Indonesia: Code of Ethics on Personal Data Protection in the Fintech Sector
04 February 2022

Indonesia's fast-growing financial technology (“Fintech”) industry has contributed positively to national economic growth by opening wider access to financial services for society. However, the industry has also created noteworthy problems for personal data protection. Reports of fintech providers making excessive use of users’ personal data, such as contact numbers, locations, and even photo galleries, in intimidating and unethical debt collection are common in Indonesia.


Responding to the problem, the Financial Services Authority (Otoritas Jasa Keuangan, “OJK”) has officially appointed the Indonesian Fintech Association (“AFTECH”) as the Association for Digital Financial Innovation Providers, with one of its important tasks being to develop a code of ethics for fintech operations. AFTECH recently launched the Code of Ethics on Personal Data Protection and Data Confidentiality in the Financial Technology Sector (“Code of Ethics”). This article highlights a selection of key provisions of the Code of Ethics.


The Key Principle


The Code of Ethics sets customers’ consent as its cornerstone: all Fintech companies must obtain the data subject's consent before processing their personal data. In addition, the request for consent must be accompanied by terms of use written in clear and plain language, so that the data subject can understand the purpose of the data processing. Nevertheless, AFTECH has also foreseen the processing of personal data without consent on the basis of legitimate interest, a principle which will also be introduced as a standalone basis for processing data in the upcoming data protection law, the bill for which is still being discussed in the House of Representatives.


Another interesting item is the introduction of the data minimisation principle. Until now, Fintech companies’ practice of collecting vast quantities of users’ personal data has put data subjects at risk, especially given the common occurrence of data breaches and other instances of unauthorised data access. By embracing the data minimisation principle, the Code of Ethics intends to put a brake on this practice, obligating fintech companies to keep data collection measurable, relevant to its purpose, and limited to an adequate quantity. In the long run, this is expected to change the practice of excessive data collection and reduce the risk faced by data subjects.


The effort to put data subject protection first does not end there. The Code of Ethics covers many other issues as well, including data retention. When users’ personal data is no longer relevant for use, fintech companies must delete or destroy that data. In addition, the Code of Ethics mandates that fintech companies, as data controllers, conduct periodic reviews of personal data that is no longer needed and erase it, while still taking into account the mandatory retention periods regulated by law.


Addressing Technology Risks


The Code of Ethics also tries to address common issues surrounding the fintech sector. Although it is widely accepted that the fintech ecosystem is built on automation to minimize human error, the Code of Ethics takes the view that ‘human intervention’ should not be left out of the process, especially for assessment-based products, such as credit scoring, that are built using users’ personal data. Because such products can significantly affect a person’s life, the Code of Ethics obliges fintech companies to have a mechanism through which data subjects can submit objections to decisions made by a fully automated system.


To minimize the risks and vulnerabilities affecting users’ data, the Code of Ethics encourages fintech companies to apply data protection principles from the earliest stage of developing their digital platforms. One example given is restricting access to users’ devices. We believe this aspect is especially important, considering that many fintech companies have been requesting and collecting access to their users’ devices that is irrelevant to the service, putting users’ devices and data at risk. Limiting this access will almost certainly and significantly reduce both the risk and the amount of data that can be compromised by cybersecurity threats.


Gaining Trust


Considering fintech’s value for national economic growth, it is important to build people's trust and confidence in using the system and technology. The emphasis on various key principles, such as data minimisation, is already a major step towards improving the data protection environment in the fintech sector. That, coupled with the transparency principle and the requirement for fintech companies to accurately record their data processing activities, will certainly help to shift the bad reputation the fintech industry has on data protection issues and gain more trust from fintech users.


Another aspect which will boost trust is confidentiality and security. The lack of effort shown so far by many fintech companies to protect users’ data has left many users paying little attention to the risk to the personal data they provide to fintech companies in return for their services. However, if the Code of Ethics can push fintech companies to take security and confidentiality seriously, we can certainly expect an improvement in the fintech industry’s data protection performance, which in turn will garner further public trust in the industry. While it has yet to be seen how fintech companies will implement these principles in the long term, the introduction of these principles alone will see AFTECH gain more confidence from the public.


Nevertheless, AFTECH’s effort to put forward the Code of Ethics is a sign of how concerned the industry is with personal data protection and data confidentiality issues in the fintech sector. If the Code of Ethics is implemented and supervised well, the fintech industry can certainly benefit from the confidence garnered from the public and receive the respect it deserves.

