Strengthening Indonesia’s Personal Data Protection Framework

Adinova Fauri, a researcher at Indonesia’s Centre for Strategic and International Studies (CSIS), explores the progress and challenges in implementing the country’s Personal Data Protection (PDP) Law, highlighting key gaps that remain in the regulatory framework. This article expands on previous analyses of the PDP Law and provides the latest updates on its development.

This article is also available in Bahasa Indonesia, please click here.


By Adinova Fauri, Researcher at the Centre for Strategic and International Studies (CSIS), Indonesia

Indonesia’s efforts to safeguard personal data remain a work in progress. The enactment of Law No. 27/2022 on Personal Data Protection (PDP Law) was a significant milestone, but without the necessary implementing regulations, its full effectiveness remains uncertain. This regulatory gap creates ambiguity, making enforcement challenging and potentially weakening compliance efforts.

Under the PDP Law, full enforcement was scheduled to begin on 17 October 2024, following a two-year transition period. This grace period is intended to allow organisations time to align with the law’s requirements before compliance becomes mandatory. For private sector entities, this means significant operational adjustments, including appointing Data Protection Officers (DPOs), investing in data security infrastructure, and ensuring business practices adhere to the law’s principles.

For the government, the transition period is just as critical. It must draft and finalise implementing regulations, establish an independent data protection authority, and restructure internal processes to ensure compliance—since the law applies to both public and private entities. The delay in issuing these regulations not only hinders enforcement but also increases the risk of weak compliance and inconsistent data protection practices. Without clear guidelines and regulatory oversight, organisations may struggle to meet their obligations, leaving personal data more vulnerable to misuse.

To truly safeguard personal data, Indonesia must prioritise the swift and effective implementation of the PDP Law, ensuring that both businesses and government bodies have the necessary frameworks and resources to comply.

 

Challenges in Implementing Indonesia’s Personal Data Protection Law

1. Difficulties in Effective Implementation

One of the key provisions of the PDP Law is the establishment of an independent data protection authority responsible for enforcement. Without this institution, there is no clear entity to oversee compliance, investigate potential violations, or handle personal data breaches.

Additionally, implementing regulations are essential to serve as the foundation for sectoral rules. Without these regulations, sectoral harmonisation will be delayed, potentially undermining the effectiveness of the PDP Law’s implementation.

2. Risk of Low Compliance

Another major challenge is the risk of low compliance. Studies have shown that adherence to personal data protection laws tends to be low in various countries, and Indonesia is no exception. The broad principles outlined in Indonesia’s legal framework (Undang-Undang) often lack detailed technical guidance. Without clear implementation guidelines, organisations may struggle to understand and comply with the PDP Law, leading to weak enforcement.

These challenges highlight the urgency of strengthening Indonesia’s personal data governance. In the past two years alone, multiple high-profile data breaches, including the Bjorka case, ransomware attacks on the National Data Centre, and leaks of taxpayer identification data (NPWP), have underscored the urgent need for a comprehensive regulatory framework.

 

Policy Recommendations

The transition to a new administration presents an opportunity to position data protection as a key national agenda item. Without strong political will, the creation of implementing regulations and the establishment of a data protection authority may continue to face delays.

A shift in perspective is crucial. Data protection should not be seen as a barrier to digital economic growth but rather as an enabler. For instance, a report by the Ministry of Communication and Digital Affairs (Komdigi) revealed that 21% of respondents were hesitant to fully utilise digital platforms due to concerns over personal data security. Strengthening data protection measures can build public trust in digital services, fostering a more resilient and dynamic digital economy.

One of the most pressing issues surrounding the PDP Law is the delayed formation of the independent authority responsible for overseeing data protection. Despite being a cornerstone of the law, this institution remains unestablished even two years after its passage. In the interim, Komdigi has proposed overseeing data protection enforcement, but this approach raises concerns about impartiality. A truly independent oversight body is essential, as it must operate free from political influence and possess the autonomy to initiate data privacy investigations across all sectors. Given that the PDP Law applies to both private and government institutions, maintaining an independent regulatory framework is crucial to ensuring fair and effective enforcement.

A strong data protection framework relies not only on regulations but also on public awareness and digital literacy. However, awareness of personal data security remains low in Indonesia. In 2024, Indonesia’s digital skills and literacy score stood at 58.25, with even lower awareness of data protection practices. For example, only 36.4% of respondents reported using two-factor authentication, and just 64.8% refrained from uploading sensitive personal data on social media.

To address this gap, large-scale public awareness campaigns must be implemented. So far, the government’s efforts have been limited, primarily focusing on the digital and financial sectors. Future initiatives should take a broader approach, targeting all industries, as the PDP Law applies universally.

Additionally, a risk-based assessment framework could be introduced to ease the transition. A phased implementation approach, where smaller, lower-risk businesses receive temporary exemptions, would allow for a more practical and effective rollout of the law. Overly stringent regulations could impose unnecessary costs, placing an undue burden on the economy.

Strengthening Data Protection for a Trusted Digital Economy

Indonesia’s PDP Law marks a significant step towards stronger data governance, but its effectiveness depends on swift and decisive action. Prioritising the issuance of implementing regulations, establishing an independent enforcement authority, and fostering greater public awareness are critical to ensuring a robust data protection framework. By addressing these challenges, Indonesia can strengthen its digital ecosystem, protect personal data, and build greater public trust in its digital economy.


About the Writer

Adinova Fauri is a Researcher in the Department of Economics, Centre for Strategic and International Studies (CSIS), Indonesia. Currently, he undertakes several research projects related to digital economy, financial inclusion, international and industrial policy, and labour economic issues focusing on digital skills and literacy.

About the Organisation

The Centre for Strategic and International Studies (CSIS) is Indonesia’s oldest think tank specialising in policy research and strategic analysis in economics, politics, and international relations.

 

The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.

Tag(s):

Keep pace with the digital pulse of Southeast Asia!

Never miss an update or event!

Mouna Aouri

Programme Fellow

Mouna Aouri is an Institute Fellow at the Tech For Good Institute. As a social entrepreneur, impact investor, and engineer, her experience spans over two decades in the MENA region, South East Asia, and Japan. She is founder of Woomentum, a Singapore-based platform dedicated to supporting women entrepreneurs in APAC through skill development and access to growth capital through strategic collaborations with corporate entities, investors and government partners.

Dr Ming Tan

Founding Executive Director

Dr Ming Tan is founding Executive Director for the Tech for Good Institute, a non-profit founded to catalyse research and collaboration on social, economic and policy trends accelerated by the digital economy in Southeast Asia. She is concurrently a Senior Fellow at the Centre for Governance and Sustainability at the National University of Singapore and Advisor to the Founder of the COMO Group, a Singaporean portfolio of lifestyle companies operating in 15 countries worldwide.  Her research interests lie at the intersection of technology, business and society, including sustainability and innovation.

 

Ming was previously Managing Director of IPOS International, part of the Intellectual Property Office of Singapore, which supports Singapore’s future growth as a global innovation hub for intellectual property creation, commercialisation and management. Prior to joining the public sector, she was Head of Stewardship of the COMO Group and the founding Executive Director of COMO Foundation, a grantmaker focused on gender equity that has served over 47 million women and girls since 2003.

 

As a company director, she lends brand and strategic guidance to several companies within the COMO Group. Ming also serves as a Council Member of the Council for Board Diversity, on the boards of COMO Foundation and Singapore Network Information Centre (SGNIC), and on the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

In the non-profit, educational and government spheres, Ming is a director of COMO Foundation and Singapore Network Information Centre (SGNIC) and chairs the Asia Advisory board for Swiss hospitality business and management school EHL. She also serves on  the Council for Board Diversity and the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

Ming was educated in Singapore, the United States, and England. She obtained her bachelor’s and master’s degrees from Stanford University and her doctorate from Oxford.