Flying Safe, Data Unsafe? Personal Data Protection in Indonesia’s Aviation Industry

Jennifer and Nadya Cristabella/Indonesia
Legal Basis for Digital ID Policy in Indonesia
Indonesia’s regulation of electronic identity began in 2006, when population data started to be recorded electronically, although a clear digital identity system had not yet been established. A clearer legal basis emerged under Law No. 24 of 2013, which defines the Electronic Resident Identity Card (KTP-el) as an official identity document equipped with a chip to ensure uniqueness and prevent duplication or forgery. For the aviation sector, this framework is particularly relevant for passenger data management, identity verification, and security control as KTP-el data can support accurate passenger identification, reduce identity fraud, and enhance the integrity of aviation information systems. However, subsequent regulations on online population administration services, including Minister of Home Affairs Regulation No. 7 of 2019 and its amendment under Regulation No. 2 of 2023, only regulate electronic population documents in general and do not clearly regulate how Digital ID should be integrated, creating legal uncertainty for secure and real-time identity verification in aviation systems.
Personal Data Protection and Legal Certainty Challenges
Based on data released by the National Cyber Security Index (NCSI), Indonesia ranks 83rd out of 160 countries in cybersecurity readiness, with a score of 38.96, and 46.84 for digital development. In the Southeast Asian region, Indonesia is ranked sixth out of ten countries, far behind Malaysia and Singapore, which demonstrate significantly stronger cybersecurity preparedness. This weak level of cybersecurity poses a serious challenge for the aviation sector, which increasingly relies on digital systems for ticketing, passenger data management, and security screening, thereby heightening the risk of cyber incidents that can directly undermine passenger confidence in airlines.
In the aviation context, leaked passenger data can be exploited for targeted fraud and phishing, using information obtained from airline databases such as travel history, contact details, and identity numbers. Because airline data is generally trusted as accurate, it can be misused by criminals to convincingly impersonate airlines, airport authorities, or travel agents via phone calls, emails, or messaging platforms. Such misuse not only causes financial losses for passengers but also damages customer trust, as airlines are seen as failing to protect sensitive data entrusted to them.
The risks escalate further when leaked aviation-related personal data is used for financial crimes, including bank account takeovers, unauthorized transactions, or fraudulent online loans in the passenger’s name. Access to critical identifiers such as the National Identity Number (NIK), combined with travel and contact data, allows criminals to bypass verification processes. For passengers, this creates long-term insecurity and reluctance to share personal information with airlines, ultimately weakening trust in digital aviation services.
Moreover, the integration of personal and biometric data into centralized digital identity systems raises serious concerns for the aviation sector, which routinely processes biometric data for check-in, boarding, and security clearance. Linking biometric data to a single digital identity means that one data breach can affect millions of passengers at once. In the absence of strong enforcement and robust cybersecurity governance, such vulnerabilities challenge legal certainty and further erode public confidence in airlines’ ability to manage data responsibly.
Weak personal data protection therefore has direct implications for aviation security and flight safety, as compromised identity data may be used for impersonation, manipulation of passenger manifests, or infiltration of high-risk individuals into aviation systems. Beyond operational risks, repeated data breach incidents significantly undermine public trust in airlines, as passengers increasingly associate aviation safety not only with physical security but also with the airline’s capacity to safeguard personal data. This shows that protecting passenger data is not just a privacy issue, but a core part of aviation security, safety, and public trust.

Aviation Data Breaches and the Evolution of Personal Data Protection Law in Indonesia
Aviation service providers, such as airlines, airports, and ticketing providers, also manage sensitive passenger data, such as identity cards, transactions, and flight manifests, which are vulnerable to leaks and misuse. Recent cases of aviation data breaches demonstrate that cybersecurity systems in aviation services are also vulnerable to data theft. For example, Qantas Airways confirmed a cyber-attack exposing personal data of around 5.7–6 million customers, including names, email addresses, phone numbers, dates of birth, and frequent flyer numbers, after a third-party platform used by its call centre was breached. This incident reflects broader systemic weaknesses in airline cybersecurity and third-party risk management.
Other notable breaches include Cathay Pacific, where data for approximately 9.4 million passengers, including passport numbers and contact details, was exposed, demonstrating how legacy systems and poor network security can remain compromised for extended periods. EasyJet experienced a breach affecting around 9 million customers, with some credit card details accessed, highlighting how reservation systems and shared infrastructure can be vectors for large-scale leaks. British Airways’ 2018 incident saw personal and payment card data of hundreds of thousands of customers stolen via malware injected into its web payment pages, resulting in multiple forms of loss, both material and immaterial.
The 2019 Lion Air customer data breach also prompted a new Personal Data Protection Law, enacted in 2022, which affirms the responsibility of data controllers to ensure the security and confidentiality of personal data. Within aviation, the obligation to safeguard passenger data is clearly imposed on airlines as data controllers and electronic system operators. Law No. 27 of 2022 on Personal Data Protection affirms airlines’ responsibility to ensure the security, confidentiality, and lawful processing of passenger personal data throughout reservation, check-in, and flight operations. This obligation is reinforced by Law No. 11 of 2008 on Electronic Information and Transactions, as amended by Law No. 19 of 2016, and Government Regulation No. 71 of 2019, which require airlines to operate reliable and secure electronic systems. Together, these laws show that data protection has become an essential part of aviation operations and security in Indonesia.
***
Jennifer, S.H., M.H. is a lecturer in the criminal law laboratory at the University of Surabaya. In 2013, she completed her undergraduate degree from the Faculty of Law at the University of North Sumatra and subsequently completed her master’s degree from the University of North Sumatra, graduating Summa Cum Laude. Jennifer conducted research through her thesis in the field of environmental criminal law and its relationship to corporate crime. She is currently active in writing and researching corporate crime, including environmental crime, economic crime, and transnational crime.
Nadya Cristabella is an undergraduate student at the Faculty of Law, Universitas Surabaya. She is interested in international law.



