As mentioned earlier, private data must be protected, but do you know what private data is? and why it matters so much to us? There are several definitions regarding private data, as follows :

So that explains private data; why is it so influential? Cause to achieve satisfaction or profit, for example, used to bully someone through social media, deceive someone by using someone else's identity to be sent some money until the victim is killed, defamed, and so on. Therefore, private data is very important to be stored, maintained, and maintained its authenticity and protected both by individuals and data controllers to be safe from unexpected parties (Gutwirth, 2015). So, private data is essential to be stored, maintained, and maintained its authenticity and protected both by individuals and data controllers. In Indonesia, special regulations governing private data, namely the Personal Data Protection Law (PDP law). Protection, which means how to use, disclose, and share data legally with related parties so that if data is exchanged but there is no legal basis to regulate it, it is considered invalid.

The PDP law is guided in European General Data Protection Regulation (GDPR). Discuss collection, using, sharing, and disclosing data, addressing aspects such as data quality, accuracy, and data subjects. There are three things in this law include data subjects which themselves are attached to private data, such as people or corporations, data controllers consisting of individuals, public bodies, international organizations, then the data processor processes private data in the name of private data controllers with the condition that a data must be kept confidential. A data owner has the right to know what his data is used for and sue and receive compensation in case of violations when processing data, except for law enforcement and national defense and security.

Data is grouped into General and specific data in the PDP law. General data encompasses complete details such as full name, gender, amalgamated private information for individual identification and etc. Conversely, specific data comprises biometric data, genetic data, crime records, information about children, private financial data, and other data stipulated by legal provisions. Another example is a photo; a photo is not specific data but can be particular data if a picture is used for authentication. So far, the Ministry of Communications and Information Technology receives data breaches mainly related to negligence or vulnerabilities in the information security aspects of electronic systems. In case of a data leak, the processor must inform the data owner in writing within 3 x 24 hours, which contains information about the type of private data leaked, the time and mechanism of the leak, and efforts to overcome or recover from data leak.

In the Philippines, private data can be defined as human aspiration in controlling or influencing information about themselves in an effort to protect private information that comes from the wishes of individuals and is recognized by democratic societies (Romanou, 2017). Therefore, the government ought to communicate the methods it employs to fulfill the desires of its citizens regarding their private data. Furthermore, the commission's decisions and resolutions play a crucial role in interpreting and enforcing these regulations.

The commission issued a circular to fill in the details, supplement the DPA provisions, or provide the means to implement the act. It provides advice to guide interpreting the law about specific data privacy matters. The commission issues advisory opinions through its advisory functions. The circular complements the DPA provisions and the IRR to strengthen private data protection. Data privacy includes all types of private information, such as private, sensitive, and privileged information. Private information is a data subject that refers to the information holder. Private information includes name, occupation, bank account number, transaction history, last known address of former employee, email, signature, and others. Sensitive private information includes information that, when processed, results in a higher potential risk to data subjects and the increased protection necessary to prevent such danger. Privileged information is data that arises from confidential communications based on court rules and other relevant laws.

The purpose of processing private data is as follows:

a. Scientific and statistical research is subject to applicable ethical and legal standards and processes.

b. Investigations are carried out by authorized persons/bodies according to laws and regulations concerning criminal, administrative, tax, and other provisions.

c. National security interests.

In the Philippines, it enacted laws to regulate private data and established an independent regulatory body called the National Privacy Commission (NPC) to protect private data. The NPC is in charge of regulating and implementing the provisions of Private data protection regulations and complying with its international standards. The NPC approach to providing education and literacy to the public is to increase awareness of data protection laws by providing education and literacy through online platforms that can make it easier for people to access information (Hasan et al.,) such as the official website of the National Privacy Commission and social media, Facebook (@privacy.gov.ph), Twitter (@privacyphp), and the AI chatbot feature on the National Privacy Commission's website is "AskPriva."In addition to providing education and literacy, the platform facilitates questions related to Data privacy laws.

