Art. 2 of the Financial Service Authority (OJK) Circular Letter No. 14/SEOJK.07/2014 stipulates that financial service institutions should not disclose the data of its customer to a third party unless they get consent from the data owner. The consent should be expressed in writing.

The Ministry of Communication and Informatics (MOCI) Regulation No. 20 of 2016 stipulates that consent from the data subject is necessary for the transfer of data, such consent must also be in Bahasa Indonesia (or in bilingual format) and collected online or by paper hard copies. The Regulation also mandates that personal data that is electronically stored should be encrypted.
Under Government Regulation No. 71/2019, consent must be obtained from data subjects for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.

Art. 56 of Law No. 27 regarding Personal Data Protection allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if recipient country has an adequate level of protection. If the country is not adequate, the controller must ensure an adequate and binding personal data protection. Alternatively, the controller must obtain the consent of the data subject.

Art. 20 of Regulation No. 71 provides that the public electronic system operators (ESOs) are required to manage, process, and/or store electronic systems and electronic data in the territory of Indonesia, except if the technology is not yet available. Private ESOs can manage, process, and/or store electronic systems and electronic data in Indonesia and/or outside the country (Art. 21). However, if management is carried out outside, it must ensure the effectiveness of supervision by the ministry, etc.
Art. 1 contains several key definitions:
- Electronic system: a set of electronic equipment and procedures which have the function to prepare, collect, process, analyze, store, display, announce, deliver and/or disseminate electronic information.
- ESO: any persons, state administrators, business entities and the public that provide, manage and/or operate an electronic system individually or jointly to electronic system users for its own interests and/or the interests of another party.
- Public ESO: an electronic system operation by a state administrator agency or institutions appointed by a state administrator agency.
- Private ESO: an electronic system operation by a person, business entity and the public.
With the entry into force of Regulation No. 71, Regulation No. 82 was repealed and declared null and void. Under Art. 17 of Regulation No. 82, ESOs for public services had to establish a data centre in Indonesia resulting in many private sector companies being subject to the requirement to place a data center within Indonesia.

Art. 21 of Government Regulation No. 46/2020 mandates that the health data should be stored in Indonesia.

In accordance with Art. 35 of OJK Regulation (POJK) No. 11/POJK.03/2022, banks are required to place their electronic systems in data centers and disaster recovery centers in Indonesia. Yet, banks may place them outside Indonesia upon obtaining authorization from the Financial Services Authority (OJK). According to Art. 36, banks may apply for an authorization provided that they:
- meet the regulatory provisions on the use of IT service providers in IT implementation;
- submit the results of the country risk analysis;
- ensure that the placement of the electronic systems in data centers and/or disaster recovery centers outside Indonesia does not diminish the effectiveness of OJK’s supervision as demonstrated by a statement letter;
- ensure that information regarding the bank’s confidentiality is only disclosed on the condition that such disclosure complies with the provisions of the statutory regulations in Indonesia, as evidenced by the cooperation agreement between the bank and the IT service provider;
- ensure that the written agreement with the IT service provider contains a choice of law clause;
- submit a no-objection letter from the supervisory authority of the IT service provider outside Indonesia that OJK can conduct inspections on the IT service provider;
- submit a statement letter that the bank shall periodically submit the results of assessments conducted by the bank office(s) outside Indonesia on the application of risk management on the IT service provider;
- ensure that the placement plan of the electronic systems in data centers and/or disaster recovery centers outside Indonesia delivers more benefits than the costs for the bank; and
- submit the bank's plan to improve the bank's human resources capacity, both in IT implementation and in business transactions or products offered.
In addition, according to Art. 39, banks are required to process IT-based transactions within the Indonesian territory. However, the processing of IT-based transactions by the IT service providers outside Indonesia can be carried out provided that the bank has obtained authorization from OJK. Banks may apply for an authorization on the condition that:
- IT service providers comply with the prudential principle, with the regulatory provisions on the IT service providers in IT implementation, and take heed of consumer protection.
- the supporting documents for financial administration for transactions conducted at the bank offices in Indonesia are administered at the bank offices in Indonesia; and
- the bank's business plan demonstrates efforts to increase the bank’s role in developing Indonesia’s economy.
OJK Regulation (POJK) No. 11/POJK.03/2022 revoked and declared null and void OJK Regulation (POJK) No. 38/POJK.03/2016, which already required foreign banks and payments networks to locate data centers and process electronic transactions in Indonesia.

Art. 35 of Bank Indonesia Regulation No. 22/23/PBI/2020 requires domestic processing of initiation-authorization-clearing-settlements phases of payment transactions for instruments issued by Indonesia's payment service provider and conducted within the territory of the Republic of Indonesia. Indonesia opens the possibility of such payment transactions to be processed outside of Indonesian territory for the purpose of global reconciliation, integrated risk management system/anti-money laundering. However, this is subject to Bank Indonesia's approval.

Indonesia has a telecommunications authority: Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that the decision making process of this entity is not fully independent from the government.

Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

PT Telekomunikasi Indonesia (Telekom), the incumbent, is a semi-privatized, majority State-owned company. The Government of Indonesia is the majority shareholder with 52.1% shares. It has a dominant market share in terms of mobile phone subscribers (approximately 45 to 50%). In 2019, Telekom's cellular network had 59.6% market shares making it the biggest player among the competitors.

Indonesia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market (Art. 8 of the Government Regulations No. 52 regarding Telecommunications Operations).

According to the Presidential Regulation No. 10/2021, the telecommunications sector was liberalized allowing full foreign ownership in telecommunication service providers and telecommunication towers. However, according to Art. 1(2) and 77 of the State-owned Enterprises Act 19/2003, there is a limit of 49% on the shares that can be acquired by foreign investors in government-controlled firms. This includes foreign participation in telecommunication and delivery service sector SOEs (as regulated in Government Regulation No. 15/2013, amended by Government Regulation No. 41/2021).

Law of the Republic of Indonesia No. 30 of 2000 regarding trade secrets provides a framework for effective protection of trade secrets. According to Art. 1 of the law, trade Secrets are legally defined as information in the field of technology and/or business that is not known by the public and has economic value as it is useful in business activities, and the confidentiality of which is maintained by its owner. Any person who deliberately and without rights uses the Trade Secret of another party, or conducts any acts as referred to in Arts. 13 and 14 shall be sentenced to imprisonment of at most two years and a fine.
However, it is reported that it is necessary to prove that the suspected party has unlawfully obtained the trade secret. Proving this may be difficult as the litigation procedure is not equipped with a discovery procedure to uncover relevant evidence of the suspected party. It may help if the trade secret holder can prove that the local company had some form of relationship previously with it or was previously given access to the trade secret.

It is reported that there is an obligation for passive infrastructure sharing in Indonesia to deliver telecom services to end users.

Indonesia has ratified the World Intellectual Property Organization (WIPO) Performances and Phonograms Treaty.