Law And Personal Data: Offering Strategies For Consumer Protection In New Normal Situation In Indonesia

Purpose of the study: The benefits of the internet during a pandemic bring opportunities for cybercrimes, such as online data theft and leakage of consumers’ personal data. For this reason, the objectives of this study are 1) to determine the phenomenon of misuse of consumer’s personal data amidst COVID-after19 in Indonesia and 2) to describe strategies in preparing consumer personal data protection as the key to the success of the new normal in Indonesia. Methodology: This study used non-doctrinal research. To describe the phenomenon of misuse of consumers’ personal data amidst COVID-19 in Indonesia, the data were collected by distributing questionnaires to internet users in Indonesia and applying qualitative methods employing survey data collection techniques with stratified multi-stage random sampling technique. Results: It was found that the consumers’ personal data in Indonesia is still unprotected, so the conception adopted by the European Union and the OECD can be used as a reference for Indonesia in making a Law on Personal Data Protection. Applications of this study: To raise the people's awareness in protecting online personal data and encourage the government to educate society on cyber security through the National Cyber and Crypto Agency Novelty/ Originality of this study: This paper analyzes the protection strategy of e-commerce consumers during the new normal situation in Indonesia. The originality is that it discusses amidst Covid 19 cyber security.


INTRODUCTION
COVID-19 pandemic has affected the world in many ways. From an economic point of view, there have been dramatic changes in consumer behavior. Although many businesses have experienced an unprofitable decline, online shopping has increased significantly in the United States, with a 91% increase (Krishnan, 2020). %) and Italy (31%) (Clapp, 2020); this is good news for e-commerce. The internet development in countries such as the United States, Britain, Germany, and the Netherlands has also made the internet a favorite marketing medium or channel (Nasution et al., 2018). In other words, the internet provides benefits during a pandemic. Besides, for academic purposes, the utilization of social media applications, such as Google meet and zoom, is beneficial, in which teachers can carry out online lectures and be supported by e-books. During times of pandemics, the government has also stipulated that the work of every employee from the public and private sectors be done at home. In this case, the internet makes work easier in many aspects (Vishwambar, 2020).
Specifically, the behavior of consumers or the community has adjusted the conditions to overcome a pandemic and survive during a pandemic (Sivarasa, 2014). People are no longer fixated on brands but are more focused on obtaining goods online. This condition brings opportunities for cybercrime. Criminal is directly related to using computers, illegal prohibitions against other people's computer systems or databases, manipulation or theft of data stored online, or sabotaging equipment and data, known as cybercrime (Lubis, 2016). At least three dangers arise from the use of the internet regarding data storage, among others, an increase in the quantity of data that is not matched by an increase in data storage capacity, which results in a lack of accuracy when classifying data. Secondly, this interconnected electronic data means that many people can have access to some information and then use it for their own purposes. In the end, there will be very little control over who the data users are.
Third, there is technocratic behavior that uses databases for the purpose of social control, such as taking medical databases to regulate people's behavior (Gellert, 2015). Therefore, the urgency of this research is the emergence of a problem amid government policies to protect the public from the COVID-19 pandemic with increased use of the internet, threatening personal data protection in several sectors, including: a.
Health sector Singapore currently has an application called "TraceTogether" to monitor patients infected with COVID-19. Indonesia has also started using a similar application called "Peduli Lindungi". The government assures that the application's confidentiality is guaranteed as mandated in Government Regulation Number 71/2019 concerning Electronic Systems and Transactions, stating that the government is obliged to destroy application user data during the pandemic. The government also guarantees that the data will not be accessible to third parties.
However, a phenomenon of cases in a 31-year-old woman and her 64-year-old mother from