In contrast, in Indonesia, which does not yet have a supervisory institution for Private data protection, a supervisory institution should be established according to the mandate of the PDP Law. If there isn’t supervisory agency, it is feared that it will be difficult. The president is responsible for establishing an autonomous supervisory body accountable directly to them, and must be free from any influence of private interests and groups, with the existence of a private data protection supervisory institution is expected to help the public not to become victims. The supervisory board for the protection of private data when it has been established will have the following tasks (hukum online):

a. Supervise the implementation of private data protection.

b. Enforce administrative Law measures to address infringements

c. Facilitate alternative dispute resolution outside the formal judicial process.

Litigation involves judges who, according to Cik Hasan Bisri etymologically, are the one who decide the law (Isnantiana, 2017). In addressing incidents of private data breaches, law enforcement is crucial to maintain legal compliance and prevent further breaches (Ngape, 2018). In delivering judgments, judges bear great responsibility not only to humans but also to God Almighty (Asshidiqie, 2014). Therefore, the challenge faced lies in the ability to adapt given the ongoing social dynamics alongside technological advancements (Atmasasmita, 2014).

When giving a decision in a case, the judge's contains reasons and considerations and from these considerations, one can recognize the motivation, namely to give legal certainty and justice to all engaged involved in a legal dispute. Judges must be fully engaged in exploring and achieving legal justice in every trial, not just mechanically applying the law. In a progressive legal framework, judges can challenge norms by interpreting legal texts through hermeneutics to explore the values of justice, especially in the context of laws. Therefore, judges must fully utilize their intellect, wisdom, and humanism in court to decide a case with full justice (Lesmana, 2020).

As law enforcers, judges must have an understanding of the legal regulations and values that apply in society, and use reasoning in decision making. This is important because judges are seen as those who understand all laws, so the court cannot refuse to examine and hear cases (Harahap, 2016). Reasoning is an attempt to reach the truth through the use of reason or logical thinking, which is used by judges to think logically and give consideration to the truth or error of a matter. Law enforcers need good legal reasoning skills to formulate legal arguments. (Qodri, 2019). Legal reasoning is the process of finding the basic principles underlying a judge's ruling in a legal matter, the manner in which an attorney employs legal arguments, and the approach through which a legal expert comprehends the law (Vera & Ainudin, 2016). Therefore, a judge must have good skills and abilities in understanding legal reasoning.

It is important for a judge to have an adequate understanding of legal reasoning as this plays a crucial role in drawing up legal considerations when making decisions. In Indonesia, courts in making decisions and passing judgments are based on considerations that are in accordance with the right reasons and regulations. Therefore, judges are expected to act wisely because court decisions are complex matters (Pamungkas, 2021). The judge should focus on the essence of the verdict, namely whether the consideration can be burdensome or mitigating the crime because sufficient consideration cannot be made of legal remedies. In the Philippines, courts generally make decisions based on evidence, and such decisions are not seen as biased against just one sector. Generally, courts make decisions based on the evidence presented, yet there's a perspective suggesting that courts might show partiality toward affluent and influential individuals (Panao & Leon, 2018). Also rely on evidence, while complying with the Constitution and other regulations that support the principles of social justice, human rights, and gender equality (Tetch, 2019-08). Judges need to uphold equilibrium in society by reinstating the social order to its initial condition (Djanggih, 2018).

The PDP Law is set to be fully enforced starting from October 2024, while currently still using the ITE Law while currently still using the ITE Law to regulate cybercrime (Sutrisno & Paksa, 2019). For example, in the ruling no. 438/Pid. Sus/2020 / PN.JKT.UTR this is a case in which a person is sentenced for violating the rules on data transfer. The defendant, who worked as a debt collector in an online loan company, was involved in a case where the victim felt aggrieved by the defendant's actions. The victim, who was a debtor in one online loan, was pressured in an inappropriate manner by the defendant. These include verbal intimidation with harsh words, threats via text messages, and threats to disclose information about the debts owed to the victim's family and close people if they do not fulfill the defendant's wishes. In this case, the defendant was sentenced for one year and six months. The punishment is given because the defendant has been proven to be legally in violation of the law as outlined in Article 45 paragraph (4) Jo. Article 27 paragraph (4) of Law No. 19 of 2016 amending Law No. 11 of 2008 concerning ITE Law. Here is the verdict:

ORDERED

Thus decided in a deliberation session of the Panel of Judges of the North Jakarta District Court, on Tuesday, June 9, 2020, by Agung Purbantoro, S.H., M.H. as Chief Judge, Drs. Tugiyanto, Bc.I.P., S.H., M.H., and Fahzal Hendri, S.H., M.H., each as Member Judges, which was pronounced in a hearing open to the public on the same day by the Presiding Judge accompanied by the aforementioned Member Judges, assisted by Ari Palti Siregar, S.T., S.H., M.H., Substitute Registrar at the North Jakarta District Court, and attended by Erma Octora, S.H. Public Prosecutor and Defendant.

