INDONESIA
Since September 2022, entry into force in October 2022
Pillar Cross-border data policies | Sub-pillar Conditional flow regime
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
Art. 56 of Law No. 27 on Personal Data Protection allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if the recipient country has an adequate level of protection. If the country is not adequate, the controller must ensure adequate and binding personal data protection. Alternatively, the controller must obtain the consent of the data subject.
Coverage Horizontal
INDONESIA
Since December 2016
Since October 2019
Pillar Cross-border data policies | Sub-pillar Conditional flow regime
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Government Regulation No. 71/2019 on the Provision of Electronic System and Transaction (Peraturan Pemerintah (PP) Nomor 71 Tahun 2019 Penyelenggaraan Sistem dan Transaksi Elektronik)
The Ministry of Communication and Informatics (MOCI) Regulation No. 20 of 2016 stipulates that consent from the data subject is necessary for the transfer of data; such consent must also be in Bahasa Indonesia (or in bilingual format) and collected online or on paper. The Regulation also mandates that personal data that is electronically stored should be encrypted.
Under Government Regulation No. 71/2019, consent must be obtained from data subjects for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.
Coverage Horizontal
Sources
- https://web.archive.org/web/20231001131647/https://jdih.kominfo.go.id/produk_hukum/view/id/553/t/peraturan+menteri+komunikasi+dan+informatika+nomor+20+tahun+2016+tanggal+1+desember+2016
- https://web.archive.org/web/20230322005029/https://peraturan.bpk.go.id/Home/Details/122030/pp-no-71-tahun-2019
- https://web.archive.org/web/20240703222059/https://marketing.hsf.com/208/26111/compose-email/cross-border-data-transfers--an-indonesian-law-update.asp
INDONESIA
Since August 2014
Pillar Cross-border data policies | Sub-pillar Conditional flow regime
OJK Circular Letter No. 14/SEOJK.07/2014
Art. 2 of the Financial Service Authority (OJK) Circular Letter No. 14/SEOJK.07/2014 stipulates that financial service institutions should not disclose the data of their customers to a third party unless they get consent from the data owner. The consent should be expressed in writing.
Coverage Financial sector
INDONESIA
Since October 2019
Since November 2020, last amended in November 2021
Pillar Cross-border data policies | Sub-pillar Conditional flow regime
Regulation of the Government of the Republic of Indonesia No. 71 of 2019 on Electronic System and Transaction Operations (Peraturan Pemerintah Republik Indonesia Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem Dan Transaksi Elektronik)
Regulation of the Minister of Communications and Informatics of the Republic of Indonesia No. 5 of 2020 on Private Electronic System Operators (“Regulation 5”) (Peraturan Menteri Komunikasi Dan Informatika Republik Indonesia Nomor 5 Tahun 2020 Tentang Penyelenggara Sistem Elektronik Lingkup Privat)
Art. 21 of Government Regulation No. 71/2019 allows electronic system operators (ESOs) in the private sector to store and process electronic transaction data outside Indonesia, provided certain conditions are met. Companies must ensure that their electronic systems and data remain accessible to Indonesian authorities for supervision and law enforcement. ESOs in the private sector are defined as individuals, business entities, or communities that either (i) are regulated and supervised by the relevant Ministry or Institution based on laws and regulations or (ii) own portals, websites, or applications within the internet network used in, or offered in Indonesia, including those involved in selling, managing, operating, or offering goods and services, as well as search engines. Regulation of Minister of Communication and Informatics No. 5 of 2020 on Private Electronic System Operators ("Regulation 5") implements Government Regulation No. 71/2019.
