INDONESIA
Since September 2017
Pillar Intermediary liability
Indicator User identity requirement
Minister of Communication and Information Technology Regulation No. 14 of 2017
According to Art. 5 of the Minister of Communication and Information Technology Regulation No. 14 of 2017, to get a prepaid SIM card in Indonesia, a customer must register the card with their valid national ID and family register card, or with a passport for foreigners. For registration using a passport, the information to be registered includes at least name, passport number, citizenship, and place and date of birth.
Coverage Telecommunications sector
INDONESIA
Since November 2020
Pillar Intermediary liability
Indicator Monitoring requirement
Regulation of the Minister of Communication and Information Technology No. 5 of 2020 concerning Electronic System Operators for Private Scope (MR5)
According to regulation MR5 of 2020, Private Electronic System Operators (ESOs), except cloud providers, are required to ensure that their services, websites, or platforms do not contain and do not facilitate the dissemination of prohibited information or documents. Because Private ESOs must ensure that their systems do not carry prohibited content or information, the rule will, in practice, amount to a general monitoring obligation and require the adoption of content filters.
Coverage Internet Intermediaries
Sources
- https://web.archive.org/web/20231230075107/https://www.eff.org/deeplinks/2021/02/indonesias-proposed-online-intermediary-regulation-may-be-most-repressive-yet
- https://web.archive.org/web/20230206185619/https://www.accessnow.org/indonesia-intermediary-liabilities/
- https://web.archive.org/web/20210223141830/https://jdih.kominfo.go.id/produk_hukum/view/id/759/t/peraturan+menteri+komunikasi+dan+informatika+nomor+5+tahun+2020
INDONESIA
Reported in 2023
Pillar Content access
Indicator Blocking or filtering of commercial web content
Blocking the online content
It is reported that websites and apps in Indonesia are frequently blocked for hosting what the government defines as “negative” content or for not complying with national regulations. For instance, in 2021, the Ministry of Communication and Information Technology (Kominfo) blocked the platforms Snack Video, TikTok Cash, and VTube on the grounds that they engaged in financial and other services without Financial Services Authority (OJK) licensing. In July and August 2022, Kominfo blocked access to major sites, including Yahoo, the gaming service Steam, and the payment processor PayPal, for several days. These sites were unblocked after complying with registration requirements under MR 5/2020. Additionally, between 2016 and July 2020, the film and television streaming service Netflix was inaccessible to Telkom Indonesia and Telkomsel customers despite the absence of a formal blocking notification from Kominfo. In September 2023, Kominfo blocked TikTok Indonesia. The Ministry of Trade stated that it is working to further regulate e-commerce, emphasising that transactions on social media platforms are not permitted in the country.
Coverage Websites
INDONESIA
Since November 2020
Since October 2019
Pillar Content access
Indicator Licensing schemes for digital services and applications
Indonesia Minister of Communication and Informatics Regulation No. 5/2020 (Peraturan Menteri Komunikasi dan Informatika Nomor 5 Tahun 2020 tentang Penyelenggara Sistem Elektronik Lingkup Privat)
Government Regulation No. 71/2019 on the Provision of Electronic System and Transaction (Peraturan Pemerintah (PP) Nomor 71 Tahun 2019 Penyelenggaraan Sistem dan Transaksi Elektronik)
According to the Minister of Communication and Informatics Regulation No. 5 of 2020 on Private Electronic System Operators, foreign Private Electronic System Operators (ESOs) are required to register their businesses with the relevant ministry through the online single submission system. ESOs should also appoint liaison officers, who have to be domiciled in Indonesia. The duty of the liaison officer is to facilitate any access request by government authorities and takedown requests. According to the regulation, ESOs are persons, business entities, or communities that operate an electronic system. ESOs include electronic system operators that are supervised by ministers or institutions in accordance with laws and regulations, and electronic system operators that have an online portal, site, or application through the Internet. The requirement was first enacted with Government Regulation No. 71/2019 regarding the Provision of Electronic Systems and Transaction, which repealed Government Regulation No. 82 of 2012.
