Juridical Analysis of Legal Protection of Personal Data in terms of Legal Certainty

Personal data is individual data that is stored, cared for, and kept true and also protected by confidentiality. There are various kinds of rules governing personal data in Indonesia but there is no one rule that specifically regulates personal data itself. The purpose of this study is to analyze the protection of personal data in terms of legal certainty. The problem in this research is how the legal protection of personal data is viewed from the Legal Certainty Principle, as well as the ius constituendum for personal data regulation in Indonesia. This study uses normative legal research using statutory and case approaches. Collection of legal materials through the method of literature study, with primary, secondary, and tertiary legal materials. The conclusion from the results of this study shows that the current regulations still do not really provide concrete protection because personal data itself does not have laws that specifically regulate and bind it. The suggestion from this study is that there are efforts to optimize agencies or institutions that have authorization in terms of enforcing data protection laws in Indonesia.


A. INTRODUCTION
One of the phenomena that is growing rapidly in Indonesia is about the field of Electronic Information and Transactions which we often hear and call by the name of ITE (Electronic Information and Transactions). 1 This research was carried out by research since November 2021 which is based on the Draft Law on the protection of personal data. currently the data protection law has been legalized with the family of Law 27 of 2022 concerning Personal Data Protection.
The development of Information Technology today has developed very significantly which seems to be a double-edged knife, 2,3 because in addition to contributing extraordinarily to the improvement of welfare, human civilization, and progress which is also an effective means that results in unlawful acts. 4 The problem that arises is about the misuse of information technology for the evil interests of certain individuals called Cyber Crime (Cyber Crime) which results in losses to many people. This proves, behind the positive things obtained there is also a negative point that becomes a concern for everyone who is exposed to the freedom and openness of the internet.
Cybercrime was born in a new legal era which is the development of a crime that occurs on computers. 5 The word or designation is taken from the term Cyber Law which is internationally used with legal designations related to the use of information technology. 6 Cyber Crime has violated the rules contained in criminal law. Cyber Crime will create a problem or imbalance in the procedure of investigation, investigation, and proof according to a conventional point of view where the procedure is different from investigation or evidence in conventional criminal cases. 7 It can be said that this Cyber Crime is a recent or modern crime. 8 E-ISSN : 2776-9674 ISSN : 2776-9259 ILREJ, Vol 3, No. 1, 2023 Juridical Analysis of Legal Protection of Personal Data in terms of Legal Certainty | 98 In this case, one form of cybercrime is a crime against personal data owned by humans. 9,10 All humans must have data or documents that concern themselves or themselves that are very guarded. From what has happened so far, generally the personal data is misused for someone's personal interests and disseminated in cyberspace through social media without consent or without the knowledge of the person concerned who has the data. Of course this is contrary to the contents of Article 32 Paragraphs (2) and (3)  Generally, crimes committed online in cyberspace or social media aim to seek benefits against the perpetrators of crime. 11 The misused and disseminated data published in cyberspace or the world of electronic media is very valuable. These data are prone to leakage in the public through cyberspace and can be misused by irresponsible people. Various kinds of personal data as known are in the form of NIK, KK, Identity KTP, Work Document Files or other important files as well as in the form of videos or recordings or photos and in other forms. Data owned by someone is confidential data and is fully guarded because it is our personal privacy. The definition of personal data is not stated in the ITE Law. But in terms of official interpretation of privacy rights is stated in the content of Article 26 paragraph (1) of the ITE Law which states "Unless otherwise stipulated by laws and regulations, the use of any information through electronic media that concerns a person's personal data must be carried out with the consent of the person concerned". The ITE Law, namely Article 45 CHAPTER XI in Criminal Provisions Paragraph (1) states "Any person who fulfills the elements as referred to in Article 27 paragraph (1), paragraph (2), paragraph (3), or paragraph (4) shall be sentenced to a maximum imprisonment of 6 (six) years and/or a maximum fine of Rp. 1,000,000,000.00 (one billion rupiah)".
Regarding sanctions, in the Personal Data Protection Bill (RUU PDP) there are changes stipulated in Article 61, which states: 1. Any Person who intentionally obtains or collects Personal Data that does not belong to him with the intention to benefit himself or others unlawfully or may result in losses to the Personal Data Owner as referred to in Article 51 paragraph (1) shall be punished with a maximum imprisonment of 5 (five) years or a maximum fine of Rp50,000,000,000.00 (fifty billion rupiah). 2. Any Person who intentionally and unlawfully discloses Personal Data that does not belong to him as referred to in Article 51 paragraph (2) shall be punished with a maximum imprisonment of 2 (two) years or a maximum fine of Rp20,000,000,000.00 (twenty billion rupiah). 3. Any Person who intentionally and unlawfully uses Personal Data that does not belong to him as referred to in Article 51 paragraph (3) shall be punished with a maximum imprisonment of 7 (seven) years or a maximum fine of Rp70,000,000,000.00 (seventy billion rupiah). Although the ITE Law has regulated personal data and sanctions for violators, it is not comprehensive. One of the things that is still a problem, for example, is related to solving cases in cross-border personal data leaks, which until now has not been able to be overcome by the government. Some examples of personal data leakage cases in Indonesia include: 1. The leak of a number of data on Social Security Organizing Agency (BPJS) participants sold on Raid Forums for 0.15 Bitcoin in May 2021; 2. The leak of Cermati (as many as 2.9 million users) and Lazada (as many as 1.1 million user data) data sold on the Raidforums site at the end of 2020; 3. Data sales of 2 million BRI Life customers at a price of $ 7,000 or around Rp 101.6 million circulating on Twitter; and some other cases. This condition then gave rise to the birth of the PDP Bill, in order to regulate specifically and in detail related to personal data protection which is currently still spread in several laws and regulations such as the Banking Law, ITE Law, Consumer Protection Law, and other laws. In addition, the purpose of the formulation of the PDP Bill is also to provide a legal basis for Indonesia to maintain state sovereignty, state security, and protection of personal data belonging to Indonesian citizens wherever the personal data is located to ensure legal certainty.
Based on the background of the problem described in this case, the author conducted an in-depth study or research on personal data, entitled: "Juridical Analysis of Legal Protection of Personal Data Reviewed from the Principle of Legal Certainty".