Coverage Electronic systems operators for private scope
Sources
- https://web.archive.org/web/20240612183154/https://jdih.kominfo.go.id/produk_hukum/unduhTerjemahan/id/695/t/peraturan+pemerintah+nomor+71+tahun+2019
- https://web.archive.org/web/20230322005029/https://peraturan.bpk.go.id/Home/Details/122030/pp-no-71-tahun-2019
- https://web.archive.org/web/20241127132507/https://jdih.kominfo.go.id/produk_hukum/unduhTerjemahan/id/759/t/peraturan+menteri+komunikasi+dan+informatika+nomor+5+tahun+2020
- https://web.archive.org/web/20240303123242/https://jdih.kominfo.go.id/produk_hukum/unduh/id/774/t/peraturan+menteri+komunikasi+dan+informatika+nomor+10+tahun+2021
- https://web.archive.org/web/20230103224650/https://www.lexology.com/library/detail.aspx?g=cd6e5251-6dd7-4b46-b6be-759c78c9bf7b
INDONESIA
Since November 2019
Pillar Cross-border data policies | Sub-pillar Conditional flow regime
Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.
Coverage E-commerce activities
Sources
- https://web.archive.org/web/20240928231954/https://jdih.kemendag.go.id/peraturan/download/2453/3
- https://web.archive.org/web/20241211160918/https://perpajakan.ddtc.co.id/sumber-hukum/peraturan-pusat/peraturan-pemerintah-80-tahun-2019
- https://web.archive.org/web/20230206063727/https://www.bakermckenzie.com/en-/media/files/insight/publications/2019/12/ma-taxtrad--indonesia-now-has-a-specific-ecommerce-regulation-dece-2019.pdf
INDONESIA
Since July 2020
Pillar Cross-border data policies | Sub-pillar Participation in trade agreements committing to open cross-border data flows
Indonesia - Australia Comprehensive Economic Partnership Agreement.
Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).
Coverage Horizontal
INDONESIA
Since September 2022, entry into force in October 2022
Pillar Domestic data policies | Sub-pillar Framework for data protection
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
Law No. 27 establishes a general framework for the protection of personal data in Indonesia. It is closely aligned with international data privacy standards and is largely modelled on the European Union’s General Data Protection Regulation. Data controllers, data processors, and relevant parties that process personal data are given a two-year transition period following the enactment of Law No. 27, which runs until 17 October 2024, to conform to it. Once the transition period elapses, all such parties must comply with all the provisions of Law No. 27, and any non-compliance may be subject to enforcement.
Coverage Horizontal
INDONESIA
Since July 2000
Pillar Telecom infrastructure & competition | Sub-pillar Functional/accounting separation for operators with significant market power
Requirement of accounting and functional separation for dominant network operators
Indonesia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market (Art. 8 of the Government Regulations No. 52 regarding Telecommunications Operations).
Coverage Telecommunication sector
Sources
- https://web.archive.org/web/20230326112538/https://jdih.kominfo.go.id/produk_hukum/view/id/21/t/peraturan+pemerintah+republik+indonesia+nomor+52+tahun+2000
- https://datahub.itu.int/data/?i=100047&s=8446
- https://web.archive.org/web/20241126160827/https://world.moleg.go.kr/cms/commonDown.do?DLD_CFM_NO=41KPANEJXTDJVI29YXWV&FL_SEQ=41832
INDONESIA
Since April 1994
Pillar Telecom infrastructure & competition | Sub-pillar Signature of the World Trade Organization (WTO) Telecom Reference Paper
WTO Telecom Reference Paper
Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.
Coverage Telecommunications sector
Sources
- https://web.archive.org/web/20220119083225/https://www.wto.org/english/tratop_e/serv_e/telecom_e/sc43.pdf
- https://www.wto.org/english/tratop_e/serv_e/telecom_e/telecom_commit_exempt_list_e.htm
- https://www.wto.org/english/tratop_e/serv_e/telecom_e/telecom_highlights_commit_exempt_e.htm#country
INDONESIA
N/A
Pillar Telecom infrastructure & competition | Sub-pillar Presence of an independent telecom authority
Lack of an independent telecom authority
Indonesia has a telecommunications authority: the Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that this entity's decision-making process is not fully independent of the government.
