With one of the largest legal teams in Japan, we bring a wealth of practical knowledge focused on the singular purpose of providing high quality legal services.


Our lawyers have authored or co-authored a number of newsletters, articles, books and other materials covering a wide range of legal areas to address the latest legal developments and increasingly diverse and complex issues.


We regularly hold seminars and offer lectures through various formats, such as online streaming.


A Closer Look at Indonesia’s Government Regulation Draft on the Implementation of Personal Data Protection Law (Indonesia)

NO&T Asia Legal Review

Luciana Fransiska
Nagashima Ohno & Tsunematsu
Journal /
NO&T Asia Legal Review No.72 (November, 2023)
Practice Areas
*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.


Nearly a year following the enactment of Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), the Ministry of Communications and Information Technology of the Republic of Indonesia (“MOCI”) on 31 August 2023 published the draft of the government regulation (“GR Draft”) regarding the implementation of PDP Law for public discussion and consultation.

The period for public comments was closed on 25 September 2023 (extended from 14 September 2023). The public was encouraged to share feedback by creating an online account and submitting their inputs through a dedicated website established by MOCI (www.pdp.id). The GR Draft is expected to come into force in October 2024.

The issuance of the GR Draft aimed to provide a comprehensive framework and further clarification on the PDP Law. Nonetheless, we note that some provisions still lack a clear explanation.

The GR Draft spans over 188 pages, comprising a total of 10 chapters and 245 articles that specifically address the following topics:

  • 1) General provisions;
  • 2) Personal data;
  • 3) Processing of personal data;
  • 4) Rights and obligations;
  • 5) Personal data transfers outside the jurisdiction of the Republic of Indonesia;
  • 6) International cooperation;
  • 7) Authority of the Personal Data Protection Agency (“PDP Agency”);
  • 8) Administrative sanctions;
  • 9) Dispute resolution and procedural law; and
  • 10) Closing provisions.

Key Provisions of the GR Draft

Key provisions of the GR Draft include the following:

Expansion of Specific Personal Data

In addition to specific personal data listed in the PDP Law, this GR Draft broadens the definition of personal data by adding “other data in accordance with the provisions of laws and regulations”. It stipulates that “other data” is classified as specific personal data if it potentially can create more significant harm to personal data subjects, such as discrimination, material/non-material loss, or a violation of the law. However, the GR Draft does not provide further explanation for calculating material/non-material loss, including the method to determine the extent of “more significant harm” to personal data subjects. MOCI in coordination with the PDP Agency established under the PDP Law shall have the authority and discretion to determine and designate additional data as ‘other data’.

More Detailed Obligations of Personal Data Controllers

The GR Draft sets out more specific obligations for a personal data controller. For instance, in order to enhance the security and convenience of personal data subjects, the personal data controllers are required to set up a communication line that allows the personal data subject to communicate directly with the personal data controller. In addition, the GR Draft also requires the personal data controller to establish a policy for personal data processing and an agreement with the personal data processor which sets out statutory minimum provisions as regulated under the GR Draft.

The GR Draft also provides further details on how the personal data controller can obtain consent from personal data subjects, including through electronic measures (e.g., columns and other consent features) which is not addressed yet in the PDP Law.

Mechanism for Claims and Compensation Requests

The GR Draft elaborates further on the rights of personal data subjects to file a claim and request for compensation from a personal data controller in case of error or negligence in personal data processing.

The claim can be in the form of material and non-material claims. Material claims include financial compensation equivalent to the losses incurred by personal data subjects. The amount of material claim that a personal data subject can file will be determined by the appointed party authorized to resolve the dispute outside court or by a panel of judges. On the other hand, non-material claims include corrective actions or other measures aimed at restoring the protection of personal data.

Merger, Separation, Acquisition, Amalgamation and/or Dissolution of Data Controller

PDP Law requires the personal data controller to notify the personal data subject in the event of merger, separation, acquisition, amalgamation and/or dissolution of the personal data controller. Under the GR Draft, it is further specified that the notification must occur prior to the completion of such corporate actions. Additionally, both the previous and new data controller shall enter into an agreement that governs the rights and obligations of each party with respect to the transferred personal data.

Authority of the PDP Agency

It is worth noting that the GR Draft does not elaborate on the formation of the PDP Agency despite the mandate already provided under Article 58 of the PDP Law. Consequently, it remains silent on the specific procedures to establish the PDP Agency.

