Threats and Legal Protection of Personal Data Combined in E-Commerce Transactions Based on Personal Data Protection Law in Indonesia

: The dynamics of Indonesian trade are becoming more complex as time goes on, and one form of this development is digitalization. Although it has a positive impact, trade digitization also has a negative impact on different points of view, one of which is the threat in terms of combined personal data. Combined personal data is one type of personal data that is protected by the state through legal protection, so that the state guarantees people’s personal data. This scientific research uses one part of the grand method, namely Library Research which is based on literature or literature. The results of the research show that there are three forms of threats to people’s personal data combined in e-commerce transactions, especially in the use of IP Address, namely threats to geographic location tracking, unauthorized use and opening of personal data, and Distributed Denial of Service (DDoS) attacks. In the legal space in Indonesia, the three threats themselves do not yet have further rules related to the form and mechanism of protection and have different arrangements as a form of protection. Law Number 27 of 2023 concerning Personal Data Protection, Law Number 19 of 2016 amending Law Number 11 of 2008 concerning Electronic Information and Transactions, and Government Regulation of the Republic of Indonesia Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions. Based on this research, it is necessary to provide legal rules related to the form and mechanism of protecting a person’s IP Address as one type of personal data in Indonesia.


INTRODUCTION
Humans are creatures that need the presence of other people in their lives, because humans are social creatures who cannot live their lives alone. 1Humans as social creatures always need the help of others in their daily lives, including in carrying out economic activities.Economic activities such as buying and selling, renting, and making loans. 2Humans basically always try their best to achieve efficiency and effectiveness in 2 Safira Dhea Fitriani et al., "Digitalisasi Ekonomi  Syariah Penerapan Hukum-Hukum Islam Dalam Jual Beli Online," Jurnal Ekonomi Syariah 6, no. 1 (2021): 52, https://doi.org/10.37058/jes.v6i1.2542.
every action they take. 3In this case, buying and selling transactions are no exception.
Various kinds of online service facilities available in the community to facilitate buying and selling activities, ranging from online payment facilities, online shopping, to online transportation can easily be enjoyed through e-commerce facilities that are widely available today. 4 The presence of accurate and efficient e-commerce can reduce the risk of unwanted errors and increase the efficiency of selling products or services. 5In today's digital era, buying and selling goods online is increasingly popular in Indonesia.Various e-commerce platforms have mushroomed, allowing consumers to purchase goods easily without the need to visit a physical store. 6ccording to Bank Indonesia data, digital transactions in 2020 amounted to IDR 27.4 trillion and continued to increase to IDR 40 trillion in 2021, and is expected to continue to increase to IDR 48.6 trillion in 2022. 7 to increase to USD 95 billion by 2025.The ease of access to do business online, the wide reach, and the large number of internet users in Indonesia encourage people to open a stall to make a profit. 11However, these positive impacts and advancements have also led to new problems, including the easy collection and transfer of an individual's personal data without the knowledge and consent of the data subject.This threatens the constitutional rights of personal data subjects and emphasizes the importance of personal data protection in response to such challenges. 12In terms of personal data protection in Indonesia alone, no less than 466 million personal data were allegedly leaked after the enactment of the Personal Data Protection Law. 13In addition, on April 17, 2020, e-commerce Tokopedia experienced a leak of its users' personal data, at least for 12,115,583 accounts. 14 when conducting and accepting online transactions, it is necessary to provide consumers' personal data. 15n response to this, the government did not remain silent.Since 2019, Law (UU) Number 27 of 2022 on Personal Data Protection was approved and passed.This ratification coincides with the rise of many leaks of personal data.In its consideration, this regulation has the function of guaranteeing citizens' rights to personal protection and ensuring recognition and respect for the protection of personal data. 16As stipulated in Article 4 paragraph (1), this Law divides personal data into two parts, namely specific personal data and general personal data.The specific personal data includes health data and information, biometric data, genetic data, criminal records, child data, personal financial data; and/or other data in accordance with the provisions of laws and regulations. 17Furthermore, general personal data as stipulated in the PDP Law is data that includes name, gender, nationality, religion, marital status, and/or personal data combined for individual identification. 18rticle it is important to be protected, especially in terms of e-commerce implementation related to threats to IP Addresses and telephone numbers as a form of personal data combined.Therefore, this paper aims to analyze the threats of consumer personal data combined in e-commerce transactions and to analyze the form of protection of personal data combined in e-commerce transactions based on personal data protection laws.
Based on the explanation above, this paper aims to find the form of threats to consumer personal data combined in e-commerce transactions and identify the form of protection for consumer personal data combined in e-commerce transactions in Indonesia.

METHOD
Scientific research uses one of the grand method sections, namely Library Research which is based on literature.Based on the subject of study and the type of problem, of the 3 (three) types of grand methods mentioned above, this research will use the Library Research method.Regarding this kind of research, it is also commonly called "Legal Research". 22This kind of legal research does not recognize field research (field research) because what is studied is legal material so that it can be said to be library based, focusing on reading and analysis and analysis of the primary and secondary materials. 23

Research Sites
This research utilizes the Social Science Research Network (SSRN) website to access and analyze academic articles and journals in order to review existing literature.Additionally, the research makes use of the Directory of Supreme Court Decisions of the Republic of Indonesia to obtain relevant court rulings.

Threats of Personal Data Combined in E-Commerce Transactions
The concept of data protection and cyber security is a form of effort made to protect user identity from various threats and illegal access. 24In general, in the cyber world, cyber threats can be access by unauthorized people to access data and misuse personal information, facilitate attacks on other systems, and threaten the personal safety of users. 25n the current era of the Industrial Revolution 4.0, digitalization has penetrated into the realm of privacy.26 E-Commerce media platforms must be able to provide security and protection of personal data that can provide a sense of security, and comfort in the buying and selling process and conform to the Personal Data Protection Law.27 Indonesia ranked third with the highest number of accounts that experienced data breaches in the third quarter of 2022.With more than 12 million hacked accounts and cases increasing every month. 28This number is a collection of data from several threats.Regarding personal data that is combined as described in Article 4 paragraph (3) letter f of the Personal Data Protection Law, the explanation of the paragraph explains that personal data combined to identify a person includes IP Address and cell phone number.
The first combined personal data-related threat is geo-location tracking by irresponsible parties by utilizing a person's IP Address.An IP address can show geolocation in the form of a city and even a person's address. 29Based on the IP Address, information can be obtained to track the location of the user. 30his number is a collection of data from several threats.Regarding personal data that is combined as described in Article 4 paragraph (3) letter f of the Personal Data Protection Law, the explanation of the paragraph explains that personal data combined to identify a person includes IP Address and cell phone number.
The first combined personal data-related threat is geo-location tracking by irresponsible parties by utilizing a person's IP address.
An IP address can show geolocation in the form of a city and even a person's address. 31ased on the IP Address, information can be obtained to track the location of the user. 32he second combined personal data-related threat is the unauthorized use and disclosure of personal data.If someone knows the victim's IP address, they can try to connect to the victim's device.. 33 The hacked IP address may reveal the identity of the Country, State or region, City, Internet service provider (Approx), GPS coordinates, and IP address type (private, static, dynamic, or public IP address).. 34 In addition, there is a leak of traceable application user data.Sensitive customer data such as name, coordinates, phone number, address, and destination can still be accessed through the API endpoint. 35 a form of Cyber Espionage which is a crime that utilizes the internet network to conduct spying activities on other parties, by entering the target party's computer network system.Sabotage and Extortion are crimes committed by disrupting, damaging or destroying data, computer programs or computer network systems connected to the internet. 37he third combined personal data-related threat is a Distributed Denial of Service (DDoS) attack.DDoS attack.DDoS attacks can impair network or website performance by sending extremely high internet traffic to a target IP Address.If your IP Address is not protected, you are vulnerable to such attacks. 38In a DDoS attack, the attacker uses thousands or even millions of connected devices to achieve his goal, thus making it more difficult to defend against.Affected services may include email, websites, online accounts (for example, banking), or other services that rely on the affected computer or network.Denial-of-service conditions are performed by flooding the targeted host or network with traffic until the target is unable to respond or crashes, preventing access for legitimate users. 39

Legal Protection of Personal Data Combined in E-Commerce Transactions Based on Personal Data Protection Law in Indonesia
Referring to the 2009 Madrid Resolution, personal data protection regulations must regulate enforcement mechanisms, at least some of which are capable of being applied to 37 Ibid. 38Levi, "Pentingnya Keamanan IP Address Dan Cara Melindunginya!," Codepolitan.Com, last modified 2023, https://www.codepolitan.com/blog/pentingnyakeamanan-ip-address-dan-cara-melindunginya/. 39Publication Team, "Understanding Denial-of-Service Attacks," America Cyber Defence Agency.
provide sanctions varying from mild to very high.Then, the need for proactive and systemic enforcement actions, with the existence of an independent data protection authority. 40oday, the world has entered the Zettabyte era, where global IP (Internet Protocol) based communication traffic has increased rapidly in the past three years. 41The IP Address in global traffic itself cannot be underestimated.Law No. 27 of 2022 even makes IP Address an object of personal data that needs to be given protection.Against a person's IP Address as previously explained, that there are several threats to a person's IP Address, where the IP Address can be used as a medium for tracking a person's geographic location, wiretapping or unauthorized use and opening of personal data, and DDoS attack media.So it is important to be given protection.
Indonesia is a country based on law in accordance with Article 1 paragraph 3 of the 1945 Constitution.This makes the law the commander-in-chief that binds the lives of Indonesian people.Law is needed to provide protection, justice and certainty. 42egarding a person's IP Address as public personal data as mandated by Article 4 paragraph (3) letter f of Law No. 27 of 2022, the protection of the first threat that needs to be considered is the use of IP Address as a means of geographic tracking of a person.In Law Number 27 of 2022, this contradicts the principles of protection and confidentiality as mandated by Article 3 letters a and h.This law does not explain more deeply the protec- "Electronic System Operator is responsible for the implementation of its Electronic System."So that in this case, every electronic organizer is still responsible for the electronic implementation that he does.However, it should be noted that Article 15 paragraph (2) does not apply in the event that it can be proven that force majeure, error, and / or negligence of the Electronic System user as regulated in paragraph (3).
In addition, it should be noted that Article Based on these rules, it can be understood that electronic system providers are required to meet these minimum requirements to protect personal data and other important information collected from their users.In the event of a violation of this, the electronic system organizer can be given administrative sanctions as stipulated in Article 100 paragraph (1).Article 100 paragraph (2) then explains that the administrative sanctions can be in the form of a written warning, administrative fines, temporary suspension, termination of access; and/or excluded from the electronic system registration granted by the minister.In this case, it is necessary to provide legal rules related to the form and mechanism of protecting a person's IP Address as one type of personal data in Indonesia.

CONCLUSION
Based on the results of the analysis, it can be concluded that there are two types of personal data combined based on the rules applicable in Indonesia, namely IP Address and telephone number.This IP Address is definitely utilized in e-commerce as a platform that utilizes the IP address.The form of threat to this IP Address is that it can be used to track geographic location, unauthorized use & opening of personal data, and Distributed Denial of Service attacks.In the legal space Another thing that can be utilized by hackers against a person's IP Address is knowing a person's Digital Trace, which is knowing a person's digital record of what digital activities in cyberspace. 36This is Oleh Pihak Lain Tanpa Izin," Lex Privatum IX, no. 12 (2021): 92, https://ejournal.unsrat.ac.id/index.php/lexprivatum/article/view/38447. 36Ibid.
4 letter b of Government Regulation of the Republic of Indonesia Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions, explains that: "Every Electronic System Operator must operate an Electronic System that meets the minimum requirements to protect the availability, integrity, authenticity, confidentiality, and accessibility of Electronic Information in the implementation of the Electronic System."