Government Regulation No. 80/2019 states that domestic or foreign e-commerce platform who operates in Indonesia should store the data at least 10 years for financial transaction and 5 years for non-financial transactions since the data were collected.

Law No. 27 establishes a general framework for the protection of personal data in Indonesia. It is closely aligned with international data privacy standards, and is largely modelled on the European Union’s General Data Protection Regulation. Data controllers, data processors and relevant parties that process personal data are given a two year transition period following the enactment of Law No. 27, thus up to 17 October 2024 to conform with it. Once the transition period elapses, all such parties must comply with all the provisions of Law No. 27 and any noncompliance thereto may possibly be enforced.

Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.

Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).

Art. 2 of the Financial Service Authority (OJK) Circular Letter No. 14/SEOJK.07/2014 stipulates that financial service institutions should not disclose the data of its customer to a third party unless they get consent from the data owner. The consent should be expressed in writing.

Art. 21 of Government Regulation No. 71/2019 states that the electronic systems operators for private scope can store and process the electronic transaction data outside Indonesia under certain conditions. The companies must ensure that their electronic systems and data are accessible to the Indonesian authority for supervision and law enforcement. ESOs for private scope are defined as the intended subject being a Person, Business Entity, or community consisting of (i) ESO that are regulated and supervised by the relevant Ministry or Institution based on laws and regulations, and (ii) ESO which own portals, websites, or applications within the internet network, whose electronic system is used in and/or offered in Indonesian territory, and is used, among others, to sell, manage and/or operate offers and/or trade goods and/or services and search engine. Regulation of Minister of Communication and Informatics No. 5 of 2020 on Private Electronic System Operators (“Regulation 5”) implements Government Regulation No. 71/2019.

The Ministry of Communication and Informatics (MOCI) Regulation No. 20 of 2016 stipulates that consent from the data subject is necessary for the transfer of data, such consent must also be in Bahasa Indonesia (or in bilingual format) and collected online or by paper hard copies. The Regulation also mandates that personal data that is electronically stored should be encrypted.
Under Government Regulation No. 71/2019, consent must be obtained from data subjects for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.

Art. 56 of Law No. 27 regarding Personal Data Protection allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if recipient country has an adequate level of protection. If the country is not adequate, the controller must ensure an adequate and binding personal data protection. Alternatively, the controller must obtain the consent of the data subject.

Art. 20 of Regulation No. 71 provides that the public electronic system operators (ESOs) are required to manage, process, and/or store electronic systems and electronic data in the territory of Indonesia, except if the technology is not yet available. Private ESOs can manage, process, and/or store electronic systems and electronic data in Indonesia and/or outside the country (Art. 21). However, if management is carried out outside, it must ensure the effectiveness of supervision by the ministry, etc.
Art. 1 contains several key definitions:
- Electronic system: a set of electronic equipment and procedures which have the function to prepare, collect, process, analyze, store, display, announce, deliver and/or disseminate electronic information.
- ESO: any persons, state administrators, business entities and the public that provide, manage and/or operate an electronic system individually or jointly to electronic system users for its own interests and/or the interests of another party.
- Public ESO: an electronic system operation by a state administrator agency or institutions appointed by a state administrator agency.
- Private ESO: an electronic system operation by a person, business entity and the public.
With the entry into force of Regulation No. 71, Regulation No. 82 was repealed and declared null and void. Under Art. 17 of Regulation No. 82, ESOs for public services had to establish a data centre in Indonesia resulting in many private sector companies being subject to the requirement to place a data center within Indonesia.

Art. 21 of Government Regulation No. 46/2020 mandates that the health data should be stored in Indonesia.

In accordance with Art. 35 of OJK Regulation (POJK) No. 11/POJK.03/2022, banks are required to place their electronic systems in data centers and disaster recovery centers in Indonesia. Yet, banks may place them outside Indonesia upon obtaining authorization from the Financial Services Authority (OJK). According to Art. 36, banks may apply for an authorization provided that they:
- meet the regulatory provisions on the use of IT service providers in IT implementation;
- submit the results of the country risk analysis;
- ensure that the placement of the electronic systems in data centers and/or disaster recovery centers outside Indonesia does not diminish the effectiveness of OJK’s supervision as demonstrated by a statement letter;
- ensure that information regarding the bank’s confidentiality is only disclosed on the condition that such disclosure complies with the provisions of the statutory regulations in Indonesia, as evidenced by the cooperation agreement between the bank and the IT service provider;
- ensure that the written agreement with the IT service provider contains a choice of law clause;
- submit a no-objection letter from the supervisory authority of the IT service provider outside Indonesia that OJK can conduct inspections on the IT service provider;
- submit a statement letter that the bank shall periodically submit the results of assessments conducted by the bank office(s) outside Indonesia on the application of risk management on the IT service provider;
- ensure that the placement plan of the electronic systems in data centers and/or disaster recovery centers outside Indonesia delivers more benefits than the costs for the bank; and
- submit the bank's plan to improve the bank's human resources capacity, both in IT implementation and in business transactions or products offered.
In addition, according to Art. 39, banks are required to process IT-based transactions within the Indonesian territory. However, the processing of IT-based transactions by the IT service providers outside Indonesia can be carried out provided that the bank has obtained authorization from OJK. Banks may apply for an authorization on the condition that:
- IT service providers comply with the prudential principle, with the regulatory provisions on the IT service providers in IT implementation, and take heed of consumer protection.
- the supporting documents for financial administration for transactions conducted at the bank offices in Indonesia are administered at the bank offices in Indonesia; and
- the bank's business plan demonstrates efforts to increase the bank’s role in developing Indonesia’s economy.
OJK Regulation (POJK) No. 11/POJK.03/2022 revoked and declared null and void OJK Regulation (POJK) No. 38/POJK.03/2016, which already required foreign banks and payments networks to locate data centers and process electronic transactions in Indonesia.

Art. 35 of Bank Indonesia Regulation No. 22/23/PBI/2020 requires domestic processing of initiation-authorization-clearing-settlements phases of payment transactions for instruments issued by Indonesia's payment service provider and conducted within the territory of the Republic of Indonesia. Indonesia opens the possibility of such payment transactions to be processed outside of Indonesian territory for the purpose of global reconciliation, integrated risk management system/anti-money laundering. However, this is subject to Bank Indonesia's approval.

Indonesia has a telecommunications authority: Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that the decision making process of this entity is not fully independent from the government.

Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

PT Telekomunikasi Indonesia (Telekom), the incumbent, is a semi-privatized, majority State-owned company. The Government of Indonesia is the majority shareholder with 52.1% shares. It has a dominant market share in terms of mobile phone subscribers (approximately 45 to 50%). In 2019, Telekom's cellular network had 59.6% market shares making it the biggest player among the competitors.