Article Sidebar

Submitted
December 4, 2023
Accepted
February 1, 2024
Published
February 25, 2024
Download
PDF
Statistic
Read Counter : 90 Download : 19

Main Article Content

Abstract

Information technology and its relationship with data protection is a crucial area that needs to be addressed, especially for data flows among different countries. In the majority of jurisdictions, international data transfers are restricted unless specific requirements stipulated by data protection laws are met. However, in the European Union (EU) and the United Kingdom (UK) there are three exceptions, adequacy, appropriate safeguards, and derogations. This paper conducts a comparative legal analysis of the regulations governing the cross-border transfer of personal data in the EU, UK, and Indonesia. The research method is normative, while the approaches employed are statutory and conceptual with an analytical and descriptive research design. The study focuses on the legal framework and the various mechanisms to protect personal data during transborder flows. The research identified both commonalities and disparities in data protection regulations in Indonesia, the EU, and the UK. Notably, differences appeared in the application of appropriate safeguards and the use of criminal sanctions in Indonesia. Finally, the study concludes by providing recommendations for future developments in the legal frameworks for cross-border data transfer in the EU, UK, and Indonesia.
Keywords: Adequacy decision, Cross-border data transfer, Derogations, Personal Data Protection Law.


Melindungi Data Pribadi Kita yang Paling Berharga: Perbandingan Hukum Aliran Data Lintas Batas Di Uni Eropa, Inggris, dan Indonesia


Abstrak
Teknologi informasi dan hubungannya dengan perlindungan data merupakan bidang penting yang perlu ditangani, terutama untuk aliran data antar negara. Di sebagian besar yurisdiksi, transfer data internasional dibatasi kecuali persyaratan khusus yang ditetapkan oleh undang-undang perlindungan data dipenuhi. Namun, di Uni Eropa (UE) dan Inggris (UK) terdapat tiga pengecualian, yaitu kecukupan, pengamanan yang sesuai, dan pengurangan. Tulisan ini melakukan analisis hukum komparatif terhadap peraturan yang mengatur transfer data pribadi lintas batas negara di UE, Inggris, dan Indonesia. Metode penelitian yang digunakan adalah normatif, sedangkan pendekatan yang digunakan bersifat perundang-undangan dan konseptual dengan desain penelitian analitis dan deskriptif. Studi ini berfokus pada kerangka hukum dan berbagai mekanisme untuk melindungi data pribadi selama arus lintas batas. Penelitian ini mengidentifikasi kesamaan dan kesenjangan dalam peraturan perlindungan data di Indonesia, UE, dan Inggris. Perbedaan yang terlihat jelas adalah penerapan safeguards yang tepat dan penggunaan sanksi pidana di Indonesia. Terakhir, studi ini menyimpulkan dengan memberikan rekomendasi untuk perkembangan masa depan dalam kerangka hukum transfer data lintas batas di UE, Inggris, dan Indonesia.
Kata Kunci: Keputusan kecukupan, Transfer data lintas batas, Derogasi, Undang-Undang Perlindungan Data Pribadi.

Keywords

Adequacy decision Cross-border data transfer Derogations Personal Data Protection Law

Article Details

Creative Commons License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

How to Cite
Budi Agus Riswandi, & Alif Muhammad Gultom. (2024). Protecting Our Mosts Valuable Personal Data: A Comparison Of Transborder Data Flow Laws In The European Union, United Kingdom, And Indonesia. Prophetic Law Review, 5(2), 179–206. https://doi.org/10.20885/PLR.vol5.iss2.art3
Download Citation
Endnote/Zotero/Mendeley (RIS)
BibTeX
Crossref
Scopus
Google Scholar
Europe PMC

References

  1. Indonesia Law No. 11 of 2008 on Information and Electronic Transactions.

  2. Regulation (EU) 2016/679 Of the European Parliament and of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1 24.05.2016.

