As the digital economy is growing in Indonesia at an exponential rate, there is a need to come up with a novel approach to regulating the activities and transactions happening in this space. This is especially true in the sphere of personal data protection, where massive amounts of personal data are collected, processed, and stored by various entities for various purposes. It is difficult for regulators to supervise all activities and ensure compliance with best practices within digital platforms, both in the public and private sector. A co-regulatory approach becomes a potential solution to this issue.
A co-regulatory approach in personal data protection can complement enforcement of professional and technical sector-specific standards, focus on preventative measures, and engage non-state actors in enforcement mechanisms. Unique to Indonesia, especially in financial services, industry associations have been serving in the role of “self-regulatory- organizations” that complement the supervision of regulated entities. Recently there have been precedents to expand this into digital finance, including in the event of personal data protection violations. This model can be adopted for digital platforms in the general ICT sector. Taking the opportunity of the upcoming Personal Data Protection (PDP) bill that, according to Article 55 of the Bill, would enable industry associations to implement co-regulatory activities, industry associations can develop their own sector-specific technical standards in personal data governance and can also enforce these standards through “peer enforcements”. The Government, on the other hand, will still impose regulatory oversight to ensure that these industry initiatives are implemented fairly and in line with market competition principles. Another potential avenue for co-regulation is to empower the profession of Data Protection Officer (DPO), which based on the experience in other jurisdictions, can set professional community standards for best practices in personal data protection.