B. METHOD
The type of research that the author uses is the type of Normative Law research. Normative Legal Research is legal research based on literature carried out or carried out by examining sources or library materials or secondary data. 12 The objective of Normative Legal Research is to enable researchers to find solutions to existing problems or cases and make decisions based on the applicable positive law. 13

C. RESULTS AND DISCUSSION 1. Juridical Analysis of Legal Protection of Personal Data Reviewed from the Principle of Legal Certainty
Due to legal uncertainty, a law on personal data protection was created. In this case it does not happen without cause, but because there is no harmonization of laws and regulations 12 Tunggul Ansari and Setia Negara, "Normative Legal Research in Indonesia: Its Originis and Approaches," Akhmad Afridho  governing with regard to personal data protection in Indonesia. 14 Danrivanto Budhijanto explains that: "the protection of personal rights as human rights will enhance human values, improve relations between individuals and their communities, increase independence or autonomy to exercise control and obtain services, and increase tolerance and from discriminatory treatment, in addition to limiting the power of the government". 15 There are several regulations in Indonesia regarding the protection of personal data there are so many, for example Law Number 36  There are about fourteen laws in Indonesia that contain these provisions, but there is not a single legal framework that regulates all personal data protection. This causes the regulation to be sectoral and have varying interpretations or relationships to personal data, resulting in data leakage. Articles 28G and 28J of the 1945 Constitution stipulate that the Personal Data Protection Bill is a constitutionally mandated state obligation to build a safer digital environment for Indonesian residents. The PDP Bill can serve as an important legal umbrella to protect individuals' personal data. To achieve a more comprehensive legal instrument, it is necessary to regulate the PDP Bill. The PDP Bill provides for the types of personal data, personal data subjects, personal data control requirements, data, and data transfers, as well as sanctions, dispute resolution, international cooperation, and the role of government and society in the PDP. 16 Data protection regulations are believed to be less effective because they are still fragmented in a multi-sectoral context so that they do not provide optimal protection, but the protection must also consider the position of the state through state institutions / institutions that also act as regulators, facilitators, and users. Substantively, the PDP Bill is also likely related to the wiretapping capabilities possessed by certain K/L based on the authority granted by law to certain state organizations. 14 Fitria Esfandiari AlFath Anggara, Herwastoeti, "Harmonization of Legal Based on research conducted by the author, there is an explanation of each law on personal data protection in Indonesia that is currently in force, namely:

