It is reported that in 2014, Indonesia blocked video-sharing websites: Reddit and Imgur. In addition, in 2015, Indonesia blocked the video-sharing website Vimeo. In March 2020, the online subtitling service Subscene.com was reportedly blocked. Political content has also been subject to blocking. Academic and civil society researchers have found that numerous blogs and other sites carrying criticism of the government or Islam are blocked. Online news outlets and websites with information about the provinces of Papua and West Papua, where military forces have been accused of violently suppressing an independence movement, have been blocked in recent years.
In addition, in January 2018, the Ministry of Communication and Information Technology (MCIT) launched “Cyber Drone 9,” a crawler system driven by AI tools that are designed to proactively detect content violations. It is reported that this tool replaced the Trust+ system, which relied on a passive database. A specialized task force monitors the new system and reviews the material it flags for filtering and blocking; the blocking itself is still carried out by ISPs. Each ISP may employ its software for blocking and thus may blacklist additional sites at its discretion. This has increased the likelihood of arbitrary, inconsistent blocking, creating uncertainty for users seeking redress when content is wrongfully blocked. In July 2020, the MCIT stated that it planned to purchase more sophisticated technology to block more categories of negative content and websites.

The Ministry of Communication and Informatics Circular Letter No. 3/2016 requires the providers of Over the Top (OTT) services to use local IP numbers. It is reported that the requirement could present compliance problems for foreign service providers and raise competition concerns and trade barriers.

Circular of the Minister of Communication and Information Technology No. 5/ 2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No.80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or disable access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or feature in the platform for users to submit a report.
For intermediary service providers, the regulation discharges them from any liability for illegal content provided that such providers are acting as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.
Furthermore, MOCI Regulation 5 of 2020, provides that private ESOs hosting user-generated content may be exempted from legal liability for prohibited content transmitted or distributed on their electronic systems as long as they have fulfilled their governance obligations, shared information on subscribers who uploaded the prohibited content for monitoring and law enforcement purposes, and take down the prohibited content as regulated under MOCI Regulation 5. According to the law, private ESOs must ensure that their electronic systems do not (i) contain prohibited electronic information or documents and (ii) facilitate the dissemination of prohibited electronic information or documents. They also must take down prohibited content within 24 hours or four hours (the latter is for urgent prohibited content, such as child pornography content, terrorism content, and content that causes public unrest, which is very broad) after receiving the takedown notice. MOCI Regulation 5 classifies prohibited content into content that: is in violation of laws and regulations; causes anxiety for society and disturbs public order based on the government’s assessment; posts or provides access to prohibited content.

According to Art. 5 of the Minister of Communication and Information Technology Regulation No. 14 of 2017, to get a prepaid phone SIM card in Indonesia, a customer must register their phone prepaid SIM card with their valid national ID and family register card, or a passport for foreigners. For the Registration process using passport, the information to be registered includes at least name, passport number, citizenship, and place and date of birth.

The Law on State Intelligence passed in October 2011 mandates that the collection of information on a person, that is considered harmful to national interest and security, should be based on the Head of State Intelligence Agency's order. The Law broadly authorizes the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including to collect information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in a cooperation with law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.

Circular of the Minister of Communication and Information Technology No. 5/ 2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No.80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or disable access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or feature in the platform for users to submit a report.
For intermediary service providers, the regulation discharges them from any liability for illegal content provided that such providers are acting as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.

Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems, or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.

Art. 53 of Law No. 27 introduces the requirement for controllers and processors to appoint a data protection officer (DPO) in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing which is specific in nature and/or which is related to criminal conduct.
Additionally, while Regulation No. 20 do not stipulate the requirement of a DPO, Art. 28(i) requires electronic system operators to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.

According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incurred. Such provision provides the meaning of 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system which it manages.

The Minister of Communication and Informatics Regulation No. 20 of 2016 mandates the minimum retention for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.

Government Regulation No. 80/2019 states that domestic or foreign e-commerce platform who operates in Indonesia should store the data at least 10 years for financial transaction and 5 years for non-financial transactions since the data were collected.

Law No. 27 establishes a general framework for the protection of personal data in Indonesia. It is closely aligned with international data privacy standards, and is largely modelled on the European Union’s General Data Protection Regulation. Data controllers, data processors and relevant parties that process personal data are given a two year transition period following the enactment of Law No. 27, thus up to 17 October 2024 to conform with it. Once the transition period elapses, all such parties must comply with all the provisions of Law No. 27 and any noncompliance thereto may possibly be enforced.

Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).

Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.

Art. 2 of the Financial Service Authority (OJK) Circular Letter No. 14/SEOJK.07/2014 stipulates that financial service institutions should not disclose the data of its customer to a third party unless they get consent from the data owner. The consent should be expressed in writing.