Independent Supervisory Authority to Protect Social Media Users' Personal Information in Indonesia

Given the lack of a specific institution in Indonesia that oversees the protection of personal data, the importance of protecting personal data is frequently debated. Along with technological developments that continue to occur, it will be directly proportional to the legal risks caused. Hence, these developments need to be balanced with existing legal rules to minimize the occurrence of criminal cases, one of which is the misuse of technology today, which is related to property rights to personal data, especially personal data on social media. This paper uses a normative research method that aims to determine the essence of the formation of legal products and independent authority institutions in Indonesia in maximizing protection and law enforcement against misuse of personal data. Based on the results of the study, it is known that the urgency of establishing this independent authority greatly influences the protection of the misuse of personal data, especially personal data on social media.

The novelty of this research is an independent data protection authority is one of the public institutions tasked with ensuring the protection of personal data and the compliance of controllers and processors of personal data, both individuals and private entities, as well as public institutions, with data protection laws and regulations. Analysis of the ideal format of an independent authority that is not under the government, with the task of socializing, supervising, handling administrative disputes, mediating, and providing recommendations regarding protecting personal data.
Based on the explanation above, it can be seen that the discussion regarding the supervisory authority for the protection of personal data is critical to put forward, considering that Indonesia currently does not have a particular institution that oversees the protection of personal data as a whole. The debate about the importance of protecting personal data often cannot be separated from the issue of information disclosure. Up until now, no writing has explicitly explained the essence of the establishment of an independent supervisory authority in protecting the personal data of social media users and legal protection of the personal data of social media users. As a result, the authors attempts to explain in this paper how important the establishment of an independent supervisory authority in the protection of personal data for social media users is, as well as how legal protection for personal data of social media users is.

B. Discussion 1. Independent Supervisory Authority In The Protection Of Personal Data Of Social
Media Users. An independent data protection authority is a public institution whose function is to protect personal data and ensure the compliance of personal data controllers and processors, both individuals and private entities, as well as public institutions, with data protection laws and regulations. This organization is a critical player in data protection efforts, serving as the spearhead of privacy and data protection regulators. The agency's primary role is not only to implement privacy and data protection policies but also to raise awareness, consult, and develop networks. 9 In general, there are two law enforcement models for personal data protection: the first with the establishment of an independent supervisory authority, and the second with the ministry. Five of the seven international treaties and standards relating to personal data protection require the establishment of an independent supervisory authority. 10 Personal data monitoring agencies are the most important factor in any country's efforts to protect its citizens' personal data. This is also the state's role in providing the public with a sense of security and comfort when using social media or other platforms that require the use of personal data to access the platform. Elsam's research, Measuring the Compliance of Information and Communication Technology Companies, stated several things about social media platforms' privacy policies, as follows: 11 a. In general, social media platforms already have a privacy policy, although the details and completeness are still very varied; b. Some platforms have listed third-party companies for them to share information about their consumers' personal data, but the names of these third-party companies are not listed; c. Some platforms do not state the retention period for consumer personal data, there are some that include, but still do not clearly explain the retention period for consumer personal data; d. Most platforms do not state the company's obligation to notify data subjects of data leaks; e. Most companies do not include a redress mechanism for consumers whose rights to privacy are violated as a result of data leaks; f. Some terms in the privacy policy are confusing, such as, 'including without limitation', 'relevant information', 'active users', 'enrich your experience', and so on; g. The appearance of the privacy policy is not attractive, communicative and easy to understand, only a few companies are able to explain with examples, besides that the Indonesian language used seems to be the result of machine translation.
The 2015 APEC Privacy Framework also emphasizes the need for each country to establish a personal data protection enforcement agency or agency with a model. The second reason is Indonesia's lax regulation of personal data protection in law enforcement. We must know the use of Law No. 8 of 1981 concerning the Criminal Procedure Code (KUHAP) as a guideline for criminal law enforcement and coercive measures. The Criminal Procedure Code only requires confiscation action with the permission of the head of the court (Article 38 paragraph (1) KUHAP). Still, it does not require the need to protect the user's data, even in the investigation process. Things such as in the act of confiscation carried out by investigators, where although not explicitly, but implicitly personal electronic data contained in electronic devices is one of the objects of confiscation as referred to in Article 39 paragraph (1) of the Criminal Procedure Code. Based on the presumption of innocence, personal data of social media users must be protected, not published or misused. Personal data is vulnerable to misuse by law enforcement for purposes other than law enforcement because there is no regulation governing personal data protection. Based on these two imperatives, an authority that regulates and ensures personal data protection, including in the context of law enforcement, must be established. 12 Personal data concerns human rights and privacy that must be protected, as stated in: a There are several reasons why it is important to protect personal data, including: a. Data is a high-value asset or commodity in the era of big data and the digital economy. It has been mentioned that the data volume in 2015 is estimated to reach 8 trillion GB and will increase 40 times in 2020. 13 and Data-driven AI applications are projected to contribute US$13 trillion to the global economy by 2030. 14 P-ISSN 2723-2638 Volume 3 Issue 1, January-June 2022 E-ISSN2745-9314 b. Violations of privacy and misuse of personal data are increasingly occurring, for example activities related to digital dossier, direct selling, location-based messaging, in addition, an example of a concrete case that has occurred relating to misuse of personal data is the Cambridge Analytica case that occurred in 2018 c. The public is not yet fully aware of the importance of protecting personal data. Public awareness of personal data protection is one of the important things given the significant increase in the number of internet users in Indonesia, but not all of them are aware of the importance of personal data protection; even based on research conducted by Apjil in 2017 more than 30% of Indonesian internet users are not aware that data can be retrieved. 15 Accessing other people's data can interfere with individual privacy rights by distributing personal data without the person's permission, which is a type of unlawful action. There are numerous cases of privacy violations in both cyberspace and the real world. One example is the rise in cyberspace privacy violations, particularly in social media applications. 16 Furthermore, it can be seen that the perpetrators' misuse of personal data on social media platforms is an unlawful act that is contrary to the personal rights of others, where personal data is one of one's privacy rights. 17 The debate over the supervisory authority for personal data protection is critical, given that Indonesia currently lacks an extraordinary institution that oversees personal data protection. It is critical to provide legal protection to victims; in order to do so, law enforcement must be carried out correctly. 18 Furthermore, the laws that govern must be comprehensively and explicitly regulated to provide legal certainty to protect personal data, such as how other parties may collect, store, and use data, as well as the exact steps or rules in the personal data security process. 19 In comparison to other countries that already have special rules governing personal data protection, Indonesia lags. Since 2010, Malaysia has had a Personal Data Protection Act. It has been in Singapore and the Philippines since 2012. Thailand, another Southeast Asian country, recently announced the passage of a Personal Data Protection Act. 20 As a result, special rules for personal data protection must be enacted quickly, and the existence of an independent supervisory authority will later maximize protection and law enforcement against misuse of personal data on social media or other types of platforms. 21

Legal Protection Of Personal Data Of Social Media Users
Social media has a positive impact on social life, one of which is as a tool to provide convenience in communicating and interacting between users without having to face to face, which is not limited by space and time. The rapid development of social media in the current era is marked by the emergence of various social media such as Facebook, Twitter, Instagram, Line, and other social media applications. Amid the widespread use of social media, user information on social media can be easily obtained, including user personal data information and other privacy matters. This, of course, can trigger a loophole for the misuse of personal data. Misuse of personal data becomes an effortless thing to happen, namely if the owner of personal data feels that other parties use the personal data listed or included in his social media without his permission for purposes that are considered disturbing, self-benefiting, endangering, or threatening others, which will undoubtedly provide loss to data owners. 22 Personal data protection is specifically about how the law protects how personal data is collected, registered, stored, exploited, and disseminated. Data can be said to be personal data if the data can be used to identify or identify a person. Jerry Kang argues that personal data is used to describe information closely related to someone who can distinguish the characteristics of each individual. 23 Personal data is defined as any actual and accurate personal data attached and identifiable to the person, according to Article 1 of the Regulation of the Minister of Communication and Information Technology Number 20 of 2016 concerning Protection of Personal Data in Electronic Systems, so personal data must be stored, cared for, and kept accurate and confidential. As a result, personal data must be safeguarded. 24 As a state of law, the Republic of Indonesia must protect the rights of its citizens. These rights are part of human rights guaranteed in the 1945 Constitution as stated in Article 28D paragraph (1) which states that: "Everyone has the right to recognition of guarantees, protection and fair legal certainty and equal treatment before the law." Personal data protection is a type of privacy protection directly mandated by the Republic of Indonesia's Constitution, which includes respect for human rights values and individual rights, so a legal basis is required to provide more security for privacy and personal data. 25 To address the issue of personal data security and protection, the government passed Law No. 19 of 2016 amending Law No. 11 of 2008 on Information and Electronic Transactions (UU ITE). However, due to the rapid advancement of technology, these provisions are currently deemed insufficient to address legal issues, particularly the protection of personal data on social media platforms. 26 The government has drafted a regulation to protect personal data, as stated in the Personal Data Protection Bill, but the bill has yet to be ratified. This bill should be included in the government's priority list because legal issues regarding the misuse of personal data are becoming more prevalent, as is the need for personal data protection itself, given that personal data is part of privacy, which is a human right of every individual. Misuse of personal data harms the data owner. Personal data has a confidential nature that should be kept confidential. Following this, legislation governing the legal protection of personal data in Indonesia comprises several laws that do not stand alone. At least 30 laws and regulations at various levels govern personal data protection and are sectoral, governing only their domain. 27 The legal protection of personal data and the extent to which the use of personal data can be carried out is still unclear. Therefore, the Personal Data Protection Bill that has been drafted, according to the author, has covered essential aspects as a cover for gaps in the ITE Law and other regulations on protecting personal data. As contained in the preamble to the Personal Data Protection Bill, the regulation of personal data is currently contained in several laws and regulations. To improve the effectiveness of personal data protection implementation, personal data protection must be legally regulated. 28 Furthermore, the PDP Bill states that community participation in raising public awareness of the importance of personal data protection can be accomplished through education, training, advocacy, technical guidance, and/or socialization. 29 As a result, awareness of personal data protection can be felt and carried out by all parties, not just the government as a policymaker.
One of the most important aspects that must be prioritized in every policy formulation is the security and confidentiality of personal data. It is clear that there is a need for protection and the establishment of a firm and comprehensive law governing the use of personal data in order for its development and utilization to proceed smoothly. 30 Clear and comprehensive laws are urgently needed to establish definite steps in using and protecting personal data. As Thomas Hobbes argues, the rights and freedoms of the people have been handed over to the Primus inter ruling pares as a form of the social contract, and the government, as the party making policy, must pay more attention to this matter. 31 The laws and regulations currently available in Indonesia regarding personal data protection have not comprehensively provided sufficient protection for personal data. By paying attention to international developments in personal data regulation, both those carried out by many countries around the world and those carried out by international organizations, the Personal Data Protection Bill, which has been completed and formed, needs to be ratified immediately because it will provide more certainty and protection law to regulate and protect personal data as a human right of every citizen. 32 In order to provide legal protection to all victims, law enforcement must be carried out correctly. Furthermore, the laws that govern must be comprehensively and explicitly regulated to provide legal certainty to protect personal data, such as how personal data may be collected, stored, and used by third parties, as well as the exact steps or rules in the personal data security process. This Personal Data Protection Regulation will also help create order and progress in the information society.

C. Conclusion
Establishing an independent authority institution is one of the most important things to do, as an independent supervisory authority will later maximize protection and law enforcement against misuse of personal data on social media or other platforms. It is critical to provide legal protection and legal protection to all victims. When special rules are required that are regulated comprehensively and precisely to provide legal certainty to protect personal data, the existence of an independent authorized agency and the laws that regulate it cannot be separated.
It is well understood that the widespread misuse of personal data requires the support of the rule of law and the agency overseeing it. The country's constitution established a framework for developing regulations to protect the personal data of mass media users, which was realized with the passage of Law the Personal Data Protection Bill, which has been completed and formed, so this bill must be ratified immediately because it will provide more certainty and legal protection to regulate and protect personal data as a human right of every citizen.