Penal Provisions in the Personal Data Protection Law: A Comparative Legal Study between Indonesia and Singapore

This study aims to compare the penal provisions between the PDPA and Law Number 27 of 2022. This study uses normative legal research with the statute and comparative approaches. The collected legal material is then qualitatively analyzed to describe the problem and answer study purposes. The results show a striking difference between the PDPA and Law Number 27 of 2022 concerning penal provisions related to offenses of personal data protection. The PDPA portrays a more moderate approach by establishing relatively lighter imprisonment and fines. In contrast, Law Number 27 of 2022 illustrates a stricter approach with more severe imprisonment, fines, and additional punishments. Singapore leans towards prevention and education, while Indonesia places a high priority on law enforcement. Nonetheless, both approaches ultimately aim to protect their citizens’ personal data. Therefore, it is recommended that the relevant authorities in both Singapore and Indonesia continually evaluate and adapt their legal frameworks to safeguard personal data effectively. Singapore could consider stricter penalties to discourage offenses while maintaining its focus on education and prevention. On the other hand, while Indonesia’s commitment to law enforcement is commendable, it could also benefit from incorporating preventive measures and public education to promote understanding and voluntary compliance. Collaborative efforts between the two countries can facilitate continual enhancements in personal data protection within their respective jurisdictions.


INTRODUCTION
In this era of globalization and digitalization, information and communication technology has fundamentally transformed human life around the globe (Gumelar & Dinnur, 2020). Unrestricted by geographical boundaries, technology has facilitated interactions and transactions among individuals, legal entities, and between the two. Numerous sectors, from trade and education to health and government, have integrated this technology as a vital part of their operations. For instance, e-commerce has revolutionized shopping, providing easy access and quick transactions at our fingertips (Wibawa, 2016).
However, behind the conveniences offered, there lies a significant implication that requires careful attention: the issue of collection, disclosure, use, and falsification of personal data. In every online transaction or interaction, personal data becomes a valuable currency, yet users often remain unaware of how their data is collected, disclosed, used, and falsified. This condition undoubtedly invites a series of challenges and ethical dilemmas (Disemadi & Prasetyo, 2021).
Furthermore, personal data as privacy is essentially a fundamental human right recognized and guaranteed by various international laws (Mangold, 2023). The Universal Declaration of Human Rights (UDHR), the International Covenant on Civil and Political Rights (ICCPR), and the ASEAN Human Rights Declaration all underscore the importance of privacy protection. Although these international legal instruments provide a basic framework for personal data protection, their implementation varies in different countries, including Singapore and Indonesia.
Singapore has emerged as one of the Southeast Asian pioneers in personal data protection, having enacted the PDPA as early as 2012. This law regulates various aspects, from organizational obligations in collecting, using, and disclosing personal data to the individual's right to protect their personal information. The PDPA has undergone several amendments to ensure its regulations remain relevant to technological advancements and societal changes, with the most recent one occurring in 2020 (Rahman & Wicaksono, 2021).
Conversely, Indonesia only enacted its Personal Data Protection Act in 2022. Despite its recent inception, this law signifies an essential step in protecting its citizens' data. Law Number 27 of 2022 incorporates regulations covering data subject rights, the data controller and processor obligations, and criminal and administrative penalties for offences.
The penal provisions are intriguing to observe in both countries' laws. Strengthening the law through criminal punishment represents a significant effort in enforcing personal data protection, considering the potentially severe impacts on individuals and society if this right is violated (Hanifawati, 2021).
The PDPA regulates various penalties, including imprisonment and fines, for violating the rules on collecting, using, and disclosing personal data. Meanwhile, Law Number 27 of 2022 also contains penal provisions, although their context and application may differ from Singapore's. Under Law Number 27 of 2022, penalties are also imposed for offences of collecting, disclosing, using, and falsifying personal data.

METHOD
This study uses normative legal research methods with the statute and comparative approaches (Qamar & Rezah, 2020). The legal materials used in this study include legislation, legal books and scholarly articles, and online materials discussing personal data protection. The collection of these legal materials is done through a literature study technique. The collected legal material is then qualitatively analyzed to describe the problem and answer the study objectives (Sampara & Husen, 2016).