RESEARCH METHOD
This study used non-doctrinal research. The non-doctrinal approach allows the researchers to analyze the law from other scientific disciplines' perspectives and employ those disciplines in drafting the law (Salim, 2017). It has grown in design and significance over the years (Creswell, 2003;Tashakkori & Teddlie, 1998, 2003. In this study, to describe the misuse of consumers' personal data amidst COVID-19 in Indonesia, the data were collected from distributing questionnaires to internet users in Indonesia and qualitative methods using survey data collection techniques with stratified multi-stage random sampling technique. The population of this survey was Indonesian citizens in nine major cities. The number of samples in this survey was 400 respondents with a margin of error of +/-4.9% at a 95% level of confidence. Concerning stratification, the voter population was grouped by regency/city. Furthermore, the samples were selected in stages in each stratum (district/city). In stage 1, the primary sampling unit (PSU) in this survey was randomly selected at the proportionate village/kelurahan level in each regency/city. In stage 2, from each selected village/kelurahan, the existing RT (Neighborhood Association) population was registered to be randomly selected. Survey data collection (determination of respondents and interviews in the field) was carried out on November 1-9, 2020. Data sources used were primary data sources and secondary data sources. The data validity employed triangulation, and the data analysis technique utilized qualitative data analysis.

Protection of Consumer's Personal Data in Indonesia
As a strategic country in international trade, Indonesia has pretensions to have adequate personal data protection regulations following international standards. However, despite being part of APEC, to date, Indonesia has never had any special rules regarding personal data protection. In fact, Article 28 of the 1945 Constitution of the Republic of Indonesia concerns the development of personal rights, family, honor, dignity, and property.
To see these provisions as provisions regarding privacy and personal data, privacy is the right to enjoy life and respect feelings and thoughts. It corroborates Warren and Brandeis's opinion in the book "The Right to Privacy" (Greneaf, 2014).
Privacy protection is closely related to fulfilling personal data rights. The relationship regarding privacy and personal data protection is emphasized by Westin, defining privacy as the right of an individual, group, or institution to determine whether information about them will be communicated to other parties. The definition put forward by Westin is called information privacy since it involves personal information.
Privacy protection is part of personal data protection directly mandated by the  phishing attempts. The next position was Singapore (30.21%), Malaysia (15.16%), the JURNAL JURISPRUDENCE Vol. 11, No. 1, 2021, pp.82-99 p-ISSN: 1829e-ISSN: 2549-5615 Website: http://journals.ums.ac.id/index.php/jurisprudence 88 Philippines (13.23%), and Thailand (7.41%). The report said the most popular phishing targets were financial institutions, email services and internet service providers. Compared with other countries, especially in Southeast Asia, which are members of ASEAN, Indonesia is the country most left behind in preparing privacy data protection tools for its citizens, both in terms of time and variations in protection. Thus, this research was conducted using two indicators to see consumer data security on the internet (CISSREC, 2017). The first indicator is consumer satisfaction with security privacy on the internet, and the second is consumer awareness of information security.
a. Consumer Satisfaction with Security Privacy on the Internet 1). Have you ever posted your personal photos on social media? 62% of respondents answered that they had uploaded personal and family photos on social media. 31% answered that they uploaded personal photos, 14% answered that they had uploaded family photos, while 8% answered that they never uploaded personal photos on social media.
2). What kind of data is posted on the internet? Have you ever posted your personal photos on social media ? 3). Are you aware that entering personal data online will have the potential to interfere with your privacy? Figure 4. The respondents' awareness on entering personal data online 74% of respondents stated that they understood and were aware that entering personal data into online applications or services has the potential to interfere with privacy. 13% said it was OK, while the remaining 13% said they did not know. Are you aware that entering personal data online will have the potential to interfere with your privacy? 4). Did you read the user's privacy policy in every online service? Figure 5. Whether respondents have read the user's privacy policy 45% of respondents answered that they only occasionally read the privacy policies of users of each online service. Only 30% of the respondents answered that they read carefully.
20% answered that they never read at all. Meanwhile, 5% answered that they did not know.

5).
Do you know about personal data protection regulations? Figure 6. Whether respondents know about personal data protection regulations 85% of respondents answered that they did not know about personal data protection regulations. Only 15% of respondents answered that they knew the regulations to regulate personal data protection. Do you know about Personal Data Protection regulations?
Based on the above data exposure, it can be seen that internet service users' concerns about the insecurity of SMS/internet banking in Indonesia were not followed by awareness to explore further the regulations governing personal data protection. Entering personal data into applications or online applications should be done with awareness and understanding of the risks. In this study, understanding the risks was not followed by understanding the user's privacy policy in each online service used.
b. Consumer Awareness on Information Security 1). How often do you change the online application password?

