Abstract. This research discusses the mechanism of civil lawsuits for personal data misuse in the financial technology (fintech) sector after the enactment of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). Before this regulation was enacted, other regulations already addressed the misuse of personal data, but they were general and complex, unlike the PDP Law, which specifically addresses personal data misuse, particularly in the financial technology sector. The urgency of this research is based on the prevalence of cases of misuse of fintech consumer data and the need for legal certainty, which was previously limited to legal instruments such as the Civil Code, the ITE Law, and POJK No. 77/2016. The purpose of this research is to analyze the applicable legal basis and to formulate alternative legal solutions for victims of personal data misuse in fintech services after the transition period of the PDP Law. The method used is a normative-juridical approach with case studies, examining legislation, court decisions, and empirical practices, supported by qualitative data collection through the review of legal documents, academic literature, and regulatory reports. More specifically, this is normative legal research using a statutory approach and a conceptual approach, analyzed through a review of legislation and empirical case studies. The results of this study indicate that the existence of the PDP Law provides stronger legitimacy for civil lawsuits, gives consumers a clear legal basis for seeking compensation, and increases legal certainty in the handling of personal data disputes in the fintech sector. The findings of this research also emphasize the importance of increasing public literacy regarding personal data protection and knowledge of the available legal procedures.
The conclusions of this research contribute both theoretically and practically to the advancement of studies on personal data protection, while also providing recommendations to strengthen the effective implementation of the PDP Law and the protection of consumer rights in the fintech sector.
Keywords: Personal Data Protection; Fintech; Civil Lawsuits
Information and communication technology is now part of people's social lives and has entered various sectors, including government, business, banking, education, health, and personal life. Besides its positive impact, information and communication technology is also recognized as providing opportunities for new crimes (cyber crime), so that protection efforts are needed [1]. Indonesia is experiencing a significant acceleration in the digitalization of financial services, including the growth of fintech and P2P lending providers, so that exposure to the risk of leakage and misuse of personal data increases. The Financial Services Authority (OJK) reported dozens of licensed fintech lending providers (±96–97 entities in the 2024–2025 period), while large data leak incidents in the financial sector underscore the real practical vulnerability of data subjects. This phenomenon makes the protection of personal data an issue of local urgency and part of the global challenge of data governance and public trust in the digital economy [2].
Globally, the issue of personal data protection is a major concern, with the European Union implementing the General Data Protection Regulation (GDPR) as an international standard. In Indonesia, although the PDP Law has regulated the rights of data subjects and the obligations of data controllers, the mechanism for civil prosecution for such violations has not been systematically tested in judicial practice [3].
This problem has become increasingly relevant with the enactment of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law), which marks the beginning of a new era in the data protection legal regime in Indonesia. The PDP Law establishes fundamental principles of personal data protection, including purpose limitation, transparency, fairness, and accountability, as well as data subject rights such as the right of access, the right of correction, the right of erasure, and the right to object to automated decision-making that has a legal or significant impact on the personal data subject. However, to date there is no derivative regulation that specifically governs the automated decision-making mechanism in the fintech sector. Without such derivative regulations, business actors have no clear guidelines on the limits of the use of automated decision-making, and previously there were no specific, more sectoral regulations that could serve as legal protection in the field of fintech [4].
Thus, the urgency of this research lies not only in the increasing cases of misuse of personal data, but also in the urgent need for an effective legal mechanism that is accessible to the public. Through a normative approach and juridical analysis, this study seeks to answer the challenges of the implementation of the PDP Law in the civil realm, as well as make a real contribution to the formation of a legal system that is responsive to the dynamics of financial technology.
A state of law must guarantee the legal rights of its citizens. The existence of law in social life serves to coordinate and integrate all types of interests in the community. Protection provided for certain interests can only be achieved by limiting the interests of the other party. Legal interests are used to take care of the rights and interests of the community, so that the law has the highest authority in determining which interests of the community need to be protected and regulated. Legal protection must be viewed in stages, namely protection that comes from the provisions of the law and from the rules prepared by the community, which are essentially joint agreements of the community aimed at regulating relations between community members and between the government and the individuals who represent the interests of the wider community [5].
According to Phillipus M. Hadjon, legal protection for the people consists of preventive and repressive government action. Preventive legal protection aims to prevent disputes and directs the government to be prudent in taking decisions based on discretion, while repressive legal protection aims to prevent disputes, including their handling in judicial institutions [6].
In terms of its actualization, consumer protection needs to be enforced by a government on the basis of the current situation, since it will affect the fate of the consumer community. This consideration is usually made by paying attention to:
a. The level of development of each country;
b. Industrial and technological growth;
c. Development philosophy and policy.
The growing awareness of the state to provide protection for consumers who are in a weak bargaining position begins by thinking about policy [7].
Principle of Responsibility. In civil law, responsibility refers to a person's liability for unlawful acts. Unlawful acts have a wider scope than criminal acts: they include not only acts that are contrary to the criminal law, but also acts that are contrary to other laws and even to unwritten legal provisions. The legal provisions on unlawful acts aim to protect and provide compensation to the harmed party [8].
The concept of legal liability is closely related to, but not identical with, the concept of legal obligation. An individual is legally obliged to behave in a certain way if the contrary behavior is the condition for a coercive act (sanction). However, this coercive act need not be directed at the obligated individual, the "perpetrator of the offense"; it may be directed at another individual who is related to the first individual in a manner prescribed by the legal order. The individual against whom the sanction is directed is said to be "responsible" or legally liable for the violation [9].
According to Article 1365 of the Civil Code, an unlawful act is an act committed by a person who, due to his fault, has caused harm to others. In law, there are 3 categories of unlawful acts, which are as follows:
The type of research used in this study is doctrinal legal research, which is research on law as a norm and as a reality (behavior), or as something aspired to and as living law; the legal disciplines related to this type of research have both a general and a specific aspect [11]. The approaches used in this study are the statutory approach and the analytical approach. The legal materials for this research consist of primary and secondary legal materials. The primary legal materials are laws and regulations, the main reference being Law No. 27 of 2022. The secondary legal materials are textbooks and scientific journals related to this research, together with non-legal materials relevant to the research topic. Legal materials were collected through library research.
Personal data leaks in the fintech industry not only cause material losses but also erode consumer trust. This negative perception arises because financial data (such as transaction history, loans, and account information) is highly sensitive and vulnerable to misuse for criminal acts such as fraud, identity forgery, or extortion. Juridically, this negative perception shows that the principles of transparency and accountability mandated in Law Number 27 of 2022 concerning Personal Data Protection (PDP Law) have not been fully implemented. In fact, Article 20 paragraph (1) of the PDP Law requires data controllers to give written notification to the data owner in the event of a data leak, something that fintech companies often fail to do. Consumer trust is an element protected by Law Number 8 of 1999 concerning Consumer Protection (UUPK). Article 4 of the UUPK guarantees consumers' rights to comfort, security, and privacy. If a fintech provider fails to meet these obligations, it can be categorized as violating the principle of good faith in the agreement (Article 1338 of the Civil Code) [12].
Violations of Law No. 27 of 2022 concerning Personal Data Protection can be subject to administrative and criminal sanctions, depending on the level and impact of the violation. Administrative sanctions are typically applied to entities that fail to meet compliance obligations, such as not obtaining lawful consent for data processing or negligence in maintaining the security of personal information. These sanctions take the form of a written reprimand, suspension of business licenses, or fines whose amount is adjusted to the impact of the violation. They aim to ensure that companies and institutions comply with the regulations and to prevent future violations. Criminal sanctions, on the other hand, apply to serious violations such as misuse of personal data that causes significant harm to individuals or society. Unauthorized disclosure of information, data theft, and use of data for illegal purposes may be punished with imprisonment and large fines according to the severity of the violation. These criminal sanctions aim to provide a deterrent effect for perpetrators and to uphold justice for individuals harmed by privacy violations. However, the effectiveness of criminal sanctions still depends on a clear legal mechanism and the readiness of law enforcement officials to handle data breach cases [13].
Administrative sanctions for personal data violations are clearly regulated in Law Number 27 of 2022 concerning Personal Data Protection and its accompanying regulations. These administrative sanctions include: a) a warning, whether verbal or written, to personal data managers who have committed violations; b) temporary suspension of personal data processing activities that do not comply with the stipulated rules; c) deletion or destruction of personal data that has been processed illegally; d) administrative fines of up to a maximum of 2% of the annual income of the personal data manager, depending on the nature of the violation committed. Failure to maintain personal data in accordance with Article 46 paragraphs (1) and (3) and Article 47 of Law Number 27 of 2022 concerning Personal Data Protection leads to administrative sanctions, in accordance with the provisions of Article 40A paragraph (5) of the ITE Law. These sanctions can take the form of: a) a warning or warning letter; b) an administrative fine; c) temporary suspension of personal data processing activities; d) deletion or destruction of personal data; e) termination of access. The government's obligation to fulfill one of the rights of citizens, namely the right to privacy, by protecting people's personal data, especially in Indonesia, is therefore clear. If the government fails to do so, the penalty imposed on the government office responsible for the failure to protect personal data can take the form of administrative or civil penalties [14].
Anyone who commits a personal data breach can be held civilly accountable by means of a civil lawsuit for unlawful acts (PMH) filed with the District Court, claiming compensation from the party who committed the violation.
A civil lawsuit to seek compensation for a personal data breach can be filed through a mechanism in the District Court. Article 64 paragraph (1) of the Personal Data Protection Law states:
"The settlement of personal data protection disputes is carried out through arbitration, courts, or other alternative dispute resolution institutions in accordance with the provisions of laws and regulations." The District Court is thus one of the dispute resolution institutions that can be used to file a claim for compensation for a personal data breach under the law.
A civil lawsuit filed with the District Court for personal data violation is a lawsuit for unlawful acts (PMH) as stipulated in Article 1365 of the Civil Code which reads: "Every act that violates the law and causes harm to others, then obliges the person who caused the loss due to his fault to compensate for the loss."
The Plaintiff's civil lawsuit for a personal data breach is filed with the District Court for the area in which the Defendant is domiciled. If there is more than 1 (one) Defendant, the Plaintiff files the civil lawsuit in the court of the domicile of one of the Defendants while still naming the other Defendants.
How much compensation can be claimed for a personal data breach? There are no specific rules governing the amount that can be claimed for a personal data breach. In practice, however, a person who feels aggrieved by the unlawful acts of another can sue in court for 2 (two) types of loss, namely: 1) material loss, that is, actual loss; and 2) immaterial loss, that is, potential future loss resulting from the personal data breach.
Article 64 paragraph (1) of the Personal Data Protection Law states that proof in cases of personal data violation uses the evidence recognized under the procedural law applicable in the Court, such as documentary evidence, witness statements, presumptions, confessions, and oaths, supplemented by electronic information and/or electronic documents. Since in personal data breach cases most of the evidence takes the form of electronic information and/or electronic documents, a digital forensic expert is needed to obtain the best results from the validation of electronic evidence [15].
The PDP Law (Personal Data Protection Law) also gives victims of personal data breaches room to take civil action to claim compensation for losses suffered due to the leakage or misuse of their personal data. This civil remedy is in accordance with the legal principle contained in Article 1365 of the Civil Code, which declares that anyone who commits an unlawful act that causes harm to another party is obliged to compensate for it. Thus, the victim can file a lawsuit against the personal data controller deemed responsible for the breach in order to obtain compensation or restitution. In practice, however, the mechanism for filing a civil lawsuit related to personal data protection still faces obstacles, because neither the PDP Law nor its implementing regulations regulate the procedure for such a civil lawsuit in technical detail. This ambiguity and regulatory void hinders the realization of victims' rights, especially for members of the general public who usually lack sufficient access to legal resources to pursue their rights. This situation poses its own challenge for repressive legal protection: without a clear and easily accessible mechanism, efforts to enforce victims' rights and to provide a deterrent effect for perpetrators become less effective [16].
This study concludes that the personal data protection mechanism in force in Indonesia, viewed from a civil law perspective, still faces serious challenges in terms of clarity of norms, legal certainty, and effectiveness of law enforcement. Although Law No. 27 of 2022 concerning Personal Data Protection regulates administrative norms and sanctions for violators, it does not explain the procedure for bringing civil claims in its implementation. A derivative regulation that specifically governs this procedure is therefore needed, so that the effectiveness of the law can be guaranteed and the rights of legal subjects protected. An independent supervisory institution with strong authority should also be established to ensure accountability in the management and enforcement of personal data protection law. The government is expected to provide understanding and literacy to the public: people need to be vigilant and prudent when handing over personal data to other parties, and should first check whether a fintech application has been tested and is supervised by the OJK, so that the data provided to the application operator is protected and not prone to leakage.