RESULTS AND DISCUSSION
Personal data is crucial in daily life, especially in today's digital era (Zainuddin & Salle, 2022). The existence and use of personal data underpin numerous online activities while also bringing about significant legal and ethical implications, particularly regarding the right to privacy as a human right (Begem et al., 2019). Recognized and regulated under various international laws, personal data protection as a part of privacy rights reflects a global acknowledgment of this crucial issue. In this case, Article 12 of the UDHR regulates that: "No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." Article 17 of the ICCPR regulates that: "No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." Article 21 of the ASEAN Human Rights Declaration regulates that: "Every person has the right to be free from arbitrary interference with his or her privacy, family, home or correspondence including personal data, or to attacks upon that person's honour and reputation. Every person has the right to the protection of the law against such interference or attacks."

These international legal provisions all encompass regulations on personal data protection as a human right to privacy (Damayanti & Priyono, 2022). Nationally, many countries, including Singapore and Indonesia, have incorporated personal data protection into their legislation (Setiawati et al., 2020). Both countries have enacted Personal Data Protection Acts, including penal provisions to bolster law enforcement and compliance. Moreover, these penal provisions have several objectives, such as:
1. Prevention: Penal provisions aim to deter crime by threatening punishment to those breaking the law. With these provisions, individuals are expected to think twice before committing illegal actions.
2. Retribution: Penal provisions also seek to mete out appropriate punishment to lawbreakers, aiming to deliver justice for victims and society.
3. Education: Through the legal process and punishments, penal provisions aim to educate society on respecting the law and others' rights.
4. Rehabilitation: In some cases, the purpose of criminal punishment is to rehabilitate offenders, aiding them in altering their behavior for successful reintegration into society.
5. Guidance: In specific contexts, penal provisions aim to guide offenders to prevent future recurrences of their actions.
In personal data protection, criminal charges apply to various forms of offences committed by individuals, organizations, legal entities, corporations, or public agencies (Makarim, 2013). These charges generally consist of different forms of punishment: imprisonment, fines, forfeiture, and compensation payments. Typically, these offences involve illegal collection, disclosure, use, and forgery of personal data (Rizal, 2019). Considering the importance of personal data protection and the role of criminal punishment in enforcing it, further study of the regulations of these penal provisions based on different offence forms becomes crucial.
Consequently, a comparative study focusing on the PDPA and Law Number 27 of 2022 becomes a relevant and significant point of interest for further discussion.

Information on Terminated Singapore Telephone Number
Section 42(2) of the PDPA regulates that: "A telecommunications service provider which contravenes subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $10,000." The provisions above are a penalty for telecommunications service providers failing to report all terminated Singapore telephone numbers to the Commission. The Commission can legally protect personal data subjects with these reports if other parties misuse their telephone numbers. Indirectly, this provision creates a system of accountability and transparency (Rosadi, 2018).

Unauthorised Disclosure of Personal Data
Section 48D(1) of the PDPA regulates that: "... the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both." The provisions above are a penalty for an individual intentionally disclosing personal data without authorization from the organization or public agency concerned. On the other hand, this penalty also applies to individuals recklessly disclosing personal data, including those authorized by the organization.

Improper Use of Personal Data
Section 48E(1) of the PDPA regulates that: "... the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both." The provisions above are a penalty for an individual intentionally using personal data without authorization from the organization or public agency concerned. On the other hand, this penalty also applies to individuals recklessly using personal data, including those authorized by the organization.

Unauthorised Re-identification of Anonymised Information
Section 48F(1) of the PDPA regulates that: "... the individual shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 2 years or to both." The provisions above are a penalty for an individual intentionally taking action to re-identify anonymized personal information without authorization from the organization or public agency concerned. On the other hand, this penalty also applies to individuals recklessly re-identifying such information, including those authorized by the organization.

Offences and Penalties
Section 51(2) of the PDPA regulates that: "A person guilty of an offence under subsection (1) shall be liable on conviction to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both." The provisions above are a penalty for an individual requesting the organization concerned to be able to access or change personal data about another individual without being authorized by the other individual. Furthermore, Section 51(4) of the PDPA regulates that: "An organisation or person that commits an offence under subsection (3)(a) is liable in the case of an individual, to a fine not exceeding $5,000 or to imprisonment for a term not exceeding 12 months or to both; and in any other case, to a fine not exceeding $50,000." The provisions above are a penalty for organizations or persons intentionally evading a request under the section on access to and correction of personal data. In this case, they take steps to dispose of, alter, falsify, conceal, or destroy a record containing information about the collection, use, or disclosure of personal data.