In this case, the judge still referred to the ITE Law as the basis for his consideration. In its ruling, the judge ensured that all elements of the alleged violation of the ITE Law were met, in particular with regard to the private data violation. On this occasion, the author seeks to investigate aspects of private data protection in Indonesia regulates the transfer of private data of a person who must obtain the relevant permission. Violation of this provision may result in the data owner filing a claim for damages in court, but difficulties in proving cases in civil courts in Indonesia hamper the ability of data owners to legitimately highlight breaches in the security of their private data. The PDP Law allows the resolution of disputes related to the protection of private data through civil courts and alternative dispute resolution mechanisms like arbitration (Article 64). This finding is an important note for all of us. Independent supervisory authorities have an important role as a mechanism for societal oversight of governmental authority and can safeguard private data for the sake of legal progress (Sukmariningsih, 2014).

In the Philippines, private data cases are handled and decided by the National Privacy Commission (NPC) whose information can be accessed through its official website. To date, no case of private data has reached the Supreme Court, since only decisions of the Supreme Court are accessible to the public. For example, in the NPC ruling 21-086. This was a case where the complainant, RTB, had previously taken out a car loan secured by a mortgage pledge with the Philippine Bank of Communications (PBComm), and then transferred the loan and mortgage to the East West Banking Corporation (EWBC). Next provided EWBC with several dated checks to repay the loans granted, but because EWBC personnel failed to deposit the checks, the complainant's account was marked as overdue resulting in a referral to a collection agency. So that the complainant received a bad phone call that was misleading and tried to take the car. Accordingly, the complainant filed a complaint with the NPC, claiming that EWBC process also disclosed his private information to a third-party collection agency in an unauthorized manner.

Discussion

WHEREFORE, premises considered, Commission resolves that NPC 21-086 – RTB v. East West Banking Corporation is hereby CLOSED. Further, East West Banking Corporation’s Compliance and Manifestation (Re: Letter/Order dated 25 April 2022 and Decision dated 03 February 2022) dated 02 May 2022 is hereby NOTED.

After reviewing the complaint, the NPC based on Section 12(b) of the DPA decides to reject that, after determining that EWBC processes RTB's private information within the legitimate criteria. As a result of EWBC negligence, the NPC compensated RTB. In this context, EWBC does not comply with its responsibilities as a controller of private information based on Section 11 (c) of the DPA. The commission noted that EWBC had complied with RTB's indemnity payment. The payment was deemed to have been made based on the confirmation of payment of the nominal compensation, accompanied by RTB's signature of receipt, emailed to the commission. Despite RTB's intention for reconsideration in the email, RTB did not do so by the deadline set by the commission in NPC Circular 2021-01. Therefore, based on these considerations, the Commission decided to close the case. (privacy.gov.ph).

As the Personal Information Controller (PIC), EWBC must keep the data subject's personal information up to date as a form of accountability. EWBC is supposed to check the date of deposit of the check that has passed the date given by the complainant. Accidental failure to deposit a check past the specified date causes the complainant's personal information to unnecessarily be revealed to third-party collection agency. EWBC violated the KPR terms and conditions of the mortgage in collecting the debt by not giving prior written notice to the complainant. EWBC proved to be grossly negligent in carrying out the obligations given by the banking institution. If EWBC had fulfilled its obligations in accordance with the loan contract and DPA, then EWBC would not have needed to disclose the complainant's private information. Nevertheless, EWBC recklessness was not enough to propose prosecution. Although the processing carried out by EWBC has a valid legal basis, EWBC is still liable for nominal losses.

