The Ministry of Communication and Informatics (MOCI) Regulation No. 20 of 2016 stipulates that consent from the data subject is necessary for the transfer of data; such consent must also be in Bahasa Indonesia (or in bilingual format) and collected online or by paper hard copies. The Regulation also mandates that personal data that is electronically stored should be encrypted.
Under Government Regulation No. 71/2019, consent must be obtained from data subjects for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.

Art. 2 of the Financial Service Authority (OJK) Circular Letter No. 14/SEOJK.07/2014 stipulates that financial service institutions should not disclose the data of their customers to a third party unless they get consent from the data owner. The consent should be expressed in writing.

Art. 21 of Government Regulation No. 71/2019 allows electronic system operators (ESOs) in the private sector to store and process electronic transaction data outside Indonesia, provided certain conditions are met. Companies must ensure that their electronic systems and data remain accessible to Indonesian authorities for supervision and law enforcement. ESOs in the private sector are defined as individuals, business entities, or communities that either (i) are regulated and supervised by the relevant Ministry or Institution based on laws and regulations or (ii) own portals, websites, or applications within the internet network used in, or offered in Indonesia, including those involved in selling, managing, operating, or offering goods and services, as well as search engines. Regulation of Minister of Communication and Informatics No. 5 of 2020 on Private Electronic System Operators ("Regulation 5") implements Government Regulation No. 71/2019.

Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.

Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).

Law No. 27 establishes a general framework for the protection of personal data in Indonesia. It is closely aligned with international data privacy standards and is largely modelled on the European Union’s General Data Protection Regulation. Data controllers, data processors, and relevant parties that process personal data are given a two-year transition period following the enactment of Law No. 27, which is up to 17 October 2024, to conform to it. Once the transition period elapses, all such parties must comply with all the provisions of Law No. 27, and any noncompliance thereto may possibly be enforced.

The Minister of Communication and Informatics Regulation No. 20 of 2016 mandates the minimum retention for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.

Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Indonesia has a telecommunications authority: the Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that this entity's decision-making process is not fully independent of the government.

The Ministry of Manpower and Transmigration Regulation No. 40/2012 specified 19 positions that are reserved for Indonesian nationality only, ranging from Chief Executive Officer to various directors, managers, and supervisors positions within a company.

Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.

The Ministry of Communications and Informatics issued Circular Letter No. 3/2016 on 31 March 2016, establishing the regulatory framework for the delivery of application and content services via the Internet, commonly referred to as Over the Top (OTT) Services. The Circular categorises OTT Services into two main types. The first, OTT Application Services, involves the use of internet protocol-based telecommunications networks to provide functions such as text messaging, voice and video calls, online chatting, financial transactions, data storage, gaming, social networking, and related services. The second, OTT Content Services, encompasses the provision of digital information in formats such as text, sound, images, animations, videos, music, films, and games, delivered via streaming or downloads over telecommunications networks.
According to Section 5.3 of the Circular, foreign individuals or business entities may provide OTT Services only if they establish a Permanent Business Entity in Indonesia, in compliance with the country’s prevailing tax regulations. Furthermore, the Circular imposes specific obligations on OTT Service Providers, including the mandatory use of Indonesia’s National Payment Gateway and Indonesian internet protocol numbers (Sections 5.5.5 and 5.5.6).

Indonesia is a party to the Patent Cooperation Treaty (PCT). However, the country does not consider itself bound by Art. 59 related to disputes.

Indonesia has a copyright regime under the Law of the Republic of Indonesia No. 28 of 2014 on Copyright. However, the exceptions do not follow the fair use or fair dealing model, therefore limiting the lawful use of copyrighted work by others. Art. 43 lists the exceptions, which include publication, distribution, communication, and/or reproduction of State emblems and national anthems in accordance with their original nature; the production and distribution of the Copyrighted content through information technology and communication media that are not commercial and/or lucrative for the Author or related parties, or the Author expresses no objection to the manufacture and dissemination in question; among others.

Copyright is not adequately enforced online in Indonesia. It is reported that online piracy through piracy devices and applications is a concern, and unauthorised camcording and unlicensed use of software remain problematic.