Muhammad Rusli Arafat1, Hevi Dwi Oktaviani2
1,2Universitas Singaperbangsa Karawang
e-mail: [email protected] (corresponding author)
Article Info Article of OSC 2022
Article history: Abstract
The issue of personal data protection in Indonesia is currently a problem that requires special arrangements. During the Covid-19 pandemic, the cyber police recorded 182 cases of data theft reported by the public. This figure increased by 27.3% compared to the previous year which was 143 reports. There is no comprehensive regulation that guarantees cyber security in Indonesia, causing many cases of personal data theft. The government through the Personal Data Protection Bill (RUU PDP) seeks to ensure cyber security, especially for personal data that must be protected, one of the efforts to protect personal data is to provide criminal threats to every person and corporation that violates the protection of personal data. This study aims to analyze how the criminal threats in the PDP Bill as a means of preventing and eradicating criminal acts against the protection of personal data. The problems in this study will be analyzed using the theory of criminal law. To obtain comprehensive results, this research uses a normative juridical method with a statute approach, the data being collected through literature and document studies. Brief results of research findings in the form of criminal provisions are contained in CHAPTER XIII articles 61 to 69. It contains criminal threats for individuals (Natural Persons) and corporations (Legal Persons). There is an additional crime in the form of confiscation of profits and/or assets obtained or the result of a crime and payment of compensation, the criminal threat deviates from the provisions of Article 10 of the Indonesian Criminal Code.
Keywords: Cybercrime, Deep Web, Data Protection Received May 17th, 2022
Accepted June 05th, 2022 Published Nov 17th, 2022
Copyright © 2022
OSC 2022 - FHISIP Universitas Terbuka, Indonesia
The 4th Open Society Conference
INTRODUCTION
The development of information and communication technology changes people's behavior globally and causes the world to become borderless, the social changes that occur change significantly and take place so quickly. The use of computer technology that continues to evolve has led to a process of convergence between information technology, media, and communication to eventually produce a new facility known as the internet, as well as being the beginning of the birth of civilization in cyberspace. The internet has created a world of computer-based communication that offers a new virtual reality (indirect and unreal) making all areas of people's lives inseparable from the existence of the internet. Through the world of the internet or what is often referred to as cyberspace, all forms of community creative activities can be carried out in a borderless manner that can penetrate various national borders in the world. The development of information technology is not only able to create a global world but has also developed a new living space for the community, namely the life of virtual communities (cyber communities).
With the existence of internet technology, people can feel the benefits both in the economic, educational, social, and other fields. The utilization of the Internet affects the development of science and science which can be easily accessed. Thus so much information can be received quickly. Access to information that can be obtained easily has a positive or negative impact. The positive side of the rapid development of information and communication technology is that the management of large amounts of data can be managed properly, quickly, effectively, and efficiently and minimize errors. The negative side of the development of technology and information can harm the community, such as data misuse, theft of personal data, sales of personal data, fraud, and others.
The Covid-19 pandemic situation that hit Indonesia added to the negative side of the development of information and communication technology. From the beginning of the pandemic until now it is known that there are various modes of crime that often occur in the community. Not only conventional crimes such as theft, fraud, and robbery, what is happening is even cybercrime (cybercrime) has also become a type of crime that has increased quite high, with very diverse modes, such as data theft, and account burglary, or carding.
Based on data from the Indonesian National Police, in 2020, there were at least 937 reported cases. Of the 937 cases, there were three cases with the highest number, namely cases of provocative, hate content and hate speech, which was reported the most, around 473 cases.
Then followed by online fraud with 259 cases and pornographic content with 82 cases. For cases of data theft during the Covid-19 Pandemic, the cyber police recorded 182 cases of data theft reported by the public. This figure increased by 27.3% compared to the previous year which was 143 reports. With so many cases of data theft as described previously, there needs to be government efforts to prevent and overcome these crimes.
Cyber security arrangements in Indonesia are contained in the Information and Electronic Transactions (ITE) Law Number 11 of 2008 as amended through the ITE Law Number 19 of 2016. This law includes rules for several violations, such as distributing illegal content, data protection violations, unauthorized access to computer systems to obtain information, and an illegal and unauthorized expropriation or eavesdropping on other computer or electronic systems. To minimize and overcome cyber threats, it is necessary to strengthen cyber security, where the level of urgency of cyber security is directly proportional to the level of dependence on utilization in cyberspace. There is no comprehensive regulation that guarantees cyber security in Indonesia, causing many cases of personal data theft. The government through the Personal Data Protection Bill (RUU PDP) seeks to ensure cyber security, especially for personal data that must be protected.