Notwithstanding the above, the GR Draft elaborates on the scope of authority vested in the PDP Agency, as follows:

  • a. formulating and determining personal data protection policies;
  • b. supervising the compliance with personal data protection law and policies;
  • c. imposing administrative sanctions in case of violation by the personal data controller and/or processor;
  • d. facilitating law enforcement officers in handling personal data crimes;
  • e. cooperating with other countries’ personal data protection agencies in order to resolve allegations on violation of cross-border personal data protection laws;
  • f. assessing the fulfillment of requirements for the transfer of personal data outside the jurisdiction of the Republic of Indonesia;
  • g. giving orders to follow up the results of supervision to the personal data controller and/or personal data processor;
  • h. publishing the results on the implementation of supervision of personal data protection in accordance with statutory provisions;
  • i. receiving complaints and/or reports regarding alleged violations of personal data protection law;
  • j. carrying out inspections and investigations of complaints, reports and/or monitoring results regarding alleged violations of personal data protection law;
  • k. summoning and presenting any person and/or public body related to an alleged violation of personal data protection law;
  • l. requesting information, data and documents from any person and/or public body regarding alleged violations of personal data protection law;
  • m. summoning and presenting the necessary experts in the examination and investigation regarding suspected violations of personal data protection law;
  • n. carrying out inspections and searches of electronic systems, facilities, spaces and/or places used by personal data controllers and/or personal data processors, including obtaining access to data and/or appointing third parties;
  • o. requesting legal assistance from the prosecutor’s office to resolve personal data protection disputes.

Personal Data Breach Notification

The GR Draft provides that in the event of a personal data breach or any failure to protect personal data, the personal data controller who is responsible for the data’s protection is required to promptly report the failure or breach to the PDP Agency and the affected personal data subjects. This report shall be submitted within a maximum period of 3 x 24 hours (i.e., 72 hours) from the moment the personal data controller becomes aware of the failure or breach. The GR Draft clarifies that no notification is required if the failure or breach does not lead to the disclosure or leakage of personal data.

Cross-Border Data Transfer Requirements

The current PDP Law permits the transfer of personal data to other countries as long as the data controller or the data processor as the transferor can ensure that the receiving country has an equal or higher level of personal data protection. However, the PDP Law does not specify the criteria for assessing the adequacy of such personal data protection level.

The GR Draft finally provides specific benchmarks to meet such requirements, as follows:

  • 1. The receiving country has its own personal data protection law;
  • 2. The receiving country has a personal data protection supervisory authority or agency;
  • 3. The receiving country has made an international commitment or is subject to an international treaty or convention on personal data protection.

Additionally, the GR Draft stipulates that in the event the requirements cannot be fulfilled, the personal data controller must ensure that the receiving country has adequate and binding personal data protection measures. It can be ascertained through the existence of:

  1. the international agreement entered into by and between the transferring country and the receiving country;
  2. standard contract clauses for personal data protection provided by the PDP Agency;
  3. binding corporate rules for a corporate group approved by the PDP Agency; and
  4. any other instruments for personal data protection that are deemed adequate and binding by the PDP Agency.

The GR Draft also introduces new mandates relating to cross border data transfer whereby the personal data controller is required to perform risk assessment and a legal instrument assessment prior to processing the personal data transfer. In this regard, personal data controller and/or personal data processor must assess the necessity of the data transfer and its impact on the rights of personal data subjects. In addition, the GR Draft provides the possibility of personal data transfer as ordered by a court decision, tribunal or decision of a third country administrative authority. It is important to note that such personal data transfer is only allowed if there is an underlying international agreement with the requesting country which justifies the transfer of personal data.

Standard Forms and Clauses under Personal Data Agreements and Documents

In order to improve the protection of personal data subjects, the GR Draft provides standard forms and clauses for mandatory agreement and documents in processing personal data, which include:

  1. an agreement between personal data controllers and personal data processors;
  2. a cooperation agreement for joint personal data controllers; and
  3. a notification on personal data protection failures.

Administrative Fines

The PDP Law sets out that the administrative fines for non-compliance can reach up to 2% of a company’s annual revenue or an amount determined based on violation variables. The GR Draft further specifies the variables for calculating fines:

  • a. any negative impact resulting from the violation;
  • b. the duration of the violation;
  • c. the type of personal data affected;
  • d. the number of people affected;
  • e. the violation discovery process;
  • f. the level of transparency and cooperation of the personal data controller during the investigation process;
  • g. the scale of the business of personal data controller or processor;
  • h. the financial capability of personal data controller or personal data processor to pay; and
  • i. other relevant elements or factors considered by the PDP Agency.

Alternative Dispute Settlement

The GR Draft introduces an alternative dispute settlement forum that allows the personal data subjects and the personal data controllers and/or processors to report the disputes to the PDP Agency. The facilitation of dispute settlement by the PDP Agency must prioritize mediation. A detailed mediation procedure is set out under the GR Draft.


As the GR Draft is subject to public inputs which have been solicited by the MOCI, it is highly likely that further changes will be made before the final draft is approved by the President. In the meantime, businesses are advised to proactively review and align their data processing practices with the GR Draft to avoid potential sanctions as well as to foster trust among personal data subjects.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.

Download full text(PDF)


Data Protection and Privacy Related Publications

Global Practice Related Publications

Asia and Oceania Related Publications

Indonesia Related Publications

Apply Select Practice Areas