INDONESIA

Since October 2019
Since November 2020, last amended in November 2021

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Regulation of the Government of the Republic of Indonesia No. 71 of 2019 on Electronic System and Transaction Operations (Peraturan Pemerintah Republik Indonesia Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem Dan Transaksi Elektronik)

Regulation of the Minister of Communications and Informatics of the Republic of Indonesia No. 5 of 2020 on Private Electronic System Operators (“Regulation 5”) (Peraturan Menteri Komunikasi Dan Informatika Republik Indonesia Nomor 5 Tahun 2020 Tentang Penyelenggara Sistem Elektronik Lingkup Privat)
Art. 21 of Government Regulation No. 71/2019 allows electronic system operators (ESOs) in the private sector to store and process electronic transaction data outside Indonesia, provided certain conditions are met. Companies must ensure that their electronic systems and data remain accessible to Indonesian authorities for supervision and law enforcement. ESOs in the private sector are defined as individuals, business entities, or communities that either (i) are regulated and supervised by the relevant Ministry or Institution based on laws and regulations or (ii) own portals, websites, or applications within the internet network used in, or offered in Indonesia, including those involved in selling, managing, operating, or offering goods and services, as well as search engines. Regulation of Minister of Communication and Informatics No. 5 of 2020 on Private Electronic System Operators ("Regulation 5") implements Government Regulation No. 71/2019.
Coverage Electronic systems operators for private scope

INDONESIA

Since April 2008, entry into force in April 2010, as amended in November 2016, last amended in January 2024

Pillar Content access  |  Indicator Blocking or filtering of commercial web content
Law No. 11 on Electronic Information and Transactions (Undang-undang (UU) Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik)
Art. 40 of the Law on Electronic Information and Transactions confers upon the government the authority to terminate access to electronic information and/or electronic documents, or to instruct electronic system operators to do so, where such material contains unlawful content. Any such instruction addressed to an electronic system operator may take the form of access termination and/or independent content moderation in respect of electronic information and/or electronic documents containing pornographic material, gambling-related content, or other forms of content as stipulated under the applicable laws and regulations, insofar as such measures are technologically feasible. In addition, the government is empowered to require electronic system operators to undertake content moderation of electronic information and/or electronic documents that are deemed harmful to the safety of life or to the health of individuals or the public at large.
It is reported that, in May 2025, the authorities briefly blocked access to the digital library Archive.org. This temporary restriction formed part of the government’s enforcement actions in response to potential copyright infringements and the identification of content alleged to contravene the Law on Electronic Information and Transactions.
Coverage Digital library Archive.org

INDONESIA

Since November 2019

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Art. 59 of Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.
Coverage E-commerce activities

INDONESIA

Since December 2016

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Regulation of Minister of Communication and Informatics No. 20 of 2016 on Personal Data Protection in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Pursuant to Arts. 1, 3, and 6 of the "Regulation of the Minister of Communication and Informatics No. 20 of 2016 on Personal Data Protection in Electronic Systems", electronic system operators are required to obtain the consent of data subjects prior to any cross-border transfer of personal data. Such consent must be provided either in Bahasa Indonesia or in a bilingual format and may be obtained either electronically or in hard copy.
For the purposes of this regulation, an electronic system operator is defined as any individual, state authority, business entity, or community group that provides, manages, and/or operates electronic systems, either independently or jointly, for the benefit of users of electronic systems, whether for their own purposes or on behalf of third parties.
Coverage Electronic system operators

INDONESIA

Signed in March 2019, entry into force in July 2020

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Indonesia - Australia Comprehensive Economic Partnership Agreement
Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).
Coverage Horizontal

INDONESIA

Since September 2022, entry into force in October 2022

Pillar Domestic data policies  |  Indicator Framework for data protection
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
The Law on Personal Data Protection provides a comprehensive regime of data protection in Indonesia.
Coverage Horizontal

INDONESIA

Since December 2016
Since September 2022, entry into force in October 2022

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)

Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
The Minister of Communication and Informatics Regulation No. 20 of 2016 sets the minimum retention period for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, under which personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.
Coverage Electronic systems operators

INDONESIA

Since November 2019

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Government Regulation No. 80/2019 states that domestic or foreign e-commerce platforms that operate in Indonesia should store data for at least 10 years for financial transactions and 5 years for non-financial transactions, counted from the time the data were collected.
Coverage E-commerce platforms

INDONESIA

Since September 2022, entry into force in October 2022
Since December 2016

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)

Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Art. 53 of Law No. 27 introduces the requirement for controllers and processors to appoint a data protection officer (DPO) in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing that is specific in nature and/or related to criminal conduct.
Additionally, while Regulation No. 20 does not stipulate the requirement of a DPO, Art. 28(i) requires electronic system operators to provide a point of contact whom data subjects can easily reach regarding the management of their personal data.
Coverage Horizontal

INDONESIA

Since September 2022, entry into force in October 2022
Since October 2019

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)

Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (Peraturan Pemerintah Republik Indonesia Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem Dan Transaksi Elektronik)
According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incur. The provision defines 'risk management' as conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system they manage.
Coverage Horizontal

INDONESIA

Since December 2016

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.
Coverage Electronic system providers

INDONESIA

Since October 2011

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Law No. 17/2017 on State Intelligence 2011 (Undang-undang Republik Indonesia Nomor 17 Tahun 2011 Tentang Intelijen Negara)
The Law on State Intelligence, passed in October 2011, mandates that the collection of information on a person who is considered harmful to national interest and security should be based on the Head of State Intelligence Agency's order. The Law broadly authorises the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including the collection of information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on the Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in cooperation with a law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.
Coverage Horizontal

INDONESIA

Since March 2021

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Regulation No. 4/POJK.05/2021 - Implementation of Risk Management in the Use of Information Technology by Nonbank Financial Services Institutions (Peraturan Otoritas Jasa Keuangan Republik Indonesia Nomor 4 /pojk.05/2021 Tentang Penerapan Manajemen Risiko Dalam Penggunaan Teknologi Informasi Oleh Lembaga Jasa Keuangan Nonbank)
Under Art. 23 of Regulation No. 4/05/2021, non-bank financial institutions are obligated to place their data centre and/or disaster recovery centre within the territory of Indonesia. An exemption from this obligation may apply only after obtaining prior approval from the Financial Services Authority (Otoritas Jasa Keuangan, OJK) and only for certain purposes of the electronic system.
Coverage Non-bank financial institutions

INDONESIA

Since April 2021

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
MOCI Regulation No. 3 of 2021 on Business Activity and Product Standards in Implementing Risk-Based Business Licensing in the Postal, Telecommunications and Electronic Systems and Transactions Sector (Peraturan Menteri Komunikasi dan Informatika Nomor 3 Tahun 2021 tentang Standar Kegiatan Usaha dan Standar Produk pada Penyelenggaraan Perizinan Berusaha Berbasis Risiko Sektor Pos, Telekomunikasi, