Art. 21 of Government Regulation No. 46/2020 mandates that the health data should be stored in Indonesia.

Under Art. 23 Regulation No. 4/05/2021, non-bank financial institutions are obligated to place their data centre and/or disaster recovery centre within the territory of Indonesia. An exemption of this obligation may only be applicable after obtaining prior approval from the Financial Services Authority (Otoritas Jasa Keuangan, OJK) and only for certain purposes of the electronic system.

Under Arts. 7, 11, 14 and 18 of Bappebti Regulation No. 8/2021, the stakeholders of crypto asset trade (i.e., futures market, futures clearing institution, crypto asset physical trader, and crypto asset depository manager) are obligated to place their disaster recovery centre as well as a server or cloud server within Indonesia. The disaster recovery centre must be located within a maximum distance of 20 km from the main server. A crypto asset is defined as a digital, intangible commodity that utilises cryptography, information technology networks, and distributed ledgers to create new units, verify transactions, and secure them without third-party intervention.

Art. 56 of Law No. 27 on Personal Data Protection allows the cross-border transfer of personal data from a controller to a controller and/or processor outside the jurisdiction of Indonesia if the recipient country has an adequate level of protection. If the country is not adequate, the controller must ensure an adequate and binding personal data protection. Alternatively, the controller must obtain the consent of the data subject.

The Ministry of Communication and Informatics (MOCI) Regulation No. 20 of 2016 stipulates that consent from the data subject is necessary for the transfer of data; such consent must also be in Bahasa Indonesia (or in bilingual format) and collected online or by paper hard copies. The Regulation also mandates that personal data that is electronically stored should be encrypted.
Under Government Regulation No. 71/2019, consent must be obtained from data subjects for cross-border transfers of personal data. Such consent must be “lawful consent”, i.e. consent that is delivered explicitly, cannot be concealed, and is not based on error, negligence or coercion.

Art. 2 of the Financial Service Authority (OJK) Circular Letter No. 14/SEOJK.07/2014 stipulates that financial service institutions should not disclose the data of their customers to a third party unless they get consent from the data owner. The consent should be expressed in writing.

Art. 21 of Government Regulation No. 71/2019 allows electronic system operators (ESOs) in the private sector to store and process electronic transaction data outside Indonesia, provided certain conditions are met. Companies must ensure that their electronic systems and data remain accessible to Indonesian authorities for supervision and law enforcement. ESOs in the private sector are defined as individuals, business entities, or communities that either (i) are regulated and supervised by the relevant Ministry or Institution based on laws and regulations or (ii) own portals, websites, or applications within the internet network used in, or offered in Indonesia, including those involved in selling, managing, operating, or offering goods and services, as well as search engines. Regulation of Minister of Communication and Informatics No. 5 of 2020 on Private Electronic System Operators ("Regulation 5") implements Government Regulation No. 71/2019.

Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.

Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).

Law No. 27 establishes a general framework for the protection of personal data in Indonesia. It is closely aligned with international data privacy standards and is largely modelled on the European Union’s General Data Protection Regulation. Data controllers, data processors, and relevant parties that process personal data are given a two-year transition period following the enactment of Law No. 27, which is up to 17 October 2024, to conform to it. Once the transition period elapses, all such parties must comply with all the provisions of Law No. 27, and any noncompliance thereto may possibly be enforced.

Indonesia mandates functional and accounting separation for operators with significant market power (SMP) in the telecom market (Art. 8 of the Government Regulations No. 52 regarding Telecommunications Operations).

Indonesia has appended the World Trade Organization (WTO) Telecom Reference Paper to its schedule of commitments.

Indonesia has a telecommunications authority: the Indonesian Telecommunication Regulatory Authority (BRTI). However, it is reported that this entity's decision-making process is not fully independent of the government.

The Ministry of Manpower and Transmigration Regulation No. 40/2012 specified 19 positions that are reserved for Indonesian nationality only, ranging from Chief Executive Officer to various directors, managers, and supervisors positions within a company.

Pursuant to Art. 24 of the Trade Act and Art. 5 of the Limited Liability Company Act, all exporters and importers are subject to a licence issued by the government, which is subject to a commercial presence requirement.