a. Health
There are several regulations related to medical records, hospital information systems, hospital and patient responsibilities, etc. In accordance with the rules of Article 52 paragraph (2) in the Health Law that, "health workers must adhere to professional standards and patient rights in carrying out their duties". Article 57 paragraph (1) of the Health Law, which stipulates that, "every individual has the right to confidentiality of his personal health situation as disclosed to health care practitioners". In this article, patients have guarantees of protection of their personal data in the form of medical history, but this Health Law does not regulate recovery arrangements for rights holders (in this case patients) to protect patient rights. In this Law, there are no administrative or criminal sanctions for violating the confidentiality of the patient's medical history. According to the authors, the Health Law is less specific, and has not provided adequate protection for personal data in the context of protecting privacy rights. 17,18 b. Banking Law No. 10/1998) regulates matters relating to banking secrets, based on the principle of confidentiality, which requires banks to retain all data and information relating to customers, including personal information. Article 1 paragraph (28) of the Banking Law defines bank secrecy as all information relating to depositors and deposits. When conducting transactions, customers are required to provide relevant personal data.
Article 40 of the Banking Law and Article 41 of Law Number 21 of 2008 concerning Sharia Banking state that banks are obliged to keep information about depositors and deposits confidential, with some exceptions. So customer privacy protection does not only apply to data (savings or other bank products), but also to customer personal data, which includes identity-related personal data.
Through "OJK Circular Letter Number 14/SEOJK.07/2014 concerning Confidentiality and Security of Consumer Data and/or Personal Information, OJK contains a detailed list of consumer personal data and/or information that must be kept confidential, including name, address, telephone number, date of birth and/or age, and/or birth mother's name (specifically for individual customers), as well as a list of ownership and commissioners including identity documents in the form of Identity (specifically for corporate customers)".

c. Telecommunications
The protection of the right to privacy in the field of telecommunications and information technology is limited to the confidentiality of a person's personal information 17  and communication, which is guaranteed by the provisions of Law No. 36 of 1999 on Telecommunications which prohibits eavesdropping. In this regulation, however, telecommunication operators are authorized to record conversations to show the correctness of using telecommunication facilities at the request of telecommunication service users. In accordance with Law Number 11 of 2008 concerning Electronic Information and Transactions, provisions have emerged regarding personal data protection in the field of telecommunications and information technology, and more generally in the implementation of electronic systems. In accordance with Article 26 paragraph (1) of the ITE Law that, "every transfer of a person's personal data must first seek the consent of the data owner (prohibition of arbitrary transfer of personal data)". Furthermore, Article 26 paragraph (2), "If a person's personal information is transferred arbitrarily, the data owner may file a claim for compensation to the court". However, the complexity of the evidentiary process in Indonesian civil courts makes it difficult for the public (data owners) to legitimately refute claims of leakage of their personal data.

d. Human Rights
Personal data is included in the section of human rights that must be protected. 19,20 In Law No. 39 of 1999 concerning Human Rights. The spirit of personal data protection can at least be seen through Article 21 which states that: "Everyone has the right to personal integrity, both spiritual and physical, and therefore must not be the object of research without his consent". Although the protection of personal data can at least be seen through Article 21 which states that: "Everyone has the right to personal integrity, both spiritual and physical, and therefore must not be the object of research without his consent". In addition, the existence of the Human Rights Law basically only provides a foundation or becomes a basis related to the protection, promotion, enforcement, and fulfillment of human rights in general.