45 OSC 2022 Theme 1: Cyber Security Challenges In Law Perspective ISBN: 978-602-392-329-8 e-ISBN: 978-602-392-330-4
The 4th Open Society Conference
The Personal Data Protection Bill regulates the threat of criminal penalties for any person or corporation that violates the provisions as stipulated in Article 61 to Article 66 of the PDP Bill. Punishment certainly has several purposes, including giving retaliation to the perpetrators of crimes, providing a deterrent effect, and preventing the occurrence of criminal acts.
Legislative policy formulation/policy can be interpreted as a policy to formulate Positive Law to be better and also to provide guidance not only to legislators but also to courts that apply the law and also to the organizers or implementers of court decisions.
The formulation policy/legislative policy in determining the punishment system is a policy process that goes through several stages. First, the stage of determining the criminal by making laws; Second, the stage of giving the punishment by the authorized body; and third, the stage of implementing the crime by the competent implementing agency (muladi and Arif, 2010).
The sub-system of the criminal system occupies a strategic position in the regulation of the threat of punishment or the criminal system. The criminal system is a field in criminal politics.
Criminal Politics is a rational effort by society to tackle crime. In this study, the author focuses on research at the stage of determining the crime by the legislators.
This research will explain the basic issues regarding the criminal plan for perpetrators who commit criminal acts as regulated in the PDP Bill which will be enacted to protect personal data in Indonesia. This criminal plan is a basic problem because it is motivated by the many cases of personal data theft and is an effort by the government to provide cyber security guarantees in Indonesia. The challenge of cyber security assurance, especially in protecting personal data in the digital era as it is now, is a serious problem faced by the government and must immediately be taken seriously and create the expected cyber security. The sentencing plan in the PDP Bill will be the subject of discussion in this research so that it will be understood the extent to which the goal of protecting personal data through the PDP Bill is by looking at the criminal threats in the regulated articles.
Starting from the problems mentioned above, the formulation of the problem in this study is, how is the criminal threat in the PDP Bill as a means of preventing and eradicating criminal acts against the protection of personal data? Related to this research, previously someone has conducted research with the title Legal Protection of Personal Data as Privacy Rights (Sekaring, 2021) This research focuses on finding the essence of legal protection of personal data as privacy rights and forms of legal protection of personal data as privacy rights in Indonesia.
Research title, Personal Data Protection Legislation Formulation in the Industrial Revolution 4.0 (Erlina, 2020) This research focuses on personal data protection regulations that must be ratified in Indonesia immediately. Research title, Juridical Analysis of Online Marketplace Privacy and Liability Policies in Protecting Users' Personal Data in Cases of Data Leakage (Maichle, 2021) This research focuses on online marketplace privacy policies related to personal data protection and forms of online marketplace accountability in a preventive and repressive manner against leaks data.
The title of the research, Protection of Online Consumers' Personal Data During E-Commerce Transactions in Indonesia (I Putu Bayu Mahendra, 2021) This research focuses on the importance of protecting the right to privacy and personal data when transacting on the internet. The title of the research, The Urgency of the Bill (RUU) on the Protection of Personal Data (Moh Hamzah Hisbulloh, 2021) This research focuses on the urgency of the Personal Data Protection Bill.
The 4th Open Society Conference
METHODOLOGY
This research is research on criminal threats in the bill on the protection of personal data.
The method used in this study is a normative juridical research method (Soerjono Soekanto and Sri Mahmudji, 2003), this study examines the literature related to the issues studied and, in this study, uses a statutory approach. The statutory approach is an approach that is carried out by examining all laws and regulations related to the legal issues being handled (Peter Mahmud Marzuki, 2010). In addition to the statutory approach, this research also uses a conceptual approach. The legal materials used in this study are primary legal materials consisting of laws and regulations related to the issues studied and secondary legal materials in the form of literature and journals related to the issues studied. All legal materials were collected by document study technique and then analyzed by descriptive analysis technique.
RESULTS AND DISCUSSION
Criminal Sanctions in the Personal Data Protection Bill
Criminal law is a law that has a special nature, namely in terms of sanctions. Everyone who is dealing with the law, will always think that the law leads to something that binds one's actions in the community. In its regulation, the law has provisions about what to do and what not to be (forbidden) to do, along with the consequences that will arise for both (Adami Cahzawi, 2011). Criminal law has differences when juxtaposed with other laws, these differences include, among others, negative sanctions which are referred to as a misery or crime. Criminal sanctions have various forms and types, such as confiscation of property through fines, deprived of their freedom of life because they have to undergo punishment in the form of confinement or imprisonment, not only that, but criminal sanctions can also take a person's life through the death penalty.