Coverage Electronic system operators
Sources
- https://web.archive.org/web/20231123132413/https://jdih.kominfo.go.id/produk_hukum/view/id/759/t/peraturan+menteri+komunikasi+dan+informatika+nomor+5+tahun+2020
- https://web.archive.org/web/20201029115911/https://www.bakermckenzie.com/en/insight/publications/2019/10/new-regulation-electronic-system-and-transactions
- https://web.archive.org/web/20231210174901/https://peraturan.bpk.go.id/Details/122030/pp-no-71-tahun-2019
- https://web.archive.org/web/20230103224650/https://www.lexology.com/library/detail.aspx?g=cd6e5251-6dd7-4b46-b6be-759c78c9bf7b
- https://web.archive.org/web/20231129193145/https://www.globalcompliancenews.com/2022/07/05/indonesia-deadline-for-registration-of-electronic-system-operators-is-now-set-for-20-july-2022-01072022/
INDONESIA
Since March 2014, last amended in November 2020
Since August 2007, last amended in December 2022
Pillar Quantitative trade restrictions for ICT goods and online services
Indicator Other import restrictions, including non-transparent/discriminatory import procedures
Law of the Republic of Indonesia No. 7/2014 About Trade (Trade Act)
The Law of the Republic of Indonesia No. 40 of 2007 Concerning Limited Liability Company
Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.
Coverage Horizontal
Sources
- https://sim.oecd.org/Simulator.ashx?lang=En&ds=DGSTRI&d1c=apf&d2c=idn
- https://web.archive.org/web/20240822111156/https://peraturan.bpk.go.id/Download/27842/UU%20Nomor%2007%20Tahun%202014.pdf
- https://web.archive.org/web/20241117121348/http://faolex.fao.org/docs/pdf/ins49202.pdf
- https://web.archive.org/web/20240330201015/https://peraturan.bpk.go.id/Download/29563/UU%20Nomor%2040%20Tahun%202007.pdf
- https://web.archive.org/web/20230102004217/http://www.flevin.com/id/lgso/translations/Laws/Law%20No.%2040%20of%202007%20on%20Limited%20Liability%20Companies%20(BKPM).pdf
INDONESIA
Since 2021, last amended in 2022
Pillar Quantitative trade restrictions for ICT goods and online services
Indicator Other import restrictions, including non-transparent/discriminatory import procedures
Ministry of Trade Regulation (MOT) No. 20/2021
It is reported that according to the Ministry of Trade Regulation (MOT) 20/2021, which was amended by MOT Regulation 25/2022, pre-shipment verification by designated companies (known in Indonesia as “surveyors”) is required for a broad range of products, including electronics. It is reported that the verifications are conducted at the importer’s expense and impede the entry of imports to designated ports and airports. Despite reports about this regulation, the regulatory text could not be located online.
Coverage Several products, including electronics such as mobile phones
INDONESIA
Reported in 2022, last reported in 2023
Pillar Quantitative trade restrictions for ICT goods and online services
Indicator Other import restrictions, including non-transparent/discriminatory import procedures
Lack of transparency on import licensing
Companies have reported that, in some cases, the Ministry of Information is informally limiting import quantities under existing licenses (issued under the Ministry of Information's Regulation 108/2012) to protect locally manufactured cell phones, handheld computers, and tablets.
Coverage Several products, including electronics such as mobile phones
INDONESIA
Since December 2016
Since September 2022, entry into force in October 2022
Pillar Domestic data policies
Indicator Minimum period for data retention
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
The Minister of Communication and Informatics Regulation No. 20 of 2016 mandates the minimum retention for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.
Coverage Electronic systems operators
Sources
- https://web.archive.org/web/20231001131647/https://jdih.kominfo.go.id/produk_hukum/view/id/553/t/peraturan+menteri+komunikasi+dan+informatika+nomor+20+tahun+2016+tanggal+1+desember+2016
- https://web.archive.org/web/20231013182200/https://www.dataguidance.com/sites/default/files/data_privacy_english_-_permenkominfo_no_20_of_2016.pdf
- https://www.dataguidance.com/notes/indonesia-data-protection-overview
- https://web.archive.org/web/20221006175029/https://www.globalcompliancenews.com/2017/01/25/argentina-regulation-personal-data-protection-20170125/
- https://web.archive.org/web/20230725103417/https://peraturan.bpk.go.id/Download/224884/UU%20Nomor%2027%20Tahun%202022.pdf
INDONESIA
Since November 2019
Pillar Domestic data policies
Indicator Minimum period for data retention
Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Government Regulation No. 80/2019 states that domestic or foreign e-commerce platforms that operate in Indonesia should store data for at least 10 years for financial transactions and 5 years for non-financial transactions, counted from the time the data were collected.
Coverage E-commerce platforms
INDONESIA
Since September 2022, entry into force in October 2022
Since December 2016
Pillar Domestic data policies
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Art. 53 of Law No. 27 introduces the requirement for controllers and processors to appoint a data protection officer (DPO) in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing that is specific in nature and/or related to criminal conduct.
Additionally, while Regulation No. 20 does not stipulate the requirement of a DPO, Art. 28(i) requires electronic system operators to provide a point of contact who can be easily contacted by the data subject regarding the management of their personal data.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230330024345/https://peraturan.bpk.go.id/Home/Details/229798/uu-no-27-tahun-2022
- https://web.archive.org/web/20231001131647/https://jdih.kominfo.go.id/produk_hukum/view/id/553/t/peraturan+menteri+komunikasi+dan+informatika+nomor+20+tahun+2016+tanggal+1+desember+2016
- https://web.archive.org/web/20240330180940/https://www.dataguidance.com/sites/default/files/data_privacy_english_-_permenkominfo_no_20_of_2016.pdf
- https://www.dataguidance.com/notes/indonesia-data-protection-overview
INDONESIA
Since September 2022, entry into force in October 2022
Since October 2019
Pillar Domestic data policies
Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (Peraturan Pemerintah Republik Indonesia Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem Dan Transaksi Elektronik)
According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incur. The provision defines 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system the provider manages.
Coverage Horizontal
Sources
- https://web.archive.org/web/20230330024345/https://peraturan.bpk.go.id/Home/Details/229798/uu-no-27-tahun-2022
- https://web.archive.org/web/20240612183154/https://jdih.kominfo.go.id/produk_hukum/unduhTerjemahan/id/695/t/peraturan+pemerintah+nomor+71+tahun+2019
- https://web.archive.org/web/20230331064046/https://jdih.kominfo.go.id/produk_hukum/view/id/695/t/peraturan+pemerintah+nomor+71+tahun+2019+tanggal+10+oktober+2019
- https://www.dataguidance.com/notes/indonesia-data-protection-overview
INDONESIA
Since December 2016
Pillar Domestic data policies
Indicator Requirement to allow the government to access personal data collected
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.
Coverage Electronic system providers
INDONESIA
Since October 2011
Pillar Domestic data policies
Indicator Requirement to allow the government to access personal data collected
Law No. 17/2011 on State Intelligence (Undang-undang Republik Indonesia Nomor 17 Tahun 2011 Tentang Intelijen Negara)
The Law on State Intelligence passed in October 2011 mandates that the collection of information on a person that is considered harmful to national interest and security should be based on the Head of State Intelligence Agency's order. The Law broadly authorises the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including the collection of information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on the Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in cooperation with a law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.
Coverage Horizontal
INDONESIA
Since May 2014
Pillar Cross-border data policies
Indicator Ban to transfer and local processing requirement
Government Regulation of the Republic of Indonesia No. 46 of 2014 on Health Information Systems (Peraturan Pemerintah Republik Indonesia Nomor 46 Tahun 2014 Tentang Sistem Informasi Kesehatan)
Art. 21 of Government Regulation No. 46/2014 mandates that health data should be stored in Indonesia.
Coverage Health sector
INDONESIA
Since March 2021
Pillar Cross-border data policies
Indicator Infrastructure requirement
Regulation No. 4/POJK.05/2021 - Implementation of Risk Management in the Use of Information Technology by Nonbank Financial Services Institutions (Peraturan Otoritas Jasa Keuangan Republik Indonesia Nomor 4 /pojk.05/2021 Tentang Penerapan Manajemen Risiko Dalam Penggunaan Teknologi Informasi Oleh Lembaga Jasa Keuangan Nonbank)
Under Art. 23 of Regulation No. 4/POJK.05/2021, non-bank financial institutions are obligated to place their data centre and/or disaster recovery centre within the territory of Indonesia. An exemption from this obligation may be granted only after obtaining prior approval from the Financial Services Authority (Otoritas Jasa Keuangan, OJK) and only for certain purposes of the electronic system.
Coverage Non-bank financial institutions
Sources
- https://web.archive.org/web/20231124083636/https://www.ojk.go.id/id/regulasi/Documents/Pages/Penerapan-Manajemen-Risiko-dalam-Penggunaan-Teknologi-Informasi-oleh-Lembaga-Jasa-Keuangan-Nonbank/pojk%204...
- https://web.archive.org/web/20230725132220/https://www.dataguidance.com/opinion/indonesia-cybersecurity
