Kasus pelanggaran keamanan data pribadi marak terjadi di Indonesia beberapa tahun belakangan. Akibat kasus tersebut menimbulkan berbagai kerugian terhadap Subjek Data Pribadi baik berbentuk materiil atau non-materiil. Terjadinya kebocoran data pribadi yang merugikan masyarakat ini sejatinya merupakan pelanggaran atas hak privasi serta mengancam hak konstitusional warga negara. Subjek Data Pribadi memiliki hak untuk dipulihkan dan menuntut ganti rugi atas kerugian yang timbul akibat kebocoran data. Namun, terdapat kesulitan dalam hal membuktikan dan menilai besaran nilai ganti rugi terutama kerugian non-materiil akibat kasus pelanggaran keamanan data pribadi ini. Indonesia sudah memiliki regulasi khusus di bidang pelindungan data pribadi melalui Undang-Undang Nomor 27 Tahun 2022 (UU PDP). Akan tetapi UU PDP tidak mengatur secara jelas dan teknis mengenai tata cara pengenaan ganti rugi dan upaya pemulihan tersebut. Dengan begitu, pengaturan hukum atas upaya pemulihan dan hak menuntut ganti rugi akibat kasus pelanggaran keamanan data pribadi ini dapat merujuk peraturan perundang-undangan lain seperti Kitab Undang-Undang Hukum Perdata, UU Informasi dan Transaksi Elektronik, dan UU Perlindungan Konsumen. Terkait implementasinya di Indonesia, peraturan pelindungan data pribadi ini masih baru berlaku sehingga belum ditemukan adanya praktik yang terjadi. Jika dibandingkan dengan di Uni Eropa dan Negara Inggris, implementasi atas pemenuhan hak ganti rugi selain dilakukan melalui gugatan perdata juga dapat dilakukan diluar pengadilan seperti melalui mediasi dan arbitrase. Selain itu, gugatan ganti rugi terhadap pengelola data yang melanggar hukum juga sering dilakukan melalui mekanisme Gugatan Kelompok. Penelitian ini dilakukan melalui metode studi komparasi dengan membandingkan regulasi dan implementasi atas upaya pemulihan dan ganti rugi akibat kebocoran data pribadi di Uni Eropa dan Negara Inggris. Terhadap hasil penelitian ini, disarankan kepada Pemerintah untuk segera membentuk Peraturan Pelaksana atas UU PDP, segera membentuk Lembaga Pengawas Pelindungan Data Pribadi, serta kepada penelitian selanjutnya untuk membahas lebih tentang mekanisme gugatan secara kelompok atas kasus pelanggaran keamanan data pribadi.

---

Personal data breaches in Indonesia have been rampant in recent years. As a result, there have been various damages to Personal Data Subjects, both material and non-material. The occurrence of personal data breaches that harm society is actually a violation of the right to privacy and threatens the constitutional rights of citizens. Personal Data Subjects have the right to be restored and to claim compensation for losses arising from data breaches. However, there are difficulties in proving and assessing the amount of compensation, especially non-material damages, due to this case of violation of personal data security. Indonesia already has regulations for data protection through Law Number 27 of 2022 (UU PDP). However, UU PDP does not clearly and technically regulate the procedures for imposing compensation and remedies. Thus, the legal regulation of remedies and the right to claim compensation due to cases of personal data security breaches can refer to other laws and regulations such as the Civil Code, ITE Law, and Consumer Protection Law. Regarding its implementation in Indonesia, there is no practice for the remedies and claiming compensation yet. Compared to the implementation in European Union and the United Kingdom, the execution of the right to compensation besides being carried out through civil lawsuits, can also be carried out outside the court, such as through mediation. In addition, compensation claims against data controllers who violate the law are often carried out through the Class Action mechanism. This research is conducted through a comparative study method by comparing the regulation and implementation of remedies and compensation efforts due to personal data breaches in the European Union and the United Kingdom. Based on the results of this research, it is recommended that the Government immediately form an Implementing Regulation of the PDP Law, immediately form a Personal Data Protection Supervisory Agency, and regulate in more detail the mechanism for class actions in cases of violations of personal data security