Criminal sanctions are punishments/sanctions that are deliberately given by the state through the criminal justice process (Bambang Waluyo, 2004). The sanction is imposed on every person who is legally proven to have violated the criminal law. Sentencing is a sentencing as a legitimate effort based on law to apply sanctions to someone who through the criminal justice process has been legally and convincingly proven guilty of committing a crime (P.A.F.
Lamintang, 2010). Thus, the criminal law regulates punishment and sentencing related to the process of imposing the sentence.
The word punishment comes from the word "straf" and the term punished comes from the word "gestraft". Mulyato argues that the two terms are conventional terms. He does not agree if the two terms are interpreted that way, he uses unconventional terms in interpreting the two terms above. Iya argues that the word punishment is defined as criminal so that "straf" is defined as criminal and punished is interpreted as threatened with punishment so that the word threatened with punishment is juxtaposed with the term "wordt genstraft".
Interpreting criminal (straf) according to positive law as special suffering. According to van Hammel, the suffering imposed by the competent authority to impose a criminal on behalf of the state as the person in charge of public law order for a violator, the suffering is imposed solely because the person has violated a legal regulation that must be enforced by the state.
Meanwhile, interpreting a crime (straf) as suffering inflicted on someone, that suffering by criminal law is associated with a violation of a norm, which with a judge's decision has been handed down for someone guilty.
Van Hammel and Simon (Barda Nawawi Arif, 1996), These two Dutch criminal law experts have the same view in providing limits on punishment, which in essence is suffering.
But it must be understood that suffering is not a goal, but only a tool used by the state to remind people not to commit crimes (Andi Hamzah, 1986). Indonesian criminal law experts also have
47 OSC 2022 Theme 1: Cyber Security Challenges In Law Perspective ISBN: 978-602-392-329-8 e-ISBN: 978-602-392-330-4
The 4th Open Society Conference
the same view in understanding and giving reasons for the concept of criminal. According to Prof. Sudarto, traditionally a crime can be defined as a misery imposed by the state on someone who violates the provisions of the law (Sudarto, 1996).
In formulating criminal law norms and formulating criminal threats, there are at least 3 (three) things to be achieved by the implementation of criminal law in society, namely:
1. Forming or achieving the ideals of an ideal society or society that is aspired to;
2. Maintaining and upholding noble values in society;
3. Maintaining something that is considered good (ideal) and followed by the community with negative norm formulation techniques.
The philosophy of punishment as a philosophical basis for formulating a measure or basis for justice in the event of a violation of criminal law. In this context, punishment is closely related to the criminal law enforcement process. As a system, the study of sentencing can be viewed from 2 (two) angles, namely the functional angle and the substantive norm angle.
From a functional point of view, the criminal system can be interpreted as the whole system (laws and regulations) for the functionalization/operationalization/concretion of criminals and the whole system (laws and regulations) that regulates how criminal law is enforced or operationalized concretely so that a person is sanctioned (law). From this point of view, the criminal system is identical to the criminal law enforcement system, which consists of the Material/Substantive Criminal Law sub-system, the Formal Criminal Law sub-system, and the Criminal Implementation Law sub-system.
From the point of view of substantive norms (only seen from substantive criminal law norms), the criminal system can be defined as the entire system of material criminal law rules/norms for sentencing; or The entire system of rules/norms of material criminal law for the awarding/imposition and execution of a crime. With this understanding, the entire statutory rules that exist in the Criminal Code as well as special laws outside the Criminal Code, are essentially a unified criminal system, which consists of "general rules" and “special rules”.
Based on general rules, namely those in the Criminal Code concerning criminal sanctions or types of punishment, there are only 2 types of criminal penalties, namely the main crime and additional punishment (M. Najih, 2014). The principal punishment is a punishment that can be imposed regardless of other penalties. Meanwhile, additional punishment is a punishment that can only be imposed together with the main punishment. Article 10 of the Criminal Code (KUHP) reads as follows: Criminal consists of:
1. Basic penalty ( hoofd straffen ) : a. Death Penalty;
b. Imprisonment;
c. The punishment of confinement;
d. Criminal fines.
2. Additional penalty ( bijkomende straffen ) : a. Revocation of certain rights;
b. Confiscation of certain goods;
c. Announcement of Judge's Decision.
