According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incur. Such provision provides the meaning of 'risk management', which is conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system it manages.

Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.

The Law on State Intelligence passed in October 2011 mandates that the collection of information on a person that is considered harmful to national interest and security should be based on the Head of State Intelligence Agency's order. The Law broadly authorises the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including to collect information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on the Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in cooperation with a law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.

Circular of the Minister of Communication and Information Technology No. 5/2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No. 80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or restrict access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or features in the platform for users to submit a report.
The regulation discharges intermediary service providers from any liability for illegal content, provided that such providers act as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.

Circular of the Minister of Communication and Information Technology No. 5/ 2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No. 80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or restrict access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or features in the platform for users to submit a report.
The regulation discharges intermediary service providers from any liability for illegal content, provided that such providers act as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.
Furthermore, MOCI Regulation 5 of 2020 provides that private ESOs hosting user-generated content may be exempted from legal liability for prohibited content transmitted or distributed on their electronic systems as long as they have fulfilled their governance obligations, shared information on subscribers who uploaded the prohibited content for monitoring and law enforcement purposes, and take down the prohibited content as regulated under MOCI Regulation 5. According to the law, private ESOs must ensure that their electronic systems do not (i) contain prohibited electronic information or documents and (ii) facilitate the dissemination of prohibited electronic information or documents. They also must take down prohibited content within 24 hours or four hours (the latter is for urgent prohibited content, such as child pornography content, terrorism content, and content that causes public unrest, which is very broad) after receiving the takedown notice. MOCI Regulation 5 classifies prohibited content into content that is in violation of laws and regulations, causes anxiety for society, and disturbs public order based on the government’s assessment, posts, or provides access to prohibited content.

According to Art. 5 of the Minister of Communication and Information Technology Regulation No.14 of 2017, to get a prepaid phone SIM card in Indonesia, a customer must register their phone prepaid SIM card with their valid national ID and family register card, or a passport for foreigners. For the Registration process using a passport, the information to be registered includes at least name, passport number, citizenship, and place and date of birth.

According to regulation MR5 of 2020, Private Electronic System Operators (ESOs), except cloud providers, are required to ensure that their service, websites, or platforms do not contain and do not facilitate the dissemination of prohibited information or documents. Private ESOs are then required to ensure that their system does not carry prohibited content or information, which will, in practice, require a general monitoring obligation and the adoption of content filters.

It is reported that websites and apps in Indonesia are frequently blocked for hosting what the government defines as “negative” content or for not complying with national regulations. For instance, in 2021, the Ministry of Communication and Information Technology (Kominfo) blocked the platforms Snack Video, TikTok Cash, and VTube on the grounds that they engaged in financial and other services without Financial Services Authority (OJK) licensing. In July and August 2022, Kominfo blocked access to major sites, including Yahoo, the gaming service Steam, and the payment processor PayPal, for several days. These sites were unblocked after complying with registration requirements under MR 5/2020. Additionally, between 2016 and July 2020, the film and television streaming service Netflix was inaccessible to Telkom Indonesia and Telkomsel customers despite the absence of a formal blocking notification from Kominfo. In September 2023, Kominfo blocked TikTok Indonesia. The Ministry of Trade stated that it is working to further regulate e-commerce, emphasising that transactions on social media platforms are not permitted in the country.

According to the Minister of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Operators, foreign Private Electronic System Operators (ESOs) are required to register their businesses with the relevant ministry through the online single submission system. ESOs should also appoint liaison officers, who have to be domiciled in Indonesia. The duty of the liaison officer is to facilitate any access request by government authorities and takedown requests. According to the regulation, ESOs are persons, business entities, or communities that operate an electronic system. ESOs include electronic system operators that are supervised by ministers or institutions in accordance with laws and regulations and electronic system operators that have an online portal, site, or application through the Internet. The requirement was first enacted with Government Regulation No. 71/2019 regarding the Provision of Electronic Systems and Transaction which repealed the Government Regulation No. 82 of 2012.

Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.

It is reported that according to the Ministry of Trade Regulation (MOT) 20/2021, which was amended by MOT Regulation 25/2022, pre-shipment verification by designated companies (known in Indonesia as “surveyors”) is required for a broad range of products, including electronics. It is reported that the verifications are conducted at the importer’s expense and impede the entry of imports to designated ports and airports. Despite reports about this regulation, the regulatory text could not be located online.

Companies have reported that, in some cases, the Ministry of Information is informally limiting import quantities under existing licenses (issued under the Ministry of Information's Regulation 108/2012) to protect locally manufactured cell phones, handheld computers, and tablets.

The Minister of Communication and Informatics Regulation No. 20 of 2016 mandates the minimum retention for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.

Government Regulation No. 80/2019 states that domestic or foreign e-commerce platforms that operate in Indonesia should store data for at least 10 years for financial transactions and 5 years for non-financial transactions since the data were collected.

Indonesia has a telecommunications authority: the Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that this entity's decision-making process is not fully independent of the government.