e. Trade
The Trade Act does not provide for the obligation to safeguard personal (customer) data. However, in the provisions of Article 65 paragraph (3) of the law, it is affirmed that in doing business by utilizing an electronic system (e-commerce), every merchant must refer to the applicable rules in the ITE Law. That is, the requirements relating to the protection of personal data are also absolutely binding for all transactions involving electronic systems. Furthermore, Article 66 of the Trade Act mandates that. "Establishment of Government Regulations on Trading Through Electronic Systems". This regulation must also regulate the protection of consumer personal data, referring to existing laws and regulations, especially the ITE Law and the Consumer Protection Law.   -ISSN : 2776-9674 ISSN : 2776-9259 ILREJ, Vol 3, No. 1, 2023 Juridical Analysis of Legal Protection of Personal Data in terms of Legal Certainty | 103 In terms of obtaininglegal certainty regarding the validity of personal data ownership, the approach that must be studied first is an analysis regarding the classification of personal rights to property rights to review the scope of the current personal data regulation in Indonesia to ensure it has been accommodated or not. First, refer to the Second Book of the Civil Code ("KUHPer"). The objects can be grouped into 4 (four) categories, namely: Tangible objects, Intangible objects, Moving objects, Immovable objects".
Meanwhile, when viewed from its characteristics, the characteristics of property rights are: It is an absolute right and protected against other third parties; The party (person) who controls an object has the right to the object; In the context of debt repayment, property rights give the right to precedence over the repayment of debts; Property rights give a person the right to bring a lawsuit". As with the Criminal Code, personal data can be classified as objects without restriction. This is because personal data can be characterized as an intangible object, and if it is part of big data, it can have economic value, giving the holder of personal data rights that can be protected from third parties.

g. Public Information Disclosure
In terms of assessing legal certainty regarding the validity of personal data ownership, the approach that must be studied first is an analysis regarding the classification of personal rights to property rights to review the scope of the current personal data regulation in Indonesia to ensure it has been accommodated or not. First, refer to the Second Book of the Civil Code ("KUHPer"). The objects can be grouped into 4 (four) categories, namely: Tangible objects; Intangible objects; Moving objects; Objects do not move".
Meanwhile, when viewed from its characteristics, the characteristics of property rights are: "It is an absolute right and protected against other third parties; The party (person) who controls an object has the right to the object; In the context of debt repayment, property rights give the right to precedence over the repayment of debts; Property rights give a person the right to bring a lawsuit". As with the Criminal Code, personal data can be classified as objects without restriction. This is because personal data can be characterized as an intangible object, and if it is part of big data, it can have economic value, giving the holder of personal data rights that can be protected from third parties.

Ius Constituendum on Personal Data Protection Arrangements in Indonesia a. Protection of Personal Data in Other Countries
Regarding personal data regulations in Indonesia, it is necessary to review the regulations of other countries as a reference or comparison related to applicable rules including, the first is the Singapore Personal Data Protection Act ("PDPA"). The PDPA was officially adopted on July 2, 2014. These lawful provisions give individuals the ability to protect their "personal data". "The current regulations also clearly mention violations covering the third to sixth sections" of the PDPA. In terms of making E-ISSN : 2776-9674 ISSN : 2776-9259 ILREJ, Vol 3, No. 1, 2023 comparisons with Singapore. This is based on Singapore having arrangements on Personal Data Protection as well as in Indonesia. However, this comparison aims to make some more comprehensive arrangements arranged in Singapore can also be applied in Indonesia where there are still weaknesses. Thus, this comparison is intended to ensure that Singapore Law knows the basic principles that will be implemented in Indonesia.
The second is the European Union's GDPR or General Data Protection Regulation, in its rules GDPR regarding personal data refers to any information relating to a living individual. Personal data is always protected, regardless of how it is stored. The General Data Protection Regulation (GDPR) ensures that all data is protected. According to GDPR, any information relating to an identifiable individual is referred to as "personal data." This includes information such as name, address, email address, and other contact information." The third is the PIPA in South Korea or the Personal Information Protection Act in article 7 of the PIPA states: The Personal Information Protection Commission (hereinafter referred to as the commission) will be established under the Presidential Office to consider and resolve issues regarding data protection. The Commission independently performs the functions within its authority.