In general, a formulation of a crime should at least contain the following formulations: (1) the legal subject who is the target of the norm (addresses at norm); (2) prohibited actions (strafbaar), either in the form of doing something (commission), not doing something (omission) and causing consequences (events caused by behavior); and (3) criminal threats (strafmaat), as a means of imposing the enforcement or compliance with these provisions (Chairul Huda, 2011). One of the things that have caught the attention of experts and the public, in general, is related to the formulation of "criminal threats" or "strafmaat". By borrowing the
The 4th Open Society Conference
term David Givens, that crime both before and after it is committed always gives "crime signals" (David Givens, 2009), then the state declares the same as "criminal". “Crime signals”
are stated by the legislators before a crime with a “criminal threat”, while after the crime is carried out through a “criminal imposed” by the judge. This is a representation of "disgrace"
against a crime and its maker.
Going deeper into the discussion of this research, what is meant by special rules is the PDP Bill as special rules, although it is still in the form of a bill, this law is interesting to study, especially in the section on criminal provisions that contain criminal threats. Researchers conducted a study on the formulation of criminal acts regulated in the PDP Bill. In short, it can be stated that in the PDP Bill there are irregularities regarding the rules of punishment. The regulation of criminal threats in the PDP Bill is a deviation from the criminal rules stipulated in the general rules contained in Article 10 of the Criminal Code.
The following is an analysis of the criminal provisions in the PDP Bill.
Table 1. Formulation of Crime in the PDP Bill
Article Formulation of Criminal Imprisonment Criminal Fines
61
(1) Any Person who knowingly obtains or collects Personal Data that is not his own with the intention of unlawfully benefiting himself or herself or another person or may result in a loss to the Personal Data Owner as referred to in Article 51 paragraph (1).
sentenced to a maximum
imprisonment of 5 (five) years
or a maximum fine of
Rp50.000.000.000 (fifty billion rupiah)
(2) Any Person who intentionally and against the law discloses Personal Data that does not belong to him as referred to in Article 51 paragraph (2)
sentenced to a maximum
imprisonment of 2 (two) years
or a maximum fine of
Rp20.000.000.000 (twenty billion rupiah).
(3) Any Person who intentionally and against the law uses Personal Data that does not belong to him as referred to in Article 51 paragraph (3)
sentenced to a maximum
imprisonment of 7 (seven) years
or a maximum fine of
Rp700.000.000.000 (seventy billion rupiah).
62
Any Person who intentionally and unlawfully installs and/or operates a visual data processing or processing device in a public place or public service facility that may threaten or violate the protection of Personal Data as referred to in Article 52
sentenced to a maximum
imprisonment of 1 (one) years
or a maximum fine of
Rp10.000.000.000 (ten billion rupiah).
49 OSC 2022 Theme 1: Cyber Security Challenges In Law Perspective ISBN: 978-602-392-329-8 e-ISBN: 978-602-392-330-4
The 4th Open Society Conference
63 Any person who intentionally and against the law uses a visual data processing or processing device installed in a public place and/or public service facility used to identify a person as referred to in Article 53
sentenced to a maximum
imprisonment of 1 (one) years
or a maximum fine of
Rp10.000.000.000 (ten billion rupiah).
64
(1) Any Person who intentionally falsifies Personal Data with the intention of benefiting himself or another person or which may cause harm to others as referred to in Article 54 paragraph (1)
sentenced to a maximum
imprisonment of 6 (six) years
or a maximum fine of
Rp60.000.000.000 (sixty billion rupiah).
(2) Any Person who intentionally sells or buys Personal Data as referred to in Article 54 paragraph (2)
sentenced to a maximum
imprisonment of 5 (five) years
or a maximum fine of
Rp50.000.000.000 (fifty billion rupiah)
Based on the table above, the act that is punishable by a criminal offense is intentionally obtaining or collecting Personal Data that does not belong to him with the intention of benefiting himself or another person against the law or may result in loss of the Personal Data Owner, intentionally disclosing Personal Data that does not belong to him, intentionally and against the law using Personal Data that does not belong to him, intentionally and against the law installing and/or operating visual data processing or processing equipment in public places or public service facilities that can threaten or violate the protection of Personal Data, intentionally and against the law using processing or data processing tools visuals posted in public places and/or public service facilities that are used to identify a person, intentionally falsify Personal Data with the intention of benefiting oneself or others or which may cause harm to others, and intentionally selling or buying data a Private.