  3. United Kingdom Data Protection Act (2018). 

  4. Indonesia Law No. 27 of 2022 on Personal Data Protection. 

  5. ALLEA (European Federation of Academies of Sciences and Humanities), FEAM (Federation of European Academies of Medicine), and EASAC (European Academies’ Science Advisory Council). International Sharing of Personal Health Data for Research. DE: ALLEA, 2021. https://doi.org/10.26356/IHDT.

  6. Bennett, Colin J., and Charles D. Raab. The Governance of Privacy: Policy Instruments in Global Perspective. 2nd and updated ed. ed. Cambridge, Mass: MIT Press, 2006.

  7. Bygrave, Lee A. Data Privacy Law: An International Perspective. 1st ed. Oxford, United Kingdom: Oxford University Press, 2014. https://academic.oup.com/idpl/article-abstract/5/1/88/622973.

  8. Dumortier, Jos, Pieter Gryffroy, Ruben Roex, and Yung Shin van der Sype. European Privacy and Data Protection Law. Alphen aan den Rijn: Wolters Kluwer, 2022.

  9. European Data Protection Board. Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 Adopted on 25 May 2018. EDPB, 2018. https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf.

  10. European Union Agency for Fundamental Rights., Council of Europe (Strasbourg)., European Court of Human Rights., and European Data Protection Supervisor. Handbook on European Data Protection Law: 2018 Edition. LU: Publications Office, 2018. https://data.europa.eu/doi/10.2811/343461.

  11. Greenleaf, G. W. Asian Data Privacy Laws: Trade and Human Rights Perspectives. 1st ed. Oxford, United Kingdom ; New York, NY: Oxford University Press, 2014.

  12. Hijmans, Hielke. The European Union as Guardian of Internet Privacy: The Story of Art 16 TFEU. 1st ed. 2016. Issues in Privacy and Data Protection 31. Cham: Springer International Publishing : Imprint: Springer, 2016. https://doi.org/10.1007/978-3-319-34090-6.

  13. Karo Karo, Rizky P.P., and Teguh Prasetyo. Pengaturan Perlindungan Data Pribadi di Indonesia: Perspektif Teori Keadilan Bermartabat. Bandung: Nusa Media, 2020.

  14. Kuner, Christopher, Lee A Bygrave, Christopher Docksey, and Laura Drechsler, eds. The EU General Data Protection Regulation (GDPR): A Commentary. Oxford University PressNew York, 2020. https://doi.org/10.1093/oso/9780198826491.001.0001.

  15. Lloyd, Ian J. Information Technology Law. 9th ed. Oxford: Oxford University Press, 2020.

  16. Mcgeveran, William. Privacy and Data Protection Law. 2nd ed. University Casebook Series. St. Paul: Foundation Press, 2023.

  17. Millard, Christopher J. Legal Protection of Computer Programs and Data. Toronto : London: Carswell Co. ; Sweet & Maxwell, 1985.

  18. Rücker, Daniel, and Tobias Kugler. New European General Data Protection Regulation, a Practitioner’s Guide: Ensuring Compliant Corporate Practice. München Oxford Baden-Baden: C.H. Beck Hart publishing Nomos, 2018.

  19. Taylor, Mark. Genetic Data and the Law: A Critical Perspective on Privacy Protection. 1st ed. Cambridge University Press, 2012. https://doi.org/10.1017/CBO9780511910128.

  20. Ustaran, Eduardo, ed. European Data Protection: Law and Practice. Portsmouth, NH: an IAPP Publication, International Association of Privacy Professionals, 2018.

  21. Voigt, Paul, and Axel Von Dem Bussche. The EU General Data Protection Regulation (GDPR). Cham: Springer International Publishing, 2017. https://doi.org/10.1007/978-3-319-57959-7.

  22. Araújo, Alexandra Maria Rodrigues. “The Right to Data Protection and the Commissions’ Adequacy Decision.” UNIO – EU Law Journal 1 (July 1, 2015): 77–93. https://doi.org/10.21814/unio.1.6.

