Indonesia Data Protection - Scraping and Consumer Data by Victoria Lorenzo
- 09 January 2024
- By Admin
Jakarta, January 2024 | Victoria
By now anyone following news in the data protection space has heard of Facebook’s personal data leak. In April 2021, Business Insider published a story reporting that the personal data of over 533 million Facebook users had been made publicly available. Meta later addressed the facts of the news report, stating that such data were obtained “not through hacking our systems but by scraping it from our platform […]”. On 2 July 2023, X (formerly Twitter) made headlines when Elon Musk announced on the platform that it would apply temporary limits on how many posts users can read per day to address “extreme levels of data scraping and system manipulation”. Recently, twelve data protection and privacy authorities worldwide published a joint statement calling for the protection of personal data from unlawful data scraping on social media.
What is scraping? Taken from Meta’s own description, scraping is the automated collection of data from a website or app and can be both authorised and unauthorised. In simple terms, think of the copy-paste function in bulk but without the manual labour. How would this relate to consumer data? Certain businesses utilise data-scraping tools to collect relevant data such as consumer behaviours and patterns for various commercial reasons. Moreover, it has the added benefit of obtaining data in real time. If the data collected are publicly accessible, and no terms of service or copyright laws were violated, scraping was an acceptable general business practice – until data protection laws were introduced. Scraping raises privacy concerns when the data scraped contains the personal information of individuals without their knowledge or reasonable expectation. It poses the question: is scraping (under Indonesian jurisdiction) to obtain consumer data justified?
European Union
For a brief comparison, we look to the legislation in the European Union (EU). In the EU, the General Data Protection Regulation (GDPR) does not explicitly address scraping. If viewed from the definition of “processing” (Article 4.2), and with the added description of “whether or not by automated means”, scraping may incidentally involve the processing of personal data. Thus, the GDPR rules on processing apply. This means the relevant entity must apply at least one of the six lawful bases for processing under the GDPR (Article 6): consent, contract with the data subject, compliance with a legal obligation, vital interest, public interest, or legitimate interest. In addition, it must be considered whether notification applies where personal data are collected from the data subject (Article 13) and where personal data have not been obtained from the data subject (Article 14), or whether exemptions (Article 14.5) may be relied upon. An important point to note is that the GDPR may apply to businesses in Indonesia if they scrape the personal data of EU citizens or residents (including those in the EEA).
Indonesia
In Indonesia, Law Number 27 of 2022 on Personal Data Protection (PDP Law) similarly does not address scraping or impose any explicit restrictions. However, unlike the GDPR, the PDP Law does not define processing. Instead, it adopts a list of activities (Article 16.1) from Government Regulation Number 71 of 2019 on the Implementation of Electronic Systems and Transactions that would constitute processing of personal data. Based on the list, scraping would fall under the activities of acquisition and collection (Article 16.1(a)) and storage (Article 16.1(c)); however, the law has yet to specify a mechanism to follow. The government regulation bill on the implementation of the PDP Law (Bill) regulates a mechanism for each processing activity, but it could be a while until we see the bill passed.
If indeed scraping is identified as processing, and where the data obtained are personal data (be it general (Article 4.3) or specific (Article 4.2)), the entity engaging in scraping, on its own or through a service provider (the ‘data controller’), must identify which of the lawful bases for processing (Article 20.2) applies. The PDP Law adopts the same six lawful bases from the GDPR but with consideration of the legal and societal characteristics of Indonesia. One of these considerations is the recognition of only explicit consent. In fact, the PDP Law has a provision that mandates all data controllers to provide proof of consent for all processing activities (Article 24). Because this provision makes no reference to Article 20 (the provision regulating the grounds for processing), it can be argued that all data controllers must have the explicit consent of the data subject regardless of the chosen lawful basis. This provision remains a grey area which should be addressed in the Bill. For the purpose of this article, this point is moot.
Consent as a ground for processing may not be favourable to justify scraping. Considering that scraping extracts data in large volumes and from a variety of sources, it is unlikely that data controllers have received the necessary consent. Data controllers may look to legitimate interest (Article 20.2(f)), as the other lawful bases involve a particular specified purpose, i.e., a contractual obligation, complying with a legal obligation, protecting vital interest, and/or performing a public duty. The PDP Law has not defined or elaborated on “legitimate interest” other than an emphasis on considering the purpose, necessity, and balance of interests of the data controller and the rights of the data subject. The conditions for legitimate interest provided in the Bill (Article 70) may serve as a useful guideline for the time being.
Data Protection Impact Assessment
If a data controller, by its own assessment or by a resolution of a regulatory body, considers scraping as likely to result in ‘high risk’, a Data Protection Impact Assessment (DPIA) (Article 34) may be required. For instance, the Information Commissioner’s Office in the UK published a list of processing operations that require a DPIA.
In conclusion, data controllers engaged in scraping activities to obtain consumer data, whether on their own or through a service provider, may be justified on the condition that they have a purpose and lawful basis for processing. These businesses should have already considered the privacy risks associated with scraping and, in doing so, strictly apply the key principles of data protection reiterated in the PDP Law, among others, to carry out processing in a limited and specific manner, lawfully and transparently.
Disclaimer
This opinion piece is not a substitute for professional legal advice. The opinions expressed in this publication are those of the author. They do not purport to reflect the opinions or views of ANSS.