Coverage Telecommunications sector
INDONESIA
Since July 2022, entry into force in October 2022
Since December 2016, last amended in March 2020
Pillar Cross-border data policies | Sub-pillar Ban to transfer and local processing requirement
OJK Regulation (POJK) No. 11/POJK.03/2022 on the Implementation of Information Technology by Commercial Banks (Peraturan Otoritas Jasa Keuangan Nomor 11/POJK.03/2022 Tahun 2022 tentang Penyelenggaraan Teknologi Informasi Oleh Bank Umum)
POJK No. 38/POJK.03/2016 on the Implementation of Risk Management in the Use of Information Technology by Commercial Banks (Peraturan Otoritas Jasa Keuangan Nomor 38/POJK.03/2016 Tahun 2016 tentang Penerapan Manajemen Risiko Dalam Penggunaan Teknologi Informasi oleh Bank Umum)
In accordance with Art. 35 of OJK Regulation (POJK) No. 11/POJK.03/2022, banks are required to place their electronic systems in data centres and disaster recovery centres in Indonesia. Yet, banks may place them outside Indonesia upon obtaining authorisation from the Financial Services Authority (OJK). According to Art. 36, banks may apply for an authorisation provided that they:
- meet the regulatory provisions on the use of IT service providers in IT implementation;
- submit the results of the country risk analysis;
- ensure that the placement of the electronic systems in data centres and/or disaster recovery centres outside Indonesia does not diminish the effectiveness of OJK’s supervision as demonstrated by a statement letter;
- ensure that information regarding the bank’s confidentiality is only disclosed on the condition that such disclosure complies with the provisions of the statutory regulations in Indonesia, as evidenced by the cooperation agreement between the bank and the IT service provider;
- ensure that the written agreement with the IT service provider contains a choice of law clause;
- submit a no-objection letter from the supervisory authority of the IT service provider outside Indonesia so that OJK can conduct inspections on the IT service provider;
- submit a statement letter that the bank shall periodically submit the results of assessments conducted by the bank office(s) outside Indonesia on the application of risk management on the IT service provider;
- ensure that the placement plan of the electronic systems in data centres and/or disaster recovery centres outside Indonesia delivers more benefits than the costs for the bank; and
- submit the bank's plan to improve the bank's human resources capacity, both in IT implementation and in business transactions or products offered.
In addition, according to Art. 39, banks are required to process IT-based transactions within the Indonesian territory. However, the processing of IT-based transactions by the IT service providers outside Indonesia can be carried out provided that the bank has obtained authorisation from OJK. Banks may apply for an authorisation on the condition that:
- IT service providers comply with the prudential principle, with the regulatory provisions on the IT service providers in IT implementation, and take heed of consumer protection;
- the supporting documents for financial administration for transactions conducted at the bank offices in Indonesia are administered at the bank offices in Indonesia; and
- the bank's business plan demonstrates efforts to increase its role in developing Indonesia’s economy.
OJK Regulation (POJK) No. 11/POJK.03/2022 revoked and declared null and void OJK Regulation (POJK) No. 38/POJK.03/2016, which already required foreign banks and payments networks to locate data centres and process electronic transactions in Indonesia.
Coverage Financial sector
Sources
- https://web.archive.org/web/20241126161007/https://peraturan.bpk.go.id/Home/Download/222180/Peraturan%20OJK%20No.%2011%20Tahun%202022.pdf
- https://web.archive.org/web/20241127132207/https://peraturan.bpk.go.id/Details/227376/peraturan-ojk-no-11pojk032022-tahun-2022
- https://web.archive.org/web/20231220141824/https://ojk.go.id/en/regulasi/Documents/Pages/Implementation-of-Information-Technology-by-Commercial-Banks/OJK%20Regulation%2011%202022%20concerning%20Implem...
INDONESIA
Since December 2020
Pillar Cross-border data policies | Sub-pillar Ban to transfer and local processing requirement
Bank Indonesia Regulation No. 22/23/PBI/2020 on Payment Systems (Peraturan Bank Indonesia Nomor 22/23/PBI/2020 Tentang Sistem Pembayaran)
Art. 35 of Bank Indonesia Regulation No. 22/23/PBI/2020 requires domestic processing of initiation-authorisation-clearing-settlements phases of payment transactions for instruments issued by Indonesia's payment service provider and conducted within the territory of the Republic of Indonesia. Indonesia opens the possibility of such payment transactions being processed outside of Indonesian territory for the purpose of global reconciliation, integrated risk management system, and anti-money laundering. However, this is subject to Bank Indonesia's approval.
