Preventing misuse of personal data protection law against civic space

Many of us are cheering the enactment of personal data protection law. We recognised it as significant progress in protecting privacy and creating an enabling environment for business and civil society. However, civil society may be concerned about the risk of data protection law misuse against civil liberties. How big is the risk of personal data protection law being weaponised against civic space, especially freedom of speech, expression and information, and how we can prevent it? This article will discuss it further.

Weak exemption rule 

While data protection law is essential as an enabling factor for civil society, data protection law may be misused to bar freedom of information and expression, especially in critical activities like investigative journalism and investigation of corruption and human rights activism. In addition, it may also threaten the protection of whistle-blowers. 

The main reason for this concern is the failure of data protection law to exempt journalism activities from the provision of data protection. Unlike other data protection laws, like in the EU and Anglo Saxon countries, our data protection laws did not include journalism activities from the exemption provision. Since it serves the public interest, journalism activities shall be exempt from personal data protection. 

Indeed, there is some provision concerning exemption. Article 15 states that personal data protection is exempted for defence and national security interests, law enforcement process, public interest in the context of state administration, the oversight purpose in the context of the financial service sector, monetary, payment system, and financial system stability that occurred in the context of state administration, 

However, these exemption provisions in personal data protection law may contain the risk of misinterpretation. For instance, the notion of national security and public interest in the context of state administration may be interpreted and politicised in a way which negatively affects civic space. We have a long experience with that. Without clear guidance on the interpretation of national security and public interest, corrupt authorities or law enforcement agencies may monopolise the interpretation in their favour and misuse these provisions to silence critics. 


Press freedom, public participation and NGOs are vulnerable to becoming a target of criminalisation attempts using data protection law. It could come from 2 ways: firstly, where they have works of an investigation targeting corrupt public officials, individuals or corporations, and secondly, their inability to ensure their obligation in processing data, especially when gathering data for monitoring works. 

Personal data protection law may bar investigative journalism works. It is because Investigative journalism relies on confidential information. Individuals or institutions who do not want their data leaked will likely use this law to attack the media or journalists. In Europe, a CSO is threatened with a civil lawsuit requesting a massive sum of money in damages by a political figure. Therefore it is essential to underline that investigative journalism shall be exempt from personal data protection law.

Personal data protection law may be misused to scrutinise independent, critical NGOs. Like other legal entities, NGOs are the subject of personal data protection law. NGOs must comply with personal data protection laws. In addition, to comply with the law, NGOs must appoint a Data Protection Officer. Their inability or failure to protect personal data may put them in trouble. In some countries, there has been a tendency to misuse personal data protection laws to limit freedom of expression. In Europe, for example, even though they have a robust data protection regime (the GDPR), some member countries, like Romania in the case of Teleorman leaks, misused the law to silence NGOs and media. Therefore, NGOs must quickly adapt and take necessary measures to comply with the law. 

Preventing measures

In order to prevent misused personal data protection law to crack down on civil liberties, some measures should be taken, and I would propose some crucial steps as follow:

Firstly, ensuring the independence of the Indonesia Data Protection Authority (DPA) is highly crucial. They are vulnerable to political interference, especially involving the ruler. The scope of authority of the DPA is broad, and its work procedure and mechanism will be governed by government regulation. So, civil society needs to monitor the formulation of that government regulation. However, as DPA will act as an administrative body and quasi-judicial, they should become subject to remedy mechanisms. Their decision may be challenged before an administrative court or PTUN. 

Secondly, Safeguarding the DPA through a transparent mechanism. When assessing claims involving data processing operations for legitimate purposes, like journalism and research activities, it must be put in place. 

Thirdly, guiding interpretation of vague words in the provisions. A presence of guidance in balancing personal data protection and freedom of expression and information is also needed. Through this guidance, they may carefully analyse the case involving contested interpretation in some circumstances. 

Lastly, do not leave the police to enforce and interpret the personnel data breach case alone. Learning from the implementation of ITE laws, often, police arbitrarily interpret and misuse the law to criminalise critical voices and dissents.

written by Nurkholis Hidayat