General Penalties
Section 56 of the PDPA regulates that: "A person guilty of an offence under this Act for which no penalty is expressly provided shall be liable on conviction to a fine not exceeding $10,000 or to imprisonment for a term not exceeding 3 years or to both and, in the case of a continuing offence, to a further fine not exceeding $1,000 for every day or part of a day during which the offence continues after conviction." The provisions above are a penalty for an individual violating personal data protection in cases where the punishment is not explicitly regulated in Sections of the PDPA. The additional fine for ongoing offences after conviction clarifies the Singapore Government's staunch commitment to personal data protection. This provision indicates that all offenses will still receive a commensurate penalty even if not explicitly regulated in Sections of the PDPA. Therefore, this provision strengthens the PDPA as an effective legal instrument in maintaining the privacy and integrity of personal data subjects.

Penal Provisions in Law Number 27 of 2022
In line with the previous penal provisions discussed, Law Number 27 of 2022 also outlines several articles regulating offenses and penalties to protect every subject of personal data. These provisions provide penalties in the form of imprisonment, fines, forfeiture, and compensation payments based on various forms of personal data protection offenses.

Collection of Personal Data
Article 67 section (1)

punishments may also be imposed in the form of forfeiture of profits and/or assets acquired from or resulting from the crime, and compensation payments"
The provisions above are a penalty for an individual who intentionally commits an unlawful act to collect personal data. However, if a corporation commits this offense, it is only subject to a fine. Furthermore, Article 70 section (3) of Law Number 27 of 2022 regulates that: "The fine imposed on the Corporation will be at most 10 (ten) times the maximum fines that can be charged." In addition to a maximum fine of IDR 50,000,000,000.00 for the corporation, Article 70 section (4)  Thus, it is understood that if an individual intentionally commits an unlawful act to collect personal data, they face penalties, including imprisonment, fines, forfeiture of assets or profits, and compensation payments. Conversely, penalties for corporate offenses can consist of a fine and eight additional punishments according to Article 70 section (4) of Law Number 27 of 2022.

Disclosure of Personal Data
Article 67 section (2) of Law Number 27 of 2022 regulates that: "Any person who intentionally and unlawfully discloses Personal Data that is not theirs, as referred to in Article 65 section (2), shall be punished with a maximum imprisonment of 4 (four) years and/or a maximum fine of IDR 4,000,000,000.00 (four billion rupiah)." The provisions above are a penalty for an individual who intentionally commits an unlawful act to disclose personal data. In addition, the individual will also be subject to forfeiture of assets or profits and compensation payments according to Article 69 of Law Number 27 of 2022. If a corporation commits this offense, however, it is only subject to a fine according to Article 70 section (3) of Law Number 27 of 2022. In addition to a maximum fine of IDR 40,000,000,000.00, the corporation will be subject to additional punishment according to Article 70 section (4) of Law Number 27 of 2022.

Use of Personal Data
Article 67 section (3) of Law Number 27 of 2022 regulates that: "Any person who intentionally and unlawfully uses Personal Data that is not theirs, as referred to in Article 65 section (3), shall be punished with a maximum imprisonment of 5 (five) years and/or a maximum fine of IDR 5,000,000,000.00 (five billion rupiah)." The provisions above are a penalty for an individual who intentionally commits an unlawful act to use personal data. In addition, the individual will also be subject to forfeiture of assets or profits and compensation payments according to Article 69 of Law Number 27 of 2022. If a corporation commits this offense, however, it is only subject to a fine according to Article 70 section (3) of Law Number 27 of 2022. In addition to a maximum fine of IDR 50,000,000,000.00, the corporation will be subject to additional punishment according to Article 70 section (4) of Law Number 27 of 2022.

Falsification of Personal Data
Article 68 of Law Number 27 of 2022 regulates that: "Any person who intentionally creates false Personal Data or falsifies Personal Data with the intention to benefit themselves or another person, which may result in harm to others, as referred to in Article 66, shall be punished with a maximum imprisonment of 6 (six) years and/or a maximum fine of IDR 6,000,000,000.00 (six billion rupiah)." The provisions above are a penalty for an individual who intentionally commits an unlawful act to falsify personal data. In addition, the individual will also be subject to forfeiture of assets or profits and compensation payments according to Article 69 of Law Number 27 of 2022. If a corporation commits this offense, however, it is only subject to a fine according to Article 70 section (3) of Law Number 27 of 2022. In addition to a maximum fine of IDR 60,000,000,000.00, the corporation will be subject to additional punishment according to Article 70 section (4) of Law Number 27 of 2022.

