As Indonesian Tech Booms, Data Protection Lags

Why hasn't Southeast Asia's Silicon Valley passed any data regulation?

There are 50 technology unicorns (tech companies worth over USD 1 billion) in Southeast Asia, a fifth of which are born and bred in Indonesia. However, local regulators have found it hard to keep up with the tech gold rush, raising questions over how long Indonesia can maintain this success without meaningful oversight.

Indonesia became an emerging market leader in tech during the 2010s. The majority of the population is below the age of thirty, following sustained economic recovery after decades of dictatorship ended in the 1990s. In addition, comprehensive state-owned efforts to build telecommunications infrastructure have ensured that more than 70% of Indonesians have reliable internet access. All this has made Indonesia a fertile ground for start-ups to flourish.

Deep-pocketed investors are following the big numbers in Indonesia. In August 2021, local e-commerce platform Bukalapak broke the record for Indonesia’s largest IPO, with a USD 1.5 billion listing. In October 2021, the local stock trading app Ajaib reached a billion-dollar valuation after just two funding rounds. Market observers expect Indonesia to produce another 10 tech unicorns by 2025. Within this period, the country’s digital economy is also primed to quadruple in value to USD 146 billion.

Tech sector growth outstrips regulation

Despite this growth, investors and consumers have begun to feel the lack of effective data regulation and cybersecurity legislation. Data from Indonesia’s National Cyber and Crypto Agency show that data breaches are rising steadily, with 888 million hacking attempts – a disproportionate number compared to western economies – recorded in that same period. By way of comparison, the UK recorded roughly 400,000 cyberattacks throughout 2021, while the US has an estimated 800,000 hacking attempts per year.

Separately in August 2021, a teenage hacker broke into the country’s Covid-19 track-and-trace app to collect the personal and health information of 279 million Indonesians (both living and dead), which he then sold online in exchange for Bitcoin. Local unicorns have not been spared either. In May 2020, personal and login details for 91 million users of the e-commerce firm Tokopedia were found to be on sale through the Dark Web.

One of the most egregious breaches involved the local travel booking firm Traveloka. In April 2021, many users found that a Traveloka payment affiliate had signed them up for accounts with the affiliate without consent, and recorded payments on Traveloka's platform as debt on their books. Users did not know they had these accounts, nor did they receive related emails or invoices. They only found out after they failed to obtain bank loans because the digital debts affected their credit scores. Although Traveloka cancelled their debts soon after, journalists discovered that the company had been aware of this problem since 2019 and had done little to correct it.

Neither Traveloka nor its affiliate have been investigated for this breach. In fact, Indonesian authorities have not looked into any of the abovementioned incidents. Why?

Indonesia can't agree on how to regulate data privacy

While Indonesia has some laws governing technology and online activity, none has been considered effective in protecting personal data and privacy. Since the early 2010s, bills on cybercrime and personal data protection have remained in a state of administrative limbo in the House of Representatives, Indonesia’s lower house of parliament.

This is because there is no consensus over the authority under which the proposed laws would be enforced. On the one hand, the country's Ministry of Communication and Information Technology wants an in-house cybercrime agency to implement the provisions in the bill. But many local representatives believe there should be an independent regulator, similar to the anti-graft watchdog KPK. Both sides have repeated their respective arguments in the House for years, with no clear political will to push through substantial reforms.

As of August 2022, discussions on an Indonesian data protection bill is ongoing, with the government pledging to carry out personal data protection practice and enforcement through various efforts, in the meantime. But this is merely a band aid over a gaping hole.

Where does this leave tech companies and investors?

Given this regulatory impasse, local tech companies in Indonesia have virtual free rein on how they use their customers' data.

However, wise investors understand that their Indonesian user base is young, globally-connected and increasingly aware of their digital rights (even if local legislation still trails behind). Until the Indonesian government agrees on a data security agenda, global investors and their local partners should seek advice from data privacy advocates, cybersecurity experts and due diligence providers in order to protect the integrity of their brand and maintain data confidentiality obligations to staff.