Coverage Financial sector
INDONESIA
Since October 2019
Pillar Cross-border data policies | Sub-pillar Ban to transfer and local processing requirement
Regulation of the Government of the Republic of Indonesia No. 71 of 2019 on Electronic System and Transaction Operations (Peraturan Pemerintah Republik Indonesia Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem Dan Transaksi Elektronik)
Art. 20 of Regulation No. 71 provides that public electronic system operators (ESOs) are required to manage, process, and/or store electronic systems and electronic data in the territory of Indonesia, except if the technology is not yet available. Private ESOs can manage, process, and/or store electronic systems and electronic data in Indonesia and/or outside the country (Art. 21). However, if management is carried out outside Indonesia, the operator must ensure the effectiveness of supervision by the ministry, etc.
Art. 1 contains several key definitions:
- Electronic system: a set of electronic equipment and procedures that have the function of preparing, collecting, processing, analysing, storing, displaying, announcing, delivering, and/or disseminating electronic information.
- ESO: any persons, state administrators, business entities and the public that provide, manage and/or operate an electronic system individually or jointly to electronic system users for its own interests and/or the interests of another party.
- Public ESO: an electronic system operation by a state administrator agency or institutions appointed by a state administrator agency.
- Private ESO: an electronic system operated by a person, business entity, and the public.
With the entry into force of Regulation No. 71, Regulation No. 82 was repealed and declared null and void. Under Art. 17 of Regulation No. 82, ESOs for public services had to establish data centres and a disaster recovery centre in Indonesia, impacting many private sector companies.
Coverage Electronic system operators
Sources
- https://web.archive.org/web/20240612183154/https://jdih.kominfo.go.id/produk_hukum/unduhTerjemahan/id/695/t/peraturan+pemerintah+nomor+71+tahun+2019
- https://web.archive.org/web/20231201095640/https://siplawfirm.id/key-points-of-government-regulation-no-71-of-2019-on-organization-of-electronic-systems-and-transactions/
- https://web.archive.org/web/20240620045439/https://dentons.hprplawyers.com/en/insights/articles/2019/november/19/-/media/18abdcc762de467a8359eeafba066556.ashx
- https://web.archive.org/web/20231210173800/https://peraturan.bpk.go.id/Download/35329/PP%20Nomor%2082%20Tahun%202012.pdf
INDONESIA
Since May 2014
Pillar Cross-border data policies | Sub-pillar Ban to transfer and local processing requirement
Government Regulation of the Republic of Indonesia No. 46 of 2014 on Health Information Systems (Peraturan Pemerintah Republik Indonesia Nomor 46 Tahun 2014 Tentang Sistem Informasi Kesehatan)
Art. 21 of Government Regulation No. 46/2014 mandates that health data should be stored in Indonesia.
Coverage Health sector
INDONESIA
Since March 2021
Pillar Cross-border data policies | Sub-pillar Infrastructure requirement
Regulation No. 4/POJK.05/2021 - Implementation of Risk Management in the Use of Information Technology by Nonbank Financial Services Institutions (Peraturan Otoritas Jasa Keuangan Republik Indonesia Nomor 4 /pojk.05/2021 Tentang Penerapan Manajemen Risiko Dalam Penggunaan Teknologi Informasi Oleh Lembaga Jasa Keuangan Nonbank)
Under Art. 23 of Regulation No. 4/POJK.05/2021, non-bank financial institutions are obligated to place their data centre and/or disaster recovery centre within the territory of Indonesia. An exemption from this obligation is available only after obtaining prior approval from the Financial Services Authority (Otoritas Jasa Keuangan, OJK) and only for certain purposes of the electronic system.
Coverage Non-bank financial institutions
Sources
- https://web.archive.org/web/20231124083636/https://www.ojk.go.id/id/regulasi/Documents/Pages/Penerapan-Manajemen-Risiko-dalam-Penggunaan-Teknologi-Informasi-oleh-Lembaga-Jasa-Keuangan-Nonbank/pojk%204...
- https://web.archive.org/web/20230725132220/https://www.dataguidance.com/opinion/indonesia-cybersecurity