Comparison of Penal Provisions between PDPA and Law Number 27 of 2022
The PDPA and Law Number 27 of 2022 were enacted to protect personal data, albeit with different approaches. Although both contain penal provisions for offenses of personal data protection, there are significant differences in terms of imprisonment duration, fine amounts, and the types of additional punishments imposed (Paripurna et al., 2018).
The PDPA takes a relatively lenient approach toward imprisonment provisions for individuals. Under the PDPA, imprisonment for individuals who commit personal data protection offenses does not exceed three years. Meanwhile, Law Number 27 of 2022 prescribes a longer duration of imprisonment for individuals who commit personal data protection offenses, with a maximum penalty not exceeding six years.
Furthermore, the PDPA sets a relatively low maximum amount for fines against individuals who violate the law, not exceeding $10,000. In contrast, Law Number 27 of 2022 imposes a heavier fine on individuals who commit personal data protection offenses, with the maximum fine reaching IDR 6,000,000,000.00.
The PDPA prescribes a fine not exceeding $50,000 for organizations that commit personal data protection offenses. Although this sum is more significant than the individual fine, it allows organizations room for correction and prevention of future offenses without being burdened by excessive fines. In contrast, Law Number 27 of 2022 imposes a significantly heavier fine on organizations that commit personal data protection offenses. The regulated fine could reach IDR 60,000,000,000.00, a substantial amount that signals the Indonesian government's firm commitment to preventing and punishing personal data offenses by organizations.
On the other hand, the PDPA emphasizes only imprisonment and fines as penalties for offenses of personal data protection without prescribing additional punishments for individuals and organizations. Conversely, Law Number 27 of 2022 emphasizes additional punishments for individuals and corporations who commit personal data protection offenses. For individuals, these additional punishments can include forfeiture of profits and/or assets acquired from or resulting from the crime and compensation payments. For corporations, additional punishments can encompass forfeiture of profits and/or assets acquired from or resulting from the crime, business suspension, prohibition on performing specific actions, closure of the place of business, implementation of neglected obligations, compensation payments, permit revocation, and/or corporation dissolution.
The differences in criminal punishment between the PDPA and Law Number 27 of 2022 have significant implications for implementing personal data protection in Indonesia and Singapore. In Indonesia, stringent penalties demonstrate the government's robust commitment to protecting its citizens' data, possibly driving corporations and individuals to ensure their compliance with Law Number 27 of 2022. Significant fines and additional punishments also underline the government's seriousness in preventing personal data protection offenses, offering a strong incentive for corporations and individuals to comply with Law Number 27 of 2022.
In contrast, Singapore opts for a more moderate approach to enforcing laws related to personal data protection (Chik, 2013). Although this is a softer approach, it can assist in fostering a culture of understanding and offense prevention rather than punishment. This approach is more effective in the long run as it encourages individuals and organizations to better understand and appreciate the importance of personal data protection instead of merely fearing punishment (Yuspin et al., 2023).
Therefore, these different approaches affect how personal data protection is implemented in both countries. In Indonesia, the focus is more on law enforcement, while in Singapore, an educational and preventive approach dominates. Nevertheless, both approaches share the same objective: to protect personal data and prevent its misuse.

CONCLUSIONS AND SUGGESTIONS
Based on the results and discussion, it can be concluded that there is a striking difference between the PDPA and Law Number 27 of 2022 concerning penal provisions related to offenses of personal data protection. The PDPA portrays a more moderate approach by establishing relatively lighter imprisonment and fines. In contrast, Law Number 27 of 2022 illustrates a stricter approach with more severe imprisonment, fines, and additional punishments. These two distinct approaches reflect the policies of the Singaporean and Indonesian governments in dealing with personal data protection issues. Singapore leans towards prevention and education, while Indonesia places a high priority on law enforcement. Nonetheless, both approaches ultimately aim to protect their citizens' personal data.
Based on the conclusions above, it is recommended that the relevant authorities in both Singapore and Indonesia continually evaluate and adapt their legal frameworks to safeguard personal data effectively. Singapore could consider stricter penalties to discourage offenses while maintaining its focus on education and prevention. On the other hand, while Indonesia's commitment to law enforcement is commendable, it could also benefit from incorporating preventive measures and public education to promote understanding and voluntary compliance. Collaborative efforts between the two countries can facilitate continual enhancements in personal data protection within their respective jurisdictions.