The definition of what is meant by every person as the subject of a criminal act of protecting personal data is an individual or a corporation, this is as regulated in Article 1 point 6 of the PDP Bill. Furthermore, in Article 1 point 7, what is meant by the corporation is an organized collection of people and/or assets, both legal entities and non-legal entities following statutory regulations. In the Criminal Code Bill, it is explained that corporations include legal entities in the form of limited liability companies, foundations, cooperatives, state-owned enterprises, regionally-owned enterprises, or the equivalent, as well as associations both legal and non-legal entities or business entities in the form of firms. limited partnership, or it is equivalent in accordance with the provisions of the legislation. Based on Article 23 of the PDP Bill, corporations that can be held criminally responsible are those who control personal data and processors of personal data. While personal data controllers and processors of personal data originating from public bodies and organizations/institutions cannot be held criminally responsible, however, these public bodies and organizations /institutions are only subject to administrative sanctions as regulated in Article 50 of the PDP Bill.
Two main types of crime can be imposed on the perpetrator/defendant who violates the protection of personal data, first, namely imprisonment and fines. The basic punishment
The 4th Open Society Conference
regulated in the PDP Bill is alternative so that the judge can choose one of the main crimes to be imposed on the perpetrator/defendant who violates the protection of personal data. The main punishment in the form of imprisonment in the PDP Bill does not recognize a specific minimum threat. The principal punishment regulated in Article 61 paragraph (1) is in the form of imprisonment for a maximum of 5 (five) years or a maximum fine of Rp50.000.000.000(Fifty billion rupiah), Article 61 paragraph (2) is in the form of imprisonment for a maximum of 2 (two) years or a maximum fine of Rp20.000.000.000 (two billion rupiahs), and Article 61 paragraph (3) is in the form of imprisonment for a maximum of 7 (seven) years or a maximum fine of Rp70.000.000.000 (seven billion rupiah).
The principal punishment regulated in Article 62 is in the form of imprisonment for a maximum of 1 (one) year or a maximum fine of Rp10.000.000.000 (ten billion rupiahs), Article 63 paragraph (2) is in the form of imprisonment for a maximum of 1 (one) year or a maximum fine of Rp10.000.000.000 (ten billion rupiahs), Article 64 paragraph (1) is in the form of imprisonment for a maximum of 6 (six) years or a fine of a maximum of Rp60.000.000.000 (sixty billion rupiahs), Article 64 paragraph (2) is in the form of imprisonment for a maximum of 5 (five) years or a maximum fine of Rp50.000.000.000 (five billion rupiah).
Article 65 of the PDP Bill regulates additional penalties. Additional penalties are penalties that can only be imposed together with the main punishment. Article 65 stipulates that in addition to being sentenced to punishment as referred to in Article 61 to Article 64 against individual defendants, additional penalties may also be imposed in the form of confiscation of profits and/or assets obtained or proceeds from criminal acts and payment of compensation.
Additional penalties are also intended for corporate actors, in Article 66 paragraph (4), namely, (1) confiscation of profits and/or assets obtained or proceeds from criminal acts; (2) freezing of all or part of the Corporation's business; (3) permanent prohibition on certain actions; (4) closure of all or part of the place of business and/or activities of the Corporation; (5) carry out obligations that have been neglected; and f. compensation payment.
Criminal provisions for corporations have different rules from crimes committed by individuals. In the event that the criminal acts as referred to in Article 61 to Article 64 are committed by the Corporation, the punishment may be imposed on the management, control holder, order giver, beneficial owner, and/or the Corporation. The only punishment that can be imposed on the Corporation is a fine. (3) The fine imposed on the Corporation is a maximum of 3 (three) times the maximum penalty imposed. Thus, against corporations, the principal punishment imposed is a fine, not a prison sentence.
CONCLUSION
Research on criminal threats in the bill on the protection of personal data in Indonesia shows that there are 7 (seven) acts of legal subjects that can be subject to criminal sanctions.
The PDP Bill only regulates actions that are active/deliberately committed, not yet stipulates actions due to someone's negligence. Criminal threats for perpetrators are alternative, namely the main punishment can be in the form of imprisonment or a fine. Imprisonment for personal data infringement does not have a special minimum penalty, the main punishment in the form of imprisonment for each act has a maximum difference in the punishment that can be imposed.
In addition to the main punishment in the PDP Bill, it also regulates additional penalties. These additional penalties, of course, deviate from the provisions stipulated in the general rules in book I of the Criminal Code. Criminal threats in the PDP Bill can later be imposed on any person, namely individuals or corporations who commit violations as referred to in Articles 61 to 64 of the PDP Bill. Specifically, corporate actors can only be sentenced to fines and cannot