  23. Birch, Kean, Dt Cochrane, and Callum Ward. “Data as Asset? The Measurement, Governance, and Valuation of Digital Personal Data by Big Tech.” Big Data & Society 8, no. 1 (January 2021): 1–15. https://doi.org/10.1177/20539517211017308.

  24. Casalini, Francesca, and Javier López González. “Trade and Cross-Border Data Flows.” OECD Trade Policy Papers, OECD Trade Policy Papers, 279, no. 220 (January 23, 2019): 40. https://doi.org/10.1787/b2023a47-en.

  25. Celeste, Edoardo. “Cross-Border Data Protection After Brexit.” SSRN Electronic Journal, no. 4 (2021). https://doi.org/10.2139/ssrn.3784811.

  26. Daigle, Brian, and Mahnaz Khan. “The EU General Data Protection Regulation: An Analysis of Enforcement Trends by EU Data Protection Authorities.” Journal of International Commerce and Economics, June 2020, 38. https://www.usitc.gov/publications/332/journals/jice_gdpr_enforcement.pdf.

  27. Geradin, Damien, Dimitrios Katsifis, and Theano Karanikioti. “GDPR Myopia: How a Well-Intended Regulation Ended up Favoring Google in Ad Tech.” SSRN Electronic Journal, 2020, 40. https://doi.org/10.2139/ssrn.3598130.

  28. Hoofnagle, Chris Jay, Bart Van Der Sloot, and Frederik Zuiderveen Borgesius. “The European Union General Data Protection Regulation: What It Is and What It Means.” Information & Communications Technology Law 28, no. 1 (January 2, 2019): 65–98. https://doi.org/10.1080/13600834.2019.1573501.

  29. Jiménez-Gómez, Briseida Sofía. “Cross-Border Data Transfers Between the EU and the U.S.: A Transatlantic Dispute.” Santa Clara Journal of International Law, 1, 19, no. 2 (May 1, 2021): 45. https://digitalcommons.law.scu.edu/scujil/vol19/iss2/1.

  30. Lintvedt, Mona Naomi. “Putting a Price on Data Protection Infringement.” International Data Privacy Law 12, no. 1 (March 18, 2022): 1–15. https://doi.org/10.1093/idpl/ipab024.

  31. Newlands, Gemma, Christoph Lutz, Aurelia Tamò-Larrieux, Eduard Fosch Villaronga, Rehana Harasgama, and Gil Scheitlin. “Innovation under Pressure: Implications for Data Privacy during the Covid-19 Pandemic.” Big Data & Society 7, no. 2 (July 2020): 14. https://doi.org/10.1177/2053951720976680.

  32. Park, Jihyun and Heriyanto, Dodik Setiawan Nur. “In favor of an Immigration Data Protection Law in Indonesia and Its Utilization for Contract Tracing”. Prophetic Law Review 4, no. 1 (2022). https://doi.org/10.20885/PLR.vol4.iss1.art1.

  33. Stoilova, Veronika. “Regulation of International Data Transfers under EU Data Protection Law.” CES Working Papers 13, no. 1 (2021): 16. https://ceswp.uaic.ro/articles/CESWP2021_XIII1_STO.pdf.

  34. Sun, Yunchuan, Junsheng Zhang, Yongping Xiong, and Guangyu Zhu. “Data Security and Privacy in Cloud Computing.” International Journal of Distributed Sensor Networks 10, no. 7 (July 1, 2014). https://doi.org/10.1155/2014/190903.

  35. Vrbljanac, Danijela. “Personal Data Transfer to Third Countries – Disrupting the Even Flow?” Athens Journal of Law 4, no. 4 (September 30, 2018): 337–58. https://doi.org/10.30958/ajl.4-4-4.

