By Adinova Fauri, Researcher at the Centre for Strategic and International Studies (CSIS), Indonesia
Indonesia’s efforts to safeguard personal data remain a work in progress. The enactment of Law No. 27/2022 on Personal Data Protection (PDP Law) was a significant milestone, but without the necessary implementing regulations, its full effectiveness remains uncertain. This regulatory gap creates ambiguity, making enforcement challenging and potentially weakening compliance efforts.
Under the PDP Law, full enforcement was scheduled to begin on 17 October 2024, following a two-year transition period. This grace period is intended to allow organisations time to align with the law’s requirements before compliance becomes mandatory. For private sector entities, this means significant operational adjustments, including appointing Data Protection Officers (DPOs), investing in data security infrastructure, and ensuring business practices adhere to the law’s principles.
For the government, the transition period is just as critical. It must draft and finalise implementing regulations, establish an independent data protection authority, and restructure internal processes to ensure compliance—since the law applies to both public and private entities. The delay in issuing these regulations not only hinders enforcement but also increases the risk of weak compliance and inconsistent data protection practices. Without clear guidelines and regulatory oversight, organisations may struggle to meet their obligations, leaving personal data more vulnerable to misuse.
To truly safeguard personal data, Indonesia must prioritise the swift and effective implementation of the PDP Law, ensuring that both businesses and government bodies have the necessary frameworks and resources to comply.
Challenges in Implementing Indonesia’s Personal Data Protection Law
1. Difficulties in Effective Implementation
One of the key provisions of the PDP Law is the establishment of an independent data protection authority responsible for enforcement. Without this institution, there is no clear entity to oversee compliance, investigate potential violations, or handle personal data breaches.
Additionally, implementing regulations are essential to serve as the foundation for sectoral rules. Without these regulations, sectoral harmonisation will be delayed, potentially undermining the effectiveness of the PDP Law’s implementation.
2. Risk of Low Compliance
Another major challenge is the risk of low compliance. Studies have shown that adherence to personal data protection laws tends to be low in various countries, and Indonesia is no exception. The broad principles outlined in Indonesia’s legal framework (Undang-Undang) often lack detailed technical guidance. Without clear implementation guidelines, organisations may struggle to understand and comply with the PDP Law, leading to weak enforcement.
These challenges highlight the urgency of strengthening Indonesia’s personal data governance. In the past two years alone, multiple high-profile data breaches, including the Bjorka case, ransomware attacks on the National Data Centre, and leaks of taxpayer identification data (NPWP), have underscored the urgent need for a comprehensive regulatory framework.
Policy Recommendations
The transition to a new administration presents an opportunity to position data protection as a key national agenda item. Without strong political will, the creation of implementing regulations and the establishment of a data protection authority may continue to face delays.
A shift in perspective is crucial. Data protection should not be seen as a barrier to digital economic growth but rather as an enabler. For instance, a report by the Ministry of Communication and Digital Affairs (Komdigi) revealed that 21% of respondents were hesitant to fully utilise digital platforms due to concerns over personal data security. Strengthening data protection measures can build public trust in digital services, fostering a more resilient and dynamic digital economy.
One of the most pressing issues surrounding the PDP Law is the delayed formation of the independent authority responsible for overseeing data protection. Despite being a cornerstone of the law, this institution remains unestablished even two years after its passage. In the interim, Komdigi has proposed overseeing data protection enforcement, but this approach raises concerns about impartiality. A truly independent oversight body is essential, as it must operate free from political influence and possess the autonomy to initiate data privacy investigations across all sectors. Given that the PDP Law applies to both private and government institutions, maintaining an independent regulatory framework is crucial to ensuring fair and effective enforcement.
A strong data protection framework relies not only on regulations but also on public awareness and digital literacy. However, awareness of personal data security remains low in Indonesia. In 2024, Indonesia’s digital skills and literacy score stood at 58.25, with even lower awareness of data protection practices. For example, only 36.4% of respondents reported using two-factor authentication, and just 64.8% refrained from uploading sensitive personal data on social media.
To address this gap, large-scale public awareness campaigns must be implemented. So far, the government’s efforts have been limited, primarily focusing on the digital and financial sectors. Future initiatives should take a broader approach, targeting all industries, as the PDP Law applies universally.
Additionally, a risk-based assessment framework could be introduced to ease the transition. A phased implementation approach, where smaller, lower-risk businesses receive temporary exemptions, would allow for a more practical and effective rollout of the law. Overly stringent regulations could impose unnecessary costs, placing an undue burden on the economy.
Strengthening Data Protection for a Trusted Digital Economy
Indonesia’s PDP Law marks a significant step towards stronger data governance, but its effectiveness depends on swift and decisive action. Prioritising the issuance of implementing regulations, establishing an independent enforcement authority, and fostering greater public awareness are critical to ensuring a robust data protection framework. By addressing these challenges, Indonesia can strengthen its digital ecosystem, protect personal data, and build greater public trust in its digital economy.
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