b. Updating Personal Data Protection Law in Indonesia
Consider the many comparisons that can be found among the many countries that have been discussed in detail, including Singapore and South Korea, please note that there are several institutional model designs regarding personal data encryption, namely: First, it is referred to as an independent nation and institution. This scenario occurs in South Korea, where the basic plans and implementation strategies of violating organizations, problems with systems and regulations related to data protection, problems with coordinating the positions of public institutions in matters involving personal data protection, and legal knowledge and compliance issues related to data protection are major concerns. In addition, South Korea's PIPC also has legal independence; as a result, PIPC cannot be effectively intervened in executing commands.
Second, connect with other national business organizations. The aforementioned strategy can be done by raising concerns about the transmission of personal data to various governments that have been modified in view of their functions and risks. For example, this can be done by negotiating with various national governments that are currently part of the international treaty system for Indonesia, namely: "(1) Arrangements are made by the Ministry of Communication and Information; (2) Supervision shall be exercised by the Ombudsman; (3) Protection is carried out by Komnas HAM; (4) Law enforcement shall be carried out by the Police and the Prosecutor's Office; and (5) Conflict Resolution shall be conducted by the Public Information Commission". Authorities can be exercised by more than one institution under the GDPR. In the context of Indonesia's constitutional system, this situation can be overcome by giving encouragement to several institutions based on their respective levels of motivation. But E-ISSN : 2776-9674 ISSN : 2776-9259 ILREJ, Vol 3, No. 1, 2023 Juridical Analysis of Legal Protection of Personal Data in terms of Legal Certainty | 105 the question now is about the independence of the country that has been legalized and anglized by the President.
Third, as stated in the Personal Data Protection Bill, it is a manifestation of government unrest. its management of personal data is regulated in its entirety by the Government in this context. About supervision and protection is not specifically disclosed. This concept is not ideal as it contradicts various international laws relating to personal data security, including the APEC Privacy Framework (2015), the European Union's General Data Protection Regulation, the European Union's Modern Convention for the Protection of Individuals Relating to the Processing of Personal Data 1981 (Convention 108), and the United Nations Guidelines for the Regulation of Computerized Personal Data Files (1990). Therefore, the fourth operation is no longer used as a means to enforce the confidentiality of personal information in the Indonesian constitutional system. Citizens should be placed as a priority in the Personal Data Protection Bill as the embodiment of a state of law subject to the constitution. 21,22 The independence of an institution is something urgent in the protection of personal data based on international agreements. Therefore, the Personal Data Protection Act consistently identifies Independent Authorities as powerful organizations. However, as a precautionary measure to ensure that checks and balances continue to run, the authors recommend that an Appellate Commission be established to independently assess the Authority's concerns regarding Protected Personal Data. Based on the foregoing, the author proposes the establishment of the Personal Data Protection Authority Commission of the Republic of Indonesia (Komperdadi RI), which will have many concerns, including: "1) Implementation of personal data protection; 2) Issue policies, systems and regulations relating to data protection; 3) As a coordinator related to public and private institutions in terms of personal data processing; and 4) As a verifier of law enforcement related to personal data protection, in the sense that violations related to PDP must go through Komperdadi first before filing a lawsuit to the Court for civil cases or to the Police for criminal cases". In addition to Komperdadi RI, the author also suggests the establishment of a Personal Data Protection Appeal Commission that is affiliated with Kombad PDP and has the ability to respond to objections arising in response to Komperdadi's news release. However, the decision of Kombad RI is not merely an initiation decision so that it can raise objections to the PTUN. In more detail, the draft data privacy system of the Indonesian government is as follows: Based on Figure 1, there are three organizations that want to help protect data privacy: Komperdadi, Kombad PDP, and PTUN. The author proposes that the election commission be carried out based on the proposal of the President and the House of Representatives who conduct elections as an effort to maintain the independence of Komperdadi and Kombad PDP. The President's proposal must be three times the number of candidates submitted; For example, if there are five commissioners, the presidential candidate must be 3x (a total of 15 candidates). This is a step to ensure the independence of the PDP and Komperdadi in the Indonesian political system.

D. CONCLUSION
Based on research conducted by the author that data protection regulations in Indonesia are still scattered in laws sectors such as the ITE Law, the Banking Law, the Capital Market Law and Regulations Government and Ministerial Regulations and agencies directly related to data protection such as the Financial Services Authority and Bank Indonesia. so that a unified regulation is needed that accommodates data protection issues in Indonesia. Carry out optimization efforts for national data protection institutions or agencies that are overseeing and prosecute data protection violations.