In the digital age, numerous challenges are associated with the security of private data especially in Indonesia and the Philippines. International law governs the safeguarding of private data as outlined below:

It marks the inaugural instrument upholding an human right to privacy, the term "privacy" is regarded as a comprehensive term, encompassing the safeguarding of a range of additional rights, including family, honor, reputation and others. As time has progressed, additional dimensions of protection have emerged, covering physical privacy, dignity, privacy deciding, and privacy of information. This evolution emphasizes the necessity for regulations concerning the privacy of private data.

Doesn't clearly mention that the right to privacy encompasses private data. Nonetheless (Kuner, 2014) offers a comprehensive right to privacy from guidelines that explain the extent, and it is said that the purpose of getting protection in human private life is that everyone needs to have the right to make sure a form can be understood and what kind of private data is in automatic data files. Everyone needs to know and check individuals or public/private bodies related to whether their data is wrong or has been collected/processed against the law. Hence, everyone should possess the entitlement to seek the removal of their data. Connected to the aforementioned discussion, it is evident that private data is intricately linked to the right to privacy, necessitating safeguarding.

The Council of Europe, functioning; regional international organization, possesses an agreement concerning the privacy, particularly detailed in Article 8 ECHR. This article became foundation for the establishment of an additional convention that specifically delves into the safeguarding of private data. After being signed by representatives of member states in 1981, this convention was enforced in 1985 following the requisite ratifications from several countries (Themba, 2016).

Regarding the things that have been described above, it proves that protecting private data is very important because it is part of individual life, has a great complexity and amount and can make others know something about ourselves (Riahi, 2015) such as data leakage such as name and the Population Identification Number (NIK). This information can be used by hackers. Hackers are always up to date with technology; therefore, they always find a way to exploit vulnerabilities on the websites of companies/government agencies to determine whether the stolen private data is then sold to the detriment of a particular company or out of political motives. There are two forms of private data protection, including physical security of both visible and invisible data, and regulations that govern the unauthorized use of data, data misuse for specific purposes, and damage to the data itself (Sautunnida, 2018). Disputing parties have several considerations in choosing the appropriate mechanism to resolve conflicts, including legal system components that will influence their choices.

The dispute resolution mechanism for private data security in Indonesia and the Philippines differs. In Indonesia, if there is an indication of a private data leak, it can take general steps first. If a private data leak is detected, it must be responded to quickly; for example, companies or organizations that experience such incidents need to immediately identify and confirm private data leaks by checking systems and networks to determine the source and scale of the leak. Second, if it is confirmed that there is a data leak, then access to the affected system must be disconnected first, then repair the security gaps that allow attacks and restore damaged or lost data. Third, ask for the help of a computer security team or forensic company to find out who the culprit is and the motive behind it. To find out carried out Forensic investigation is carried out that involves analyzing logs, digital traces, and other investigative techniques. Fourth, the information and evidence collected during the investigation are submitted to the National Cyber and Encryption Agency (BSSN) or the police to be processed legally. Fifth, if the case has been resolved, the affected organization or company needs to implement measures such as training employees, improving network security, conducting periodic security audits, and updating software. Sixth, evaluate and monitor the security system regularly because this can help determine the existence of potential threats and new weaknesses that may arise.

In addition, the PDP law if we see in Article 64, paragraphs 1 and 2 concluded dispute resolution is done in court or alternatively through institutions with statutory provisions, see the principle of lex specialis, that procedural law is used to resolve disputes. The trial process can be carried out behind closed doors to protect private data. In Indonesia, safeguarding private data is imperative as it constitutes one of the fundamental human rights. They protect private privacy, and there should be a legal basis that can guarantee the rights of citizens by regulating the protection of private data. Data subjects who experience losses due to data leakage are entitled to receive compensation by filing a civil lawsuit. As for an alternative dispute resolution as stated in law number 30 of 1999 in Article 6, which regulates that if the dispute is resolved by non-litigation based on the good faith of the parties, it is carried out by meeting directly within 14 days. Then, an agreement that has been successfully reached is made in writing.

However, if it does not work out, the parties can seek the help of a mediator or expert advisor. If, within a period of 14 days, the parties have sought the assistance of a mediator or expert advisor but have not reached an agreement, the disputing parties may request an alternative dispute resolution institution or arbitration institution to appoint a mediator to initiate mediation involving a third party, with a deadline of 7 days (Rezki et al., 2019). While carrying out its responsibilities, the mediator should possess the capability to maintain confidentiality, and a written agreement, endorsed by the concerned disputing parties, must be reached within a 30-day period. In addition, the outcome of the agreement is recorded within 30 days at the court from the date of ratification by the parties to the dispute. Nevertheless, these initiatives may not bring about a resolution to the dispute. In such instances, the disputing parties have the option to pursue dispute resolution through an arbitration institution or ad hoc arbitration, contingent upon a documented agreement.

Resolution of disputes through arbitration depends on written agreements between the parties engaged in disputes outside the General Court. Arbitrators, designated by either the parties, the district court, or an arbitration institution, are tasked with making a decision on the dispute that arises; the outcome is a win-lose decision, is final, and has the force of law binding on all parties involved. Anyone can voluntarily resolve private data leakage disputes through out-of-court dispute resolution. The parties to the dispute may choose according to their needs, such as negotiation, mediation, conciliation, arbitration, or other options based on their agreement in dispute. Then, if this effort is successful, the results of the written agreement shall be final and binding on the parties unless otherwise provided by law. However, the parties may dispute with the court when the above attempts are unsuccessful.

Unlike in Indonesia, in the Philippines, the general step that must be taken when there is an indication of private data leakage is first, the individual company or organization concerned determines what violation occurred, for example, whether there is unauthorized use of private data, unauthorized access, and others. Second, gather all available evidence, e.g., screenshots and copies of documents, to support our statement. Third, report violations that occur and submit all evidence to the National Privacy Commission (NPC) so that it can take appropriate steps to resolve the problem. Fourth, we can also contact the police or the court so that they can take investigative steps and take legal action if necessary. Fifth, ask for the help of lawyers experienced in privacy law and data protection because we can be given the right solution and assisted in resolving the case. In the Philippines, it was resolving disputes primarily through the judicial system. However, the large number of cases that went to court caused the file to become clogged due to limited resources in responding to the increase in cases. Hence, the judicial process seemed protracted and expensive.

Therefore, an alternative dispute resolution or ADR emerges, which refers to other dispute resolutions that include alternatives to litigation (Blake et al., 2021). Alternative dispute resolution is considered an intervention against the accumulation of case files. Consequently, this alternative dispute resolution should be considered based on its superiority as an effective system to resolve disputes more quickly and efficiently, with lower costs. The Alternative Dispute Resolution Act of 2004 was established by the Philippine government. Alternative dispute resolution mechanisms in the Philippines include mediation, conciliation, and arbitration. Although mediation and conciliation are two different things, they are used interchangeably in the Philippines. Thus, in this case, the third party facilitates the negotiation with two or more parties to the dispute. When facilitating it, third parties help to provide the best solution to benefit the parties to the debate. The agreement can be reached because the mediator orders the parties concerned to express all their views on a condition until they understand each other about the problems that occur. The role of a mediator in a successful negotiation lies with the parties to the dispute because the negotiation results are in their hands. In carrying out its duties, the mediator must ensure that the negotiation process can run effectively, systematically, and fairly.

It distinguishes itself from arbitration as it involves a third party that assesses the information presented by the disputing parties and examines the case. Then arbitration is the one that gives the decision on how to resolve the dispute and often assesses who is the proper party among the other parties to the dispute. In contrast to mediation, the third party is a facilitator only, and the parties to the dispute decide the final solution to the disputed problem.

There are advantages if you resolve a dispute out of court rather than through the courts:

a. The settlement is private so that outsiders do not know the company's kitchen, so the company's reputation is well preserved, and the verdict results are not published.

b. The settlement is faster than through the court because the provisions regarding the time limit, the selection of arbitrators, and Law resolution of disputes agreed by the parties submitted by themselves are made relatively quickly and flexibly.

c. It realizes the results of a win-win dispute resolution with the hope that in the future, it is not placed as a losing or disadvantaged party despite the conflict between the parties.

Therefore, this alternative settlement can keep the business relationship in the future. Of course, some advantages of the Alternative Dispute Resolution Mechanism are "contradictory" when compared with the settlement mechanism through the courts. Dispute resolution through the courts is closely related to practices that tend to be slow or not fast (takes a long time), not simple (complicated), and expensive. In addition, sometimes, the judicial world, in some cases, is full of corrupt practices.