Figure 7. The frequency in changing passwords
Respondents who changed the passwords for applications or online services used were 58%. 7% of them answered that they changed them every three months, 5% answered that they changed them every month, and 12% answered that they changed them every six months. Then, 47% of respondents used the same password for every application or online service, while 53% answered that they did not use the same password for every application.
2). Are you sure about the security of e-commerce in Indonesia today?  Are you sure about the security of ecommerce in Indonesia today?
Based on the above research results, it can be seen that awareness of the importance of privacy was not followed by an awareness of maintaining privacy in online applications or services (data backup or changing passwords periodically). Awareness of the importance of privacy was also not accompanied by a desire to know the regulations governing personal data. In addition, the security of SMS/internet banking or e-commerce in Indonesia was not accompanied by efforts to avoid misuse of personal data. This lack of awareness to protect privacy occurred since users had not experienced the abuse of personal data in online applications or services.

Comparison of Consumer Personal Data Protection in Indonesia and Other Countries
The The United States, Canada, and Australia use the term personally identifiable information (PII), while countries in Europe and Indonesia (Article 26 paragraph (1) of the ITE Law) use the term personal data. Furthermore, it is not only the use of the term that is different; the interpretation of the terminology of personal data also contradicts the legal JURNAL JURISPRUDENCE Vol. 11, No. 1, 2021, pp.82-99 p-ISSN: 1829e-ISSN: 2549-5615 Website: http://journals.ums.ac.id/index.php/jurisprudence 94 system in the United States and Europe. They do not have specific instruments that rigidly interpret the meaning of personal data, but they provide three opportunities for an approach to describe the term: by using a tautological approach, a non-public approach and a specific type of approach) (Schwartz and Solove, 2011). Meanwhile, the European region already has a legal rumen called the Convention for the Protection of Individuals concerning Automatic Processing of Personal Data 1981 (Convention 108) (Djafar, 2019) and Directive 95/46/EC or known as the European Union Data Protection Directive 1995 (DP Directive) (Djafar, 2019), which point of Article 2 letter (a) of these two instruments describes personal data as "information relating to an identified or identifiable one."

Discussion
On the one hand, the internet has provided many benefits that increase development and information opportunities. On the other hand, it also provides new vulnerabilities for interventions in privacy. Circulation data in a digital format that no longer recognizes spatial and territorial boundaries makes it easier for a person's personal data to be exposed or transferred arbitrarily without the control of the data owner. Several cases related to the leakage of someone's personal data are rife.
For example, there is rampant product promotion, ranging from property, insurance, loan facilities, and credit cards. There are also many cases of violation of privacy, especially personal data, leading to fraud, even though consumers have never submitted their personal data to the product's producer concerned. The unclear nature of the perpetrator of the leakage or sale of personal data and the unclear legal mechanism provided by the law makes it difficult to complain about the losses suffered. Therefore, the discourse on strengthening personal data protection, including its mechanisms, is crucial to implement. However, even though the intrusion of personal data has become an actual and real problem, privacy violations have not yet become a popular issue among Indonesians. Even though as one of the countries with the largest active internet users globally, the Indonesian community should be encouraged to have more awareness of their privacy rights. The fact is that the majority of the public in Indonesia has not made personal data part of the property and human rights that must be protected, so it is often found that someone unconsciously indulges his privacy, including personal data about himself.
Moreover, data protection implies that individuals have the right to determine whether they will share or exchange their personal data. In addition, individuals have the right to determine the conditions for implementing the data transfer. It is vital that cases of violations of the right to privacy, especially personal data, are very frequent. In his report, the United Nations (UN) Special Rapporteur on the Promotion and Protection of the Right to Freedom of Opinion and Expression, Frank La Rue, emphasized the need for states to have laws that clearly describe the limitation of the right to privacy of individuals in certain situations.
The rules regarding this matter must be based on a special decision made by the state in accordance with the law. The increasing penetration of internet users in Indonesia, including the increasingly varied use of this technology in the development of electronic systems in the context of trade, banking, and public services such as health, makes the existence of personal data protection laws is increasingly important. Of course, understanding personal data protection is inseparable from the meaning of "data," which can be classified as "personal data," and what forms of protection can be given to the personal data concerned. Literally, data is the plural form of the word "datum," which means a piece of information in Latin or, in other words, data can be understood as a collection of datums that give birth to information.
Data must also contain a group of facts in the form of symbols [such as alphabets, numbers, images, or other special symbols] that represent ideas, objects, conditions, or situations, which can be compiled to be processed in the form of data structures, file structures, and databases.
Along with the development of data collection methods, various data type variables, among other things, are primary-secondary data, qualitative-quantitative data, and personal data emerged automatically. Especially in the context of personal data, nowadays, every country worldwide uses different terms between "personal information" and "personal data". However, substantively, the two terms have almost the same meaning, so the two terms are often used interchangeably. The United States, Canada, and Australia use the term personally identifiable information (PII) (Rosadi, 2009), while countries in Europe and Indonesia use the term personal data. Thus, for the purposes of this paper, the authors refer to the term personal data.
Furthermore, it is not only the use of different terms (OECD Guideline 1980). Based on the above research results, the personal data of consumers in Indonesia is still not protected so that, in line with the OECD's interpretation that sees personal data as identified or identifiable information regarding a person's personal, the conception of personal data adopted by the European Union and the OECD can be used a reference for Indonesia in drafting the Law on Personal Data Protection. Indonesia also can refer to the concept of personal data as outlined JURNAL JURISPRUDENCE Vol. 11, No. 1, 2021, pp.82-99 p-ISSN: 1829e-ISSN: 2549-5615 Website: http://journals.ums.ac.id/index.php/jurisprudence 96 in Article 1 paragraph (1) of the following Draft Law on Personal Data Protection, stating that "personal data is any data that is identified and/or identifiable, either directly or indirectly via electronic or non-electronic." Although referring to the two instruments mentioned above, in fact, the content related to the conception of personal data in the Draft Law on Personal Data Protection is different from one another. In the Draft Law on Personal Data Protection, added values are not found in legal instruments in the European Union and OECD.
The provisions of the Draft Law on Personal Data Protection expressly contain a clause "either directly or indirectly" and provide a limit on personal data whether formed "through electronic or non-electronic [means]." A comprehensive understanding of this added value is absolutely necessary so that the meaning of personal data is not obscure. Apart from the Draft Law on Personal Data Protection, the conception of personal data is interpreted differently by Article 1 paragraph (27) of Government Regulation Number 82 of 2012 concerning Implementation of Electronic Systems and Transactions (PP PSTE). The regulation defines data as certain individual data stored, maintained, and kept and its confidentiality protected. In terms of personal data protection, at least two methods are known to protect personal data, namely, first by physically safeguarding the personal data itself. In addition, the second method that can be taken to protect personal data is through the regulatory side, which aims to guarantee privacy against the use of personal data.
Regarding the second method, history has recorded that personal data protection or known as "data protection," was first used in laws in several countries in mainland Europe, namely Germany, Sweden, and France, in the 1970s. The personal data protection in several countries is entirely based on the urge to guarantee the right to privacy of each individual against such data, in line with the development of information and communication technology, and then the scope of its regulation extends to the public administration aspects.

CONCLUSION
In this study, concerns of internet service users about the insecurity of SMS/internet banking in Indonesia were not followed by awareness to explore further the regulations governing personal data protection. Entering personal data into applications or online applications should be done with awareness and understanding of the risks. However, understanding the risks was not followed by understanding the user's privacy policy in every online service used. Awareness of the importance of privacy was also not followed by an awareness of maintaining privacy in online applications or services (backup data or changing passwords regularly). Besides, awareness of the importance of privacy was not accompanied by a desire to know the regulations governing personal data. The security of SMS/internet banking or e-commerce in Indonesia was also not accompanied by efforts to avoid misuse of personal data. This lack of awareness to protect privacy occurred since users had not experienced the abuse of personal data on online applications or services. In other words, consumers' personal data in Indonesia is still unprotected. Therefore, in line with the OECD's interpretation of seeing personal data as identified or identifiable information regarding a person's personal details, the conception of personal data adopted by the European Union and OECD can be used as a reference for Indonesia in making the draft Law on Protection of Personal Data. Through the National Cyber and Crypto Agency, the government is obliged to encourage cyber security education in the community. It is because, in big cities, awareness of cybersecurity risks exists but has not been followed by preventive steps by the community itself. Through the National Cyber and Crypto Agency, the government must also standardize cybersecurity, especially for state institutions, banking, and other strategic sectors in the country, to ensure security for the public. Concerning this, there needs to be a cultural approach by including cybersecurity education early.