Data protection & privacy laws in Indonesia (2026)
Indonesia enacted a comprehensive, GDPR-inspired Personal Data Protection Law (Law No. 27 of 2022) on 17 October 2022, with a two-year transition period that ended on 17 October 2024, after which full compliance is required. The law applies to public and private controllers/processors and has extraterritorial reach. However, key institutional pieces remain incomplete: the mandated independent Data Protection Authority has not yet been formed and the detailed implementing Government Regulation is still being finalized as of early-to-mid 2026.
Key points
Law No. 27 of 2022 (UU PDP) is Indonesia's first omnibus personal-data law, modeled on the EU GDPR. It covers data subject rights, lawful processing bases (including consent), special-category data, breach notification, and cross-border transfers, applying both within and beyond Indonesia.
Controllers and processors were given a two-year grace period that expired on 17 October 2024; since then full compliance is mandatory and non-compliance is enforceable.
The PDP Law requires a presidentially established Data Protection Authority (Lembaga PDP), but it has not yet been formed. A draft Presidential Regulation to create it was made public around the end of February 2026 and is awaiting presidential approval, with a target launch around mid-2026.
Pending the dedicated authority, data-protection matters are handled by the Ministry of Communication and Digital Affairs (Komdigi), specifically its Directorate General of Digital Space Supervision under Komdigi Regulation 1/2025.
The detailed implementing Government Regulation (RPP PDP, reportedly ~245 articles on data-subject rights, controller obligations and oversight) completed inter-ministerial harmonization in 2025 but had not yet been formally enacted as of early 2026; it is expected to clarify cross-border transfer adequacy and safeguard mechanisms.
Obligations include a lawful basis for processing, transparency, breach notification, appointing a DPO in defined cases, and data protection by design. Sanctions include administrative fines up to 2% of annual revenue, suspension of processing, and criminal penalties for unlawful data acquisition or disclosure.
Timeline - major decisions & events
The long-delayed implementing regulation (RPP PDP) and the Presidential Regulation establishing Indonesia's Personal Data Protection Agency entered the harmonization stage at the Ministry of Law in October 2025, with the agency targeted to become operational in 2026; until then the Ministry of Communication and Digital Affairs handles supervision.
Source: Chambers and Partners
The grace period under Law No. 27/2022 expired, so all data controllers and processors must now fully comply with the PDP Law and face administrative and criminal sanctions for breaches, even though the dedicated supervisory authority is not yet operational.
Source: DLA Piper Data Protection Laws of the World
A LockBit 3.0-variant ransomware attack on Indonesia's temporary National Data Centre disrupted 282 public services including immigration, with attackers demanding US$8 million; the government refused to pay and the breach exposed that only ~2% of hosted data was backed up.
Source: GovInsider
President Joko Widodo signed the second revision of the Electronic Information and Transactions Law, refining provisions on electronic systems, content, and criminal penalties that had drawn criticism for chilling online speech.
Source: SSEK Law Firm
A threat actor exfiltrated and offered for sale a database of roughly 252 million voter records from the General Elections Commission (KPU) ahead of the February 2024 presidential election, after employee credentials were compromised by infostealer malware.
Source: Resecurity
Indonesia's first comprehensive data-protection law came into force, establishing data-subject rights, controller/processor obligations, special-category data rules, cross-border transfer requirements, fines up to 2% of annual revenue, and a mandate to create a national supervisory authority.
Source: Library of Congress
Highly sensitive data (national ID/NIK, phone, email, address) tied to the state health-insurance agency BPJS Kesehatan was leaked and sold on Raid Forums; the National Police summoned BPJS executives, intensifying public pressure for a dedicated data-protection law.
Source: Indonesian National Police
GR 71/2019 (replacing GR 82/2012) modernized rules for electronic system operators, mandated PSE registration for both public and private operators, eased data-localization for private operators, and set personal-data-protection and security obligations.
Source: Global Compliance News
The first dedicated personal-data-protection rule required written consent, encrypted storage, a minimum five-year retention, breach notification, and coordination with the ministry for cross-border transfers; it was the de facto framework until the PDP Law.
Source: Ministry of Communication and Informatics (via DataGuidance)
The first revision of the ITE Law added the concept of electronic system providers, a right to request deletion of irrelevant electronic information (right to be forgotten), content-blocking powers, and recalibrated criminal penalties.
Source: Conventus Law
Indonesia's foundational digital-law statute recognized electronic documents and signatures and contained the country's earliest, limited personal-data provision (consent to use electronic personal data), forming the legal base later built upon by GR 71/2019 and the PDP Law.
Source: Law No. 11 of 2008 (JICA translation)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.