KAJIAN YURIDIS TERHADAP PERLINDUNGAN DATA PRIBADI DITINJAU DARI KONVENSI DEWAN EROPA NOMOR 108 TAHUN 1981 DAN PROTOKOL AMANDEMENNYA TAHUN 2018 SERTA IMPLEMENTASINYA DI INDONESIA

Abstract

Personal data breaches occurring at both national and international levels indicate a gap between data management practices and the need for effective protection. This phenomenon is reflected in the Equifax incident in the United States, which affected millions of consumers, as well as in cases involving Tokopedia, BPJS Kesehatan, and population data management in Indonesia, all of which demonstrate weaknesses in data supervision and security. From a regulatory perspective, the Council of Europe Convention No. 108 and its Amending Protocol establish international standards for personal data protection, while Law Number 27 of 2022 concerning Personal Data Protection provides the national legal framework for safeguarding the rights of data subjects. The research questions are formulated as follows: 1) How is personal data protection regulated under the Council of Europe Convention No. 108 and its Amending Protocol?; 2) How is personal data protection implemented in Indonesia?. This research employs a normative legal research method using secondary data consisting of primary, secondary, and tertiary legal materials. The data were collected through document study or library research and analyzed qualitatively. The results of the research show that: 1) the Council of Europe Convention No. 108 and its Amending Protocol regulate the principles of lawful and fair processing, data quality and proportionality, protection of sensitive data, the rights of data subjects to access and correct their data, restrictions on cross-border data transfers, and the obligation to establish an independent supervisory authority as an enforcement mechanism; 2) Indonesia has not ratified the Council of Europe Convention No. 108 and its Amending Protocol; however, through Law Number 27 of 2022, Indonesia has adopted the main principles of personal data protection contained in the convention, including lawful bases for data processing, the rights of data subjects, the obligations of data controllers and processors, as well as administrative and criminal sanctions, although its implementation still faces challenges related to the effectiveness of supervision and institutional readiness.