations remains reactive. Authorities typically act only after major cases surface, rather than taking preventive measures.
淎rticle 67 of the PDP Law provides for up to five years in prison and fines of up to Rp5 billion. But in practice攍ike in the Cambridge Analytica case攍egal sanctions often come too late, after the social damage has already occurred, he explained.
He added that cases involving cross-border networks, such as online gambling syndicates, make prosecution even more difficult. Without strong international cooperation, such groups will continue exploiting legal loopholes.
Strengthening digital safeguards
On the security front, Kurniawan stressed the need to apply the principle of privacy by design outlined in Article 20 of the PDP Law. Banks and digital platforms, he said, must strengthen safeguards with encryption, multi-factor authentication, access controls, internal audits, and incident response plans.
淚n the event of a breach, data controllers are required to notify owners within 72 hours. This is the minimum step needed so victims can act quickly, he said.
Role of individuals and public awareness
Kurniawan added that individuals must also take responsibility for protecting their personal data. Avoiding phishing scams, withholding OTPs, and securing PINs are basic but essential steps.
淭he PDP Law allows people to request copies of their personal data. Citizens should not remain passive攖hey have the right to demand transparency from institutions managing their data, he said.
He stressed that public education must be strengthened so people understand their rights and responsibilities in the digital age.
Long-term strategic steps
As a long-term strategy, Kurniawan recommended accelerating the creation of an independent supervisory authority, setting minimum technical standards, and enhancing public literacy as well as forensic capacity.
淲ithout strong regulation and public awareness, similar cases will keep repeating, he concluded.
Author: Rosali Elvira Nurdiansyarani
Editor: Khefti Al Mawalia
