INDONESIA LAW AND PRACTICE Contributed by: Agus Ahadi Deradjat (Agung), Gustaaf Reerink, Adri Dharma, Karina Widyaputri and Ilma Sulistyani, ABNR Counsellors at Law
storage, and disclosure of personal data. The PDP Law is substantially modelled on the Euro - pean Union’s General Data Protection Regula - tion, reflecting Indonesia’s commitment to align - ing its data protection standards with global best practices. The PDP Law officially came into force on 17 October 2024, marking a significant milestone in Indonesia’s digital governance landscape. Since its enactment, the Indonesian govern - ment, through the Ministry of Communication and Digital (MOCD), has been tasked with over - seeing its implementation. The government is currently developing a Draft Government Regu - lation on Personal Data Protection, which will provide detailed guidance on the implementa - tion and enforcement mechanisms. However, as of mid-2025, no definitive timeline has been announced for the finalisation of this implement - ing regulation. In addition to the PDP Law, personal data pro - tection requirements are also stipulated under: • pre-existing regulations that remain valid insofar as they do not conflict with the PDP Law; and • sector-specific laws and regulations, such as those governing telecommunications, electronic transactions, medical records, and financial services. 8.2 Geographical Scope The PDP Law has a notable extra-territorial effect, extending its reach beyond the coun - try’s borders. As stipulated in Article 2, the law applies to all legal acts involving personal data processing that are conducted: • within the jurisdiction of Indonesia; and
• outside the jurisdiction of Indonesia, if such acts result in legal consequences: (a) within Indonesia; and/or (b) for data subjects who are Indonesian citizens located abroad. This provision ensures that foreign-based data controllers – including individuals, public agen - cies, and international organisations – are sub - ject to the PDP Law if their activities affect Indo - nesian citizens or have legal implications within Indonesia. Consequently, a foreign company without a legal presence in Indonesia that provides services to Indonesian users must still comply with the PDP Law. If it fails to process the personal data of those users in accordance with the law’s require - ments, it may be subject to enforcement actions and sanctions, despite operating from outside Indonesia. 8.3 Role and Authority of the Data Protection Agency At present, the enforcement of PDP Law is over - seen by the Directorate General of Digital Space Supervision (DG) under MOCD. While the PDP Law mandates the establishment of an independent Data Protection Authority (DPA) – tasked with regulatory, supervisory, and enforcement responsibilities – this authority has not yet been formally constituted. In the interim, pursuant to MOCD Regulation No 1 of 2025 on Organization and Work Procedures, the DG continues to serve as the competent authority for personal data protection matters. Its responsibilities include:
350 CHAMBERS.COM
Powered by FlippingBook