FGD on Biometric Data Protection in the Use of Extended Reality (XR) for the Tourism Industry

This FGD is part of the research themed "Biometric Data Protection in the Use of XR in Indonesia" which is funded by the Ministry of Education and Culture's DRTPM Grant for Fiscal Year 2023. This research was initiated and led by Dr Jur. Sih Yuliana Wahyuningtyas, S.H., M.Hum and consists of Dr. Yerik Afrianto Singgalen, M.Si., M.Kom, Stephen Aprius Sutesno, Konrardus Elias Liat, S.H., M.H., and Antonius Bayu, S.H..

Biometric data protection in XR is still relatively new and requires thorough examination to ensure responsible and ethical implementation of this technology. This FGD aims to strengthen the overall understanding of the challenges and opportunities related to XR in the context of Indonesian tourism, while addressing critical issues related to personal data protection.

Currently, the use of XR in tourism in Indonesia is not specifically regulated in a special regulation but still operates under the umbrella of Law No. 27 of 2022 on Personal Data Protection (UU PDP). Given the relative newness of XR in this sector, specific regulations relating to XR still do not exist. Therefore, this FGD comes at a crucial time to explore and shape potential frameworks and guidelines in protecting biometric data in the XR domain.

The FGD was opened with a presentation from the research team that explained the objectives of the research, including how to ensure users' rights to control their biometric data, especially in relation to XR. In addition, the research team tried to trigger a discussion on specific data arrangements that already exist in article 4 paragraph 2 letter b of the PDP Law, but it was deemed necessary to provide further deepening both in terms of regulation and research. The team also briefly explained how biometric data processing works and provided a real-life example of PT KAI's use of facial recognition to verify passengers entering the platform.

Prof. Dr. Ida Bagus Rahmadi Supancana, S.H., M.H., delivered his presentation which observed the massive development of technology in line with the increasingly widespread use of biometric data. He emphasised the importance of making derivative regulations from the PDP Law and applying the principle of minimum disclosure in personal data protection. In addition to regulations, there needs to be recommendations from technology companies to provide additional protection against cyber threats to personal data.

In line with Prof. Supancana, Prof. Dr. Sinta Dewi Rosadi, S.H., M.H., provided valuable insights on best practices for protecting biometric data in XR applications. "When business activities are already underway, risk mitigation is often overlooked, and users do not even understand the risks that may arise. Therefore, the PDP Law which generally regulates data protection must be complemented with derivative rules governing biometric data protection management," added Prof. Sinta.

On the other hand, the importance of inclusivity in the implementing regulations is a concern for Hendri Sasmita Yuda. He understands the importance of derivative and implementing regulations from the PDP Law. His presence also shows the government's commitment in addressing the regulatory aspect by accommodating various inputs from all stakeholders, including academics.

While from a consultant's perspective, Shaanti Shamdasani in her presentation emphasised the key principle of self-regulating to protect our personal data. While recognizing the importance of laws, she highlighted the need for self-protection.

The discussion progressed to the definition of sensitive data and which countries have rules and define sensitive data, which was explained by Parasurama Pamungkas. He also emphasised the relevance in this topic, especially when children become XR users, whether the children can give consent. This is an important concern in the context of this discussion.

Shevierra Danmadiyah expressed concern about the protection of biometric data, which has the potential to cause bias and discrimination. She also highlighted the importance of examining its relationship with the issue of Online Gender-Based Violence (GBV), especially as GBV victims are often from vulnerable groups. Consideration of the need for a Data Protection Officer (DPO) was also expressed in relation to biometric data collection.

As an XR user, Eugenius Kau Suni, also responded in the FGD that users sometimes do not pay attention to the importance of consent and the type of data taken in using an application. This illustrates the lack of public awareness of the importance of personal data protection.

This collaborative activity encourages all stakeholders to contribute actively and constructively, creating an enabling environment for the exchange of ideas and solutions. Bringing together experts, government officials, civil society and non-governmental organisations, legal practitioners, and users, the FGD aims to prepare an action plan for the responsible use of XR in Indonesia's tourism sector, prioritizing data privacy and user rights.

The exchange of ideas and views during the FGD has paved the way for potential frameworks and guidelines to ensure responsible and ethical use of XR in Indonesia. The absence of specific regulations on XR in tourism was recognised, and participants collectively agreed on the need for proactive measures to protect biometric data.