Implementation of Personal Data Privacy Law in Indonesia: Examining Benefits and Key Challenges

Centre for Strategic and International Studies’ Adinova Fauri examines the social and economic benefits as well as challenges of the Indonesian Personal Data Protection Law.

By Adinova Fauri , Centre for Strategic and International Studies (CSIS) Indonesia

Considering the rapid advancement of digital technologies coupled with market externalities, consumer protection and data privacy has become key issues for governments to pay heed to. With the exploitation of data on the rise, Indonesia’s timely success in enacting the Personal Data Protection (PDP) Law warrants credit.

With the PDP Law passed on 17 October 2022 by Indonesia’s President and House of Representatives (DPR), Indonesia joins neighboring nations such as Singapore, Malaysia, Philippines, Thailand, and many other countries who have PDP Laws in place. This act demonstrates the government’s urgency in PDP issues as Indonesia continues to grow its digital economy.

Social and Economic Benefits of PDP Law

1. Data Protection Law as a human right

Under the PDP Law, personal data subjects are given more control over their own personal data. This includes, but is not limited to, the right to access and erase personal information. This provision ensures that personal data belongs to the individual and not to the corporation or institution that gathers and processes it, elevating data protection to that of a basic human right.

In the past, medical data of patients in Indonesia were not transferable between hospitals as the data was obtained by the hospital and thus regarded as the hospital’s data. With the PDP Law, it is believed that patient data would be more freely shared and accessible, boosting the efficiency of Indonesian health services.

2. Data Protection Law builds trust and promotes economic cooperation

The presence of a defined framework for consumer protection, particularly in personal data, will boost consumer trust in utilising digital services. In the context of the Digital Financial Services (DFS) in Indonesia, trust plays an important role in predicting positive attitudes towards DFS and the intention to adopt such services. Thus, with the PDP Law in place, this will enable financial services in Indonesia to be more inclusive and accessible.

In addition, a robust framework for personal data protection generates economic benefits for the country as it enables and encourages cross border data flow which is essential for economic transactions and enabling innovation. As highlighted in the 2023 World Economic Forum, cross border e-commerce is a $2.7 trillion industry that heavily depends on cross-border data transfer. In light of the increasing significance of data both the digital and traditional manufacturing sector, it is vital to promote public-private partnership in adopting Data Free Flows with Trust (DFFT) as a tool for trust-based data exchanges.


Key Challenges of PDP Law

Despite its social and economic benefits, the PDP is far from perfect. The Indonesian government still faces several challenges to establish a more robust system for citizens’ personal data.

1. Lack of education in the collection and processing of personal data

The current approach used by the Indonesian government on data protection is largely enforcement and compliance based, with the use of punishments such as fines to enforce cooperation. However, such an approach does not take into consideration the lack of education by the general public on how to protect and properly share their private information. In addition, entities that collect and process data should also be properly trained to handle data in accordance with PDP Law’s principles. Thus, a shift in approach is needed to educate consumers and entities alike on proper data principles, to fully realise the promise of the PDP Law.

2. Workforce Gap in Data Protection Officers

Another difficulty that Indonesia faces in its effort to strengthen data protection measures is a shortage of data protection officers (DPO). The Indonesia law currently mandates the appointment of DPOs in all organisations, be it digital or non-digital sectors, to ensure proper governance of PDP. With the mandate in place, only 27.3% of firms, according to a survey performed by the Ministry of Communication and Information in 2021, have designated DPOs, signalling a significant workforce gap in DPOs. As a result, the government has provided business incentives and support to organisations to train their employees on PDP competencies, as well as to hire overseas experts to fill the workforce gap.

3. Lack of harmonisation of existing regulations

Several government bodies in Indonesia such as the Bank Indonesia and Otoritas Jasa Keuangan (Financial Services Authority of Indonesia) have recently established their own internal policies to ensure data privacy. In addition, there are also existing regulations in place that currently restrict cross border data movement, making it illegal to store and process data anywhere other than within the country. According to the Information Technology & Innovation Foundation’s (ITIF) report, data localization and other restrictions to data flows negatively affect the economy. With the above regulations and constraints, it is pivotal for the various government agencies to work together and harmonise all existing regulations to comply with the PDP Law.

4. The Urgent Need for PDP Law Implementing Regulations

The Indonesian government’s initiative to establish a comprehensive personal data protection policy framework is far from finished. As the PDP Law only sets out normative provisions for personal data protection, there is a mandate to have 10 implementing rules to detail the implementation of the PDP Law. As part of the 10 implementing rules, there will be nine government regulations (PP) and one presidential regulation (Perpres). The implementing regulations are issued to provide explicit standards, for both the private institutions and public institutions, given that both types of institutions will collect, store, and process personal data. The implemented regulations will seek to address a myriad of issues such as risk-based data classification, data authorization and enforcement rights, mechanisms for data processing and transfer, administrative sanctions and compliance index indicators, and the establishment of an independent supervisory body to oversee personal data protection in Indonesia.

Thus, to fulfil the promise of the PDP Law, there is still much work to be done to address the above challenges. While these issues may be daunting, the enactment of the PDP Law has been a crucial step in the right direction: one that would require the cooperation of consumers, businesses, and government agencies, as only in partnership can an inclusive and confident digital society be built.

Adinova Fauri is a researcher at the Department of Economics, Centre for Strategic and International Studies in Jakarta, Indonesia. Currently, he undertakes several research projects related to digital economy, financial inclusion, international and industrial policy, and labour economic issues focusing on digital skills and literacy.

The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.

Download Report

Download Report

Latest Updates

Latest Updates​

Keep pace with the digital pulse of Southeast Asia!

Never miss an update or event!

Mouna Aouri

Programme Fellow

Mouna Aouri is an Institute Fellow at the Tech For Good Institute. As a social entrepreneur, impact investor, and engineer, her experience spans over two decades in the MENA region, South East Asia, and Japan. She is founder of Woomentum, a Singapore-based platform dedicated to supporting women entrepreneurs in APAC through skill development and access to growth capital through strategic collaborations with corporate entities, investors and government partners.

Dr Ming Tan

Founding Executive Director

Dr Ming Tan is founding Executive Director for the Tech for Good Institute, a non-profit founded to catalyse research and collaboration on social, economic and policy trends accelerated by the digital economy in Southeast Asia. She is concurrently a Senior Fellow at the Centre for Governance and Sustainability at the National University of Singapore and Advisor to the Founder of the COMO Group, a Singaporean portfolio of lifestyle companies operating in 15 countries worldwide.  Her research interests lie at the intersection of technology, business and society, including sustainability and innovation.


Ming was previously Managing Director of IPOS International, part of the Intellectual Property Office of Singapore, which supports Singapore’s future growth as a global innovation hub for intellectual property creation, commercialisation and management. Prior to joining the public sector, she was Head of Stewardship of the COMO Group and the founding Executive Director of COMO Foundation, a grantmaker focused on gender equity that has served over 47 million women and girls since 2003.


As a company director, she lends brand and strategic guidance to several companies within the COMO Group. Ming also serves as a Council Member of the Council for Board Diversity, on the boards of COMO Foundation and Singapore Network Information Centre (SGNIC), and on the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.


In the non-profit, educational and government spheres, Ming is a director of COMO Foundation and Singapore Network Information Centre (SGNIC) and chairs the Asia Advisory board for Swiss hospitality business and management school EHL. She also serves on  the Council for Board Diversity and the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.


Ming was educated in Singapore, the United States, and England. She obtained her bachelor’s and master’s degrees from Stanford University and her doctorate from Oxford.