It is reported that in 2009, the Indonesian government implemented non-automatic import licensing procedures on a broad range of products, including electronics through the issuance of Ministry of Trade (MOT) Regulation No. 56/2009. It was extended by the MOT in 2010 and again in December 2012 through Regulation 83/M-DAG/PER/12/2012. The amended Decree retains a requirement for pre-shipment verification by designated companies at the importers’ expense and a restriction that limits the entry of imports to designated ports and airports. Indonesia has informally limited the application of the MOT Regulation to “final consumer goods”.
Regulation 83/M-DAG/PER/12/2012 has been replaced several times, the last one being MOT No. 28/2020. This new regulation, which added a list of products exempted from the non-automatic import licensing procedures, still implements non-automatic import licensing procedures to electronics products such as mobile phones as set out in the previous regulation. Furthermore, the MOT issued MOT Regulation No. 36/M-DAG/PER/7/2014 as amended by MOT Regulation No. 51/2020 regarding ports of entry and mandatory provisions at loading ports. The regulation includes the verification at the loading port of a Notification Letter or Distribution Permit Agreement Letter for certain products that are regulated.

The Ministry of Trade Regulation 38/2013 imposes requirements on importers of mobile phones, handheld computers, and tablets to prove previous import activities and local aftersales activity as well as requirements regarding the distribution and the establishment of industrial activity in Indonesia. In addition, the Ministry of Industry Regulation 68/M-IND/PER/9/2016 includes new licensing requirements for different types of importers of tablets, cellular phones, and handheld computers. These differ depending on:
- whether the importer is working with an Indonesian producer,
- whether the importer is also the producer of the goods,
- whether the imports are conducted with a specific purpose (i.e., specialized orders) or concerning after-sales services.

Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.

According to the Minister of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Operators, foreign Private Electronic System Operators (ESOs) are required to register their businesses with the relevant ministry through the online single submission system. ESOs should also appoint liaison officers, who have to be domiciled in Indonesia. The duty of the liaison officer is to facilitate any access request by government authorities and takedown requests. According to the regulation, ESOs are persons, business entities, or communities that operate an electronic system. ESOs include electronic system operators that are supervised by ministers or institutions in accordance with laws and regulations, and electronic system operators that have an online portal, site, or application through the internet. The requirement was first enacted with Government Regulation No. 71/2019 regarding the Provision of Electronic Systems and Transaction which repealed the Government Regulation No. 82 of 2012.

According to regulation MR5 of 2020, Private Electronic System Operators (ESOs), except cloud providers, are required to ensure that their service, websites, or platforms do not contain and do not facilitate the dissemination of prohibited information or documents. Private ESOs are then required to ensure that their system does not carry prohibited content or information, which will in practice require a general monitoring obligation and the adoption of content filters.

It is reported that in 2014, Indonesia blocked video-sharing websites: Reddit and Imgur. In addition, in 2015, Indonesia blocked the video-sharing website Vimeo. In March 2020, the online subtitling service Subscene.com was reportedly blocked. Political content has also been subject to blocking. Academic and civil society researchers have found that numerous blogs and other sites carrying criticism of the government or Islam are blocked. Online news outlets and websites with information about the provinces of Papua and West Papua, where military forces have been accused of violently suppressing an independence movement, have been blocked in recent years.
In addition, in January 2018, the Ministry of Communication and Information Technology (MCIT) launched “Cyber Drone 9,” a crawler system driven by AI tools that are designed to proactively detect content violations. It is reported that this tool replaced the Trust+ system, which relied on a passive database. A specialized task force monitors the new system and reviews the material it flags for filtering and blocking; the blocking itself is still carried out by ISPs. Each ISP may employ its software for blocking and thus may blacklist additional sites at its discretion. This has increased the likelihood of arbitrary, inconsistent blocking, creating uncertainty for users seeking redress when content is wrongfully blocked. In July 2020, the MCIT stated that it planned to purchase more sophisticated technology to block more categories of negative content and websites.

The Ministry of Communication and Informatics Circular Letter No. 3/2016 requires the providers of Over the Top (OTT) services to use local IP numbers. It is reported that the requirement could present compliance problems for foreign service providers and raise competition concerns and trade barriers.

Circular of the Minister of Communication and Information Technology No. 5/ 2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No.80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or disable access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or feature in the platform for users to submit a report.
For intermediary service providers, the regulation discharges them from any liability for illegal content provided that such providers are acting as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.
Furthermore, MOCI Regulation 5 of 2020, provides that private ESOs hosting user-generated content may be exempted from legal liability for prohibited content transmitted or distributed on their electronic systems as long as they have fulfilled their governance obligations, shared information on subscribers who uploaded the prohibited content for monitoring and law enforcement purposes, and take down the prohibited content as regulated under MOCI Regulation 5. According to the law, private ESOs must ensure that their electronic systems do not (i) contain prohibited electronic information or documents and (ii) facilitate the dissemination of prohibited electronic information or documents. They also must take down prohibited content within 24 hours or four hours (the latter is for urgent prohibited content, such as child pornography content, terrorism content, and content that causes public unrest, which is very broad) after receiving the takedown notice. MOCI Regulation 5 classifies prohibited content into content that: is in violation of laws and regulations; causes anxiety for society and disturbs public order based on the government’s assessment; posts or provides access to prohibited content.

According to Art. 5 of the Minister of Communication and Information Technology Regulation No. 14 of 2017, to get a prepaid phone SIM card in Indonesia, a customer must register their phone prepaid SIM card with their valid national ID and family register card, or a passport for foreigners. For the Registration process using passport, the information to be registered includes at least name, passport number, citizenship, and place and date of birth.

The Law on State Intelligence passed in October 2011 mandates that the collection of information on a person, that is considered harmful to national interest and security, should be based on the Head of State Intelligence Agency's order. The Law broadly authorizes the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including to collect information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in a cooperation with law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.

Circular of the Minister of Communication and Information Technology No. 5/ 2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No.80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or disable access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or feature in the platform for users to submit a report.
For intermediary service providers, the regulation discharges them from any liability for illegal content provided that such providers are acting as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.

Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems, or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.

Art. 53 of Law No. 27 introduces the requirement for controllers and processors to appoint a data protection officer (DPO) in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing which is specific in nature and/or which is related to criminal conduct.
Additionally, while Regulation No. 20 do not stipulate the requirement of a DPO, Art. 28(i) requires electronic system operators to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.

According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incurred. Such provision provides the meaning of 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system which it manages.

The Minister of Communication and Informatics Regulation No. 20 of 2016 mandates the minimum retention for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.