Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Indonesia has a telecommunications authority: the Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that this entity's decision-making process is not fully independent of the government.

In accordance with Art. 35 of OJK Regulation (POJK) No. 11/POJK.03/2022, banks are required to place their electronic systems in data centres and disaster recovery centres in Indonesia. Yet, banks may place them outside Indonesia upon obtaining authorisation from the Financial Services Authority (OJK). According to Art. 36, banks may apply for an authorisation provided that they:
- meet the regulatory provisions on the use of IT service providers in IT implementation;
- submit the results of the country risk analysis;
- ensure that the placement of the electronic systems in data centres and/or disaster recovery centres outside Indonesia does not diminish the effectiveness of OJK’s supervision as demonstrated by a statement letter;
- ensure that information regarding the bank’s confidentiality is only disclosed on the condition that such disclosure complies with the provisions of the statutory regulations in Indonesia, as evidenced by the cooperation agreement between the bank and the IT service provider;
- ensure that the written agreement with the IT service provider contains a choice of law clause;
- submit a no-objection letter from the supervisory authority of the IT service provider outside Indonesia so that OJK can conduct inspections on the IT service provider;
- submit a statement letter that the bank shall periodically submit the results of assessments conducted by the bank office(s) outside Indonesia on the application of risk management on the IT service provider;
- ensure that the placement plan of the electronic systems in data centres and/or disaster recovery centres outside Indonesia delivers more benefits than the costs for the bank; and
- submit the bank's plan to improve the bank's human resources capacity, both in IT implementation and in business transactions or products offered.
In addition, according to Art. 39, banks are required to process IT-based transactions within the Indonesian territory. However, the processing of IT-based transactions by the IT service providers outside Indonesia can be carried out provided that the bank has obtained authorisation from OJK. Banks may apply for an authorisation on the condition that:
- IT service providers comply with the prudential principle, with the regulatory provisions on the IT service providers in IT implementation, and take heed of consumer protection.
- the supporting documents for financial administration for transactions conducted at the bank offices in Indonesia are administered at the bank offices in Indonesia; and
- the bank's business plan demonstrates efforts to increase its role in developing Indonesia’s economy.
OJK Regulation (POJK) No. 11/POJK.03/2022 revoked and declared null and void OJK Regulation (POJK) No. 38/POJK.03/2016, which already required foreign banks and payments networks to locate data centres and process electronic transactions in Indonesia.

Art. 35 of Bank Indonesia Regulation No. 22/23/PBI/2020 requires domestic processing of initiation-authorisation-clearing-settlements phases of payment transactions for instruments issued by Indonesia's payment service provider and conducted within the territory of the Republic of Indonesia. Indonesia opens the possibility of such payment transactions being processed outside of Indonesian territory for the purpose of global reconciliation, integrated risk management system, and anti-money laundering. However, this is subject to Bank Indonesia's approval.

Art. 20 of Regulation No. 71 provides that public electronic system operators (ESOs) are required to manage, process, and/or store electronic systems and electronic data in the territory of Indonesia, except if the technology is not yet available. Private ESOs can manage, process, and/or store electronic systems and electronic data in Indonesia and/or outside the country (Art. 21). However if management is carried out outside, it must ensure the effectiveness of supervision by the ministry, etc.
Art. 1 contains several key definitions:
- Electronic system: a set of electronic equipment and procedures that have the function of preparing, collecting, processing, analysing, storing, displaying, announcing, delivering, and/or disseminating electronic information.
- ESO: any persons, state administrators, business entities and the public that provide, manage and/or operate an electronic system individually or jointly to electronic system users for its own interests and/or the interests of another party.
- Public ESO: an electronic system operation by a state administrator agency or institutions appointed by a state administrator agency.
- Private ESO: an electronic system operated by a person, business entity, and the public.
With the entry into force of Regulation No. 71, Regulation No. 82 was repealed and declared null and void. Under Art. 17 of Regulation No. 82, ESOs for public services had to establish data centres and a disaster recovery centre in Indonesia, impacting many private sector companies.

Art. 21 of Government Regulation No. 46/2020 mandates that the health data should be stored in Indonesia.

Under Art. 23 Regulation No. 4/05/2021, non-bank financial institutions are obligated to place their data centre and/or disaster recovery centre within the territory of Indonesia. An exemption of this obligation may only be applicable after obtaining prior approval from the Financial Services Authority (Otoritas Jasa Keuangan, OJK) and only for certain purposes of the electronic system.

Under Arts. 7, 11, 14 and 18 of Bappebti Regulation No. 8/2021, the stakeholders of crypto asset trade (i.e., futures market, futures clearing institution, crypto asset physical trader, and crypto asset depository manager) are obligated to place their disaster recovery centre as well as a server or cloud server within Indonesia. The disaster recovery centre must be located within a maximum distance of 20 km from the main server. A crypto asset is defined as a digital, intangible commodity that utilises cryptography, information technology networks, and distributed ledgers to create new units, verify transactions, and secure them without third-party intervention.

Art. 56 of Law No. 27 on Personal Data Protection allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if the recipient country has an adequate level of protection. If the country is not adequate, the controller must ensure an adequate and binding personal data protection. Alternatively, the controller must obtain the consent of the data subject.

Indonesia has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.

Government Regulation No. 71/2019 mandates that providers of bespoke software must either provide or escrow the source code associated with their services. This requirement has been in effect since the introduction of Government Regulation No. 82/2012, which was later replaced by Regulation No. 71/2019.

Law of the Republic of Indonesia No. 30 of 2000 on Trade Secrets provides a framework for effective protection of trade secrets. According to Art. 1 of the law, trade Secrets are legally defined as information in the field of technology and/or business that is not known by the public and has economic value as it is useful in business activities, and the confidentiality of which is maintained by its owner. Any person who deliberately and without rights uses the Trade Secret of another party or conducts any acts as referred to in Arts. 13 and 14 shall be sentenced to imprisonment of at most two years and a fine.
However, it is reported that it is necessary to prove that the suspected party has unlawfully obtained the trade secret. Proving this may be difficult as the litigation procedure is not equipped with a discovery procedure to uncover relevant evidence of the suspected party. It may help if the trade secret holder can prove that the local company had some form of relationship previously with it or was previously given access to the trade secret.

It is reported that there is an obligation for passive infrastructure sharing in Indonesia to deliver telecom services to end users.

The Ministry of Communications and Informatics Regulation No. 12/2019, which replaces Regulation No. 41/PER/M.KOMINFO/10/2009 by the Ministry of Communication and Information Technology mandates that Indonesian telecommunication operators allocate at least 50% of their total capital expenditures for network development to locally sourced components or services. The regulation also stipulated that any telecommunication device/material which contains a minimum of 50% local component will be considered to have 100% local component (Art. 6). The regulation also requires companies to report the percentage of local content procured annually and have that information “authenticated” by the government or a survey institute appointed by the government. These requirements have been in place since 2009.

According to Presidential Regulation No. 10/2021, the telecommunications sector was liberalised, allowing full foreign ownership of telecommunication service providers and telecommunication towers. However, according to Art. 1.2 and 77 of the State-owned Enterprises Act 19/2003, there is a limit of 49% on the shares that can be acquired by foreign investors in government-controlled firms. This includes foreign participation in state-owned entreprisese (SOEs) in the telecommunication sector, as regulated in Government Regulation No. 15/2013, amended by Government Regulation No. 41/2021.