Digital footprints or more commonly known the official website of Honda Indonesia informs that as cookies on some sites, is a set of text that information regarding the digital footprint contained is stored on a person’s computer or device on that page will be shared with service providers, by a website that is visited by that person.1 A cookie can record information on sites that have been visited, items added to a digital shopping cart, or information that has been filled in into digital forms, such as names and passwords.2 Cookies also has function so that the ads shown to users are relevant and not displayed repetitively.3
Digital footprints can be useful for making users surf the Internet easier. However, users have little control over who collects this information or where it is sent. By design, users can delete digital footprints from their own browsers, but users will not be able to manage or delete the digital footprints in the third party’s servers that store and collect the data, for example the site administrator.4 For example, business transfers, affiliates, and business partners.5 However, the users do not obtain information in detail concerning the identity of the parties who receive the relevant digital footprint.
Indonesian laws and regulations do not provide a specific definition of digital footprints. The regulation most closely related to the digital footprints is Law Number 11 of 2008 concerning Electronic Information and Transactions as amended by Law Number 19 of 2016 (Law 11/2008) and its implementing regulation namely Government Regulation Number 71 of 2019 concerning The Organization of Electronic Systems and Transactions (GR 71/2019), namely the provisions regarding personal data.
Pursuant to Article 1 number 29 GR 71/2019, Personal Data is any data on a person, which is identified and/or may be identified individually or combined with other information both directly and indirectly through an electronic system and/or non-electronic system. Based on this provision, GR 71/2019 provides a very broad definition of Personal Data, which at a glance, may be interpreted to include digital footprints as part of Personal Data.
However, this interpretation must also consider the concept of the digital footprints itself. A digital footprint is a collection of traces of all digital data, including any and all files and accounts, whether stored locally on a device or online,6 originating from a device that is used to access the internet, regardless of who and how many people use the device, only 1 (one) profile will be formed after the digital footprint is processed. This is in principle different from personal data, which tends to be attached to a person.
Regardless of the difference, Law 11/2008 regulates that unless determined otherwise by laws and regulations, the use of any information through electronic media, which is related to Personal Data of a person shall be conducted with the consent from the person concerned.7 GR 71/2019 also regulates that Electronic System Providers8 must implement the principle of Personal Data protection in processing Personal Data, including but not limited to collection of Personal Data and must be conducted in a limited and specific manner, legally valid, fair, with the consent and agreement of the Personal Data owner.9 Further, the Electronic System Provider must provide information to the user concerning a privacy and/or protection of Personal Data guarantee.10
The existing provisions seem to focus on notification and users’ consent for the management of the digital data, but there is no
clear provision regarding the prohibition on the collection of certain Personal Data and further, no provision regarding the monetization of digital footprints. By considering the very broad definition of Personal Data and also the current business developments, there will potentially vast amount of users’ personal information that can be collected, monetized, and potentially misused.
Law 11/2008 has given rights for every person who considers his privacy rights are violated,11 or suffer loss in relation of organizations of electronic system and/or uses information technology12 to file a lawsuit. However, this provision will be very difficult to implement in practice because there is a tendency that users are not aware of what digital footprints are left, especially passive digital footprints, and by whom the digital footprints are used to cause loss.
In the end, a specific provision is needed in the laws and regulations regarding how to collect, process, limit, and prohibit the use of personal digital data in general and digital footprints in particular. It is not sufficient to only regulate the legal remedies in the event of misuse of digital footprints, but it is necessary to make a prohibition and provide preventive provision so that the protection of digital footprints and personal rights of each person can be safeguarded and its use carried out optimally for the stated purpose of allowing the user a better surfing experience online. DRP/SCN
provides, manages, and/or operates Electronic System individually or jointly to Electronic System User for their own purposes and/or for other