  36. Wolff, Josephine, and Nicole Atallah. “Early GDPR Penalties: Analysis of Implementation and Fines Through May 2020.” Journal of Information Policy 11 (December 1, 2021): 63–103. https://doi.org/10.5325/jinfopoli.11.2021.0063.

  37. Yakovleva, Svetlana. “Personal Data Transfers in International Trade and EU Law: A Tale of Two ‘Necessities.’” The Journal of World Investment & Trade 21, no. 6 (September 11, 2020): 881–919. https://doi.org/10.1163/22119000-12340189.

  38. Yuniarti, Siti. “PROTECTION OF INDONESIA’S PERSONAL DATA AFTER RATIFICATION OF PERSONAL DATA PROTECTION ACT.” Progressive Law Review 4, no. 02 (November 23, 2022): 54–68. https://doi.org/10.36448/plr.v4i02.85.

  39. ALLEA. “Sharing Matters: Why International Data Transfer Is Crucial For Health Research.” ALLEA (European Federation of Academies of Sciences and Humanities) (blog), April 26, 2021. https://allea.org/sharing-matters-why-international-data-transfer-is-crucial-for-health-research/.

  40. Baig, Anas. “What To Know About The Russian Federal Law No. 152-FZ.” securiti.ai, August 5, 2023. https://securiti.ai/russian-federal-law-no-152-fz/.

  41. Chiavetta, Ryan. “UK Announces Independent Adequacy Decisions; Edwards Named ICO Top Candidate.” iapp.org, August 26, 2021. https://iapp.org/news/a/uk-announces-independent-adequacy-decisions-edwards-named-ico-top-candidate/.

  42. DA, Ady Thea. “Advokat Ini Ingatkan 3 Ketentuan Transfer Data Pribadi Ke Luar Negeri.” Hukumonline (blog), October 4, 2022. https://www.hukumonline.com/berita/a/advokat-ini-ingatkan-3-ketentuan-transfer-data-pribadi-ke-luar-negeri-lt633baec525388/.

  43. Deng, Jet Zhisong, and Ken Jianmin Dai. “China’s Restrictions on Cross-Border Transfer of Personal Information: An Update on Regulatory Policy and Practical Implications.” ibanet, February 17, 2023. https://www.ibanet.org/chinas-restrictions-on-cross-border-transfer-of-personal-information.

  44. Department for International Trade and The Rt Hon Anne-Marie Trevelyan MP. “Digital Trade Key to Unlocking Opportunities of the Future.” Press release. gov.uk, November 25, 2021. https://www.gov.uk/government/news/digital-trade-key-to-unlocking-opportunities-of-the-future.

  45. Dorwart, Hunter, Katerina Demetzo, Dominic Paulger, Josh Lee Kok Thong, Lee Matheson, and Isabella Perera. “INDONESIA’S PERSONAL DATA PROTECTION BILL: OVERVIEW, KEY TAKEAWAYS, AND CONTEXT Indonesia’s Personal Data Protection Bill: Overview, Key Takeaways, and Context.” Future of Privacy Forum (blog), October 19, 2022. https://fpf.org/blog/indonesias-personal-data-protection-bill-overview-key-takeaways-and-context/.

  46. General Data Protection Regulation (GDPR). “GDPR Third Countries.” gdpr-info.eu, n.d. https://gdpr-info.eu/issues/third-countries/.

  47. Global Data Alliance. “Cross-Border Data Transfers & Privacy.” globaldataalliance.org, May 2020. https://globaldataalliance.org/wp-content/uploads/2021/07/gdafactsandfigures.pdf.

  48. Hawkins, Andrew J. “Uber Admits Covering up Massive 2016 Data Breach in Settlement with US Prosecutors.” theverge.com, July 25, 2022. https://www.theverge.com/2022/7/25/23277161/uber-2016-data-breach-settlement-cover-up.

  49. Hubbard, Michael T. “Personal Data of U.S. Citizens Transferred Abroad Needs Protection.” natlawreview, July 30, 2019. https://www.natlawreview.com/article/personal-data-us-citizens-transferred-abroad-needs-protection.

  50. Information Commissioner’s Office. “Guide to the General Data Protection Regulation (GDPR).” ico.org.uk, October 14, 2022. https://ico.org.uk/media/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr-1-1.pdf.

  51. ———. “International Data Transfers.” ico.org.uk, n.d. https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/the-uk-gdpr/international-data-transfers/.

  52. Kakadia, Keith. “A Comprehensive List of Social Media Statistics for Journalists.” Sociallyin (blog), March 30, 2023. https://blog.sociallyin.com/social-media-statistics-for-journalists-by-sociallyin.

  53. Klosek, Jacqueline. “Indonesia: A Long-Awaited Privacy Measure Finally Becomes Law In Indonesia.” mondaq, November 16, 2022. https://www.mondaq.com/data-protection/1251262/a-long-awaited-privacy-measure-finally-becomes-law-in-indonesia.

  54. Kurth, Hunton Andrews. “ICO Confirms UK Firms May Rely on Public Interest Derogation for SEC Transfers.” natreview.com, January 29, 2021. https://www.natlawreview.com/article/ico-confirms-uk-firms-may-rely-public-interest-derogation-sec-transfers.

  55. Lord, Nate. “What Is the Data Protection Directive? The Predecessor to the GDPR.” digitalguardian.com, December 28, 2022. https://www.digitalguardian.com/blog/what-data-protection-directive-predecessor-gdpr.

  56. Pisa, Michael, Pam Dixon, and Ugonma Nwankwo. “Why Data Protection Matters for Development: The Case for Strengthening Inclusion and Regulatory Capacity.” Center for Global Development (blog), August 11, 202AD. https://www.cgdev.org/publication/why-data-protection-matters-development-case-strengthening-inclusion-and.

  57. Quixy Editorial Team. “80+ Eye-Opening Social Media Statistics for Every Channel.” Quixy.Com (blog), August 2023. https://quixy.com/blog/social-media-statistics-for-every-channel/.

  58. Sayce, David. “The Number of Tweets per Day in 2022.” Personal blog. Dsayce.Com (blog), 2022. https://www.dsayce.com/social-media/tweets-day/.

  59. Shvartsman, Daniel. “Facebook: The Leading Social Platform of Our Times.” investing.com, August 2023. https://www.investing.com/academy/statistics/facebook-meta-facts/.

  60. Thea DA, Ady. “Advokat Ini Ingatkan 3 Ketentuan Transfer Data Pribadi Ke Luar Negeri.” hukumonline, October 4, 2022. https://www.hukumonline.com/berita/a/advokat-ini-ingatkan-3-ketentuan-transfer-data-pribadi-ke-luar-negeri-lt633baec525388/.

  61. “UK Approach to International Data Transfers,” August 26, 2021. https://www.gov.uk/government/publications/uk-approach-to-international-data-transfers.

  62. UNCTAD. “Data Protection Regulations and International Data Flows: Implications for Trade and Development.” unctad.org, April 2016. https://unctad.org/publication/data-protection-regulations-and-international-data-flows-implications-trade-and.

  63. Wijaya, Glenn. “Residual Issues in Indonesia’s Forthcoming Personal Data Protection Law.” iapp.org, August 18, 2022. https://iapp.org/news/a/residual-issues-in-indonesias-forthcoming-personal-data-protection-law/.

  64. CJEU - C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems [2020] ECLI:EU:C:2020:559

  65. Dumortier, Jos, and Caroline Goemans. “Data Privacy and Standardization.” Discussion Paper presented at the CEN/ISSS Open Seminar on Data Protection, Brussels, March 23, 2000. https://www.law.kuleuven.be/citip/en/archive/copy_of_publications/90cen-paper2f90.pdf.