Author: Fitri Astari Asril
Indonesia enacted the Personal Data Protection Law (PDP Law) in October 2022 in response to a rising number of personal data breaches. The lack of a robust legal framework had previously prevented the Indonesian government from addressing these breaches effectively and imposing measures to safeguard personal data. This new legislation represents a substantial advancement in fortifying the protection of private information for Indonesian citizens and supporting the investment environment in the country.
In the context of the PDP Law, personal data, as defined in Article 1, point 1, pertains to data regarding individuals who are identified or can be identified separately or in combination with other information, either directly or indirectly through an electronic or non-electronic system. Furthermore, Article 4 (3) of the PDP Law expounds that publicly classified personal data encompasses full names, gender, nationality, religion, marital status, and/or personal data combined for the purpose of individual identification. As a result, any methods or processes capable of establishing or disclosing information that aids in identifying an individual fall within the scope of this classification.
Closed-Circuit Television (CCTV) regularly records not just objects but also images of people. It serves as a tool that can confirm the identities of individuals, primarily through visual means, either directly or indirectly. CCTV is a widely adopted technology across various domains, including public, private, social, and professional settings. Presently, CCTV systems are nearly ubiquitous: they are commonly encountered in public spaces, educational institutions, offices, and even residential settings. This prevalence is intended to enhance environmental security, safeguard against potential hazards, and facilitate the evidentiary process in the event of incidents.
CCTV falls under the purview of the definitions pertaining to electronic information and documents, as delineated in Article 1, point 1, and Article 4 of the ITE Law[1]. It is deemed an admissible piece of evidence, and consequently, within the framework of criminal procedural law, it can be utilized as evidence throughout the investigative, prosecutorial, and adjudicatory phases, as stipulated in Article 5, paragraphs (1) and (2), as well as Article 44 of the ITE Law. This was also upheld by the Constitutional Court Decision Number 20/PUU-XIV/2016, decided on September 7, 2016.
However, even though CCTV is installed for security and as evidence, it can create a false sense of security and invade people’s privacy. This raises concerns about privacy and potential issues with how these surveillance systems work and the biases they can introduce. It is important to understand how Indonesian laws deal with CCTV and the protection of personal data.
The realm of PDP Law and CCTV
Prior to the enactment of the PDP Law, provisions pertaining to CCTV could be discerned by referencing Article 26 (1) of the ITE Law, which stipulates: “Unless provided otherwise by Rules, use of any information through electronic media that involves personal data of a Person must be made with the consent of the Person concerned.” Hence, it can be argued that data processing is consent-based. Nonetheless, challenges arise when consent must be solicited from every individual as to whether the installed CCTV may lawfully record them. Alternatively, one might say that “individuals who are disinclined to be captured on CCTV might consider refraining from visiting locations where CCTV installations are in place.” This inference underscores the absence of a genuinely voluntary choice, thus signifying an unresolved problem in situations where processing is subject to consent.
After the PDP Law was enacted, regulations concerning CCTV, also referred to as video surveillance, became more explicit; they apply to various scenarios and no longer focus only on consent-based principles. These regulations are outlined in Article 17 of the PDP Law, which states:
- (1) Installation of a visual data processor or processing device in public places and/or in public service facilities shall be carried out with the following provisions:
  - a. for the purpose of security, disaster prevention, and/or traffic management or collection, analysis, and regulations of traffic information;
  - b. must display Information in areas where a visual data processor or processing device has been installed; and
  - c. not used to identify a person.
- (2) The provisions as referred to in paragraph (1) letter b and letter c are excluded for the prevention of crimes and law enforcement processes in accordance with provisions of laws and regulations.
In light of a genuine and hazardous situation, safeguarding property against burglary, theft, or vandalism can indeed constitute a legitimate interest for video surveillance (i.e. CCTV). The regulations governing the processing of personal data are set out in Article 20(2) of the PDP Law, which enumerates six fundamental grounds for the processing of personal data[2]. Taking this into account, Article 20(2)(f) of the Personal Data Protection Law (UU PDP) has been designed to regulate such scenarios, stipulating that: “The basis for processing Personal Data as referred to in paragraph (1) includes (f) the fulfillment of other legitimate interests, taking into account the purposes, needs, and balance of the interests of the Personal Data Controller and the rights of the Personal Data Subject.” This provision essentially allows the controller of personal data to engage in data processing and the installation of CCTV systems based on their legitimate interests.
The PDP Law, much like the General Data Protection Regulation (GDPR) of the European Union, establishes fundamental principles governing data processing within its framework. These principles are articulated in Article 16(2) of the PDP Law[3]. They form the core philosophy underpinning all data processing activities and necessitate that data processing strictly adheres to these principles. From the author’s perspective, the processing and installation of CCTV are acceptable as long as these are conducted in accordance with the PDP Law, i.e. Article 17, and, looking deeper, Article 16(2) regarding the principles of processing. In this case, these principles of processing should include, at the very least:
- Limited and Specific, lawful, and Transparent (Art. 16 (2) letter a): This entails that the installation of CCTV and the processing of data obtained from it must comply with Article 17 of the PDP Law. Transparency is vital, signifying that data subjects are informed of the presence of CCTV for recording purposes.
- Purpose limitation (Art. 16 (2) letter b): The installation of CCTV must conform to its designated purpose and be rooted in legitimate interests, as stipulated in Article 20(2) of the PDP Law. Installation is prohibited if it is not employed for activities related to security purposes and other purposes detailed in Article 17(1)(a) of the PDP Law, for example to monitor someone’s behavior or movements.
- Data Retention (Art. 16 (2) letter g): Pertaining to data retention, it is imperative to maintain the balance of the genuine interests of personal data, acquired not by consent but through retention. This implies that there must be limitations on the storage of data processed from CCTV, for example, with a maximum retention period of, say, 7 days before the data is erased.
- Integrity and confidentiality (Art. 16 (2) letter h): This principle is designed to prevent misuse of data processing, particularly when it falls into the wrong hands, or the results of CCTV recordings are manipulated.
Data subjects, who possess autonomy over their personal data, undeniably hold fundamental rights regarding how it is processed. Thus, a data subject can raise objections to the presence of CCTV, which, by recording them and processing their data (which potentially leads to their direct or indirect identification), makes automated decisions, including profiling, that have legal consequences or significant impacts on the personal data subject, as outlined in Article 10(1) of the PDP Law.
The Requirements for Installing CCTV under PDP Law
In alignment with Article 17(1)(b), it is imperative that the installation of CCTV should conspicuously display information confirming the presence of CCTV monitoring the location in question. For instance, putting up stickers bearing the inscription “CCTV in operation” serves the purpose of informing data subjects about the potential processing of their personal data by the data controller. Moreover, to strike a balance regarding personal data processing based on legitimate interests, it is crucial to establish a specific timeframe for data retention. For instance, the data from the CCTV storage should only be accessible for a maximum of 7 days, after which a system reset is necessary.
In the context of installing CCTV cameras in a house to record outdoor spaces, the need for a review becomes evident, especially when the CCTV coverage extends to public areas such as streets or neighboring properties. This highlights the requirement for a more comprehensive assessment.
The lack of a precise definition for a public place in Article 17(1) of the PDP Law leads to uncertainty. For instance, if a CCTV system affixed to a residential property’s wall records individuals on a public road or within a residential street, the question arises: should it be classified as operating in a public space? It is important to note that this law unequivocally does not cover the processing of personal data by individuals for personal or household purposes, as defined in Article 1, paragraph (2) of the PDP Law. Therefore, the use of CCTV within a household setting falls outside the scope of the UU PDP. However, the author’s interpretation suggests that a CCTV, regardless of its location within a private residence, falls under the PDP Law’s scope if it records information that can identify individuals in a public area, such as a main road. This interpretation is based on the notion that the camera’s scope extends beyond the strictly private domain and aligns with the concept of legitimate interest. Nevertheless, this interpretation remains a subject of debate due to the absence of similar cases or court rulings in Indonesia on this matter.
Furthermore, in the context of installing CCTV cameras on the office’s premises, it is crucial to adhere to the reasons specified in Article 17(1)(a) (for instance, for office security) and align with the principles of data processing outlined in the PDP Law. An essential requirement is that the office must inform employees when CCTV recording is in effect within the office or a specific room. Therefore, it can be argued that installing CCTV for the purpose of monitoring employee performance may potentially contravene the provisions of Article 17 of the PDP Law.
Is CCTV Dummy Subject to UU PDP Law?
In essence, the PDP Law does not encompass fake cameras (commonly known as CCTV Dummy). This is primarily because such a device does not participate in processing or storing data. Consequently, fake cameras do not acquire data or possess the capacity to discern and identify individuals, as stipulated in Article 1, point 1 of the PDP Law.
Conclusion
In essence, this article underscores the importance of strict adherence to the provisions of the PDP Law in the context of CCTV installation and management. The PDP Law not only aims to safeguard individuals’ privacy but also establishes a higher standard for the use of surveillance technologies like CCTV. The Indonesian PDP Law, notably in Article 17, provides specific guidance on CCTV systems, emphasizing strict adherence to foundational principles and data processing standards. The installation of CCTV systems is, as a fundamental principle, allowed only under well-defined circumstances and for specific, justifiable reasons, one of which is maintaining security. From the author’s perspective, the legal basis for CCTV data processing has shifted from the ITE Law, which was consent-based, to the PDP Law’s focus on the legitimate interests of data controllers. Furthermore, a crucial requirement that deserves attention is the obligation for data controllers to inform individuals when a specific area is under CCTV surveillance. This obligation plays a pivotal role in balancing the rights of data controllers and data subjects.
Reference
- See Article 1 point 1 of ITE Law: Video surveillance, often known as Closed-Circuit Television (CCTV), serves as a tool that can confirm the identities of individuals, primarily through visual means, either directly or indirectly.
- See Article 20 para. 2 of the PDP Law: The basis for Personal Data processing as referred to in paragraph (1) shall include: a. an explicit valid consent from Personal Data Subjects for 1 (one) or several specific purposes that has been submitted by the Personal Data Controller to Personal Data Subjects; b. fulfilment of agreement obligations in the event that a Personal Data Subject is a party or to fulfil the request of the Personal Data Subject at the time of entering into the agreement; c. fulfilment of the legal obligations of the Personal Data Controller in accordance with provisions of laws and regulations; d. fulfilment of the protection of vital interests of the Personal Data Subject; e. carrying out duties in the context of public interest, public services, or exercising the authority of the Personal Data Controller based on laws and regulations; and/or f. fulfilment of other legitimate interests by taking into account the purposes, needs, and balance of interests of the Personal Data Controller and the rights of the Personal Data Subject.
- The Personal Data Processing principles as referred to in paragraph (1) shall be carried out in accordance with the Personal Data Protection principles including: a. Personal Data collection is limited and specific, legally valid, and transparent; b. Personal Data processing is carried out in accordance with its purpose; c. Personal Data processing is carried out by ensuring the rights of the Personal Data Subject; d. Personal Data processing is carried out in an accurate, complete, not misleading, up-to-date and accountable manner; e. Personal Data processing is carried out by protecting the security of Personal Data from an unauthorized access, unauthorized disclosure, unauthorized alteration, misuse, destruction, and/or loss of Personal Data; f. Personal Data processing is carried out by notifying the purpose and processing activities, as well as failure of Personal Data Protection; g. Personal Data shall be destroyed and/or deleted after the retention period ends or at the request of the Personal Data Subject, unless otherwise stipulated by laws and regulations; and h. Personal Data processing is carried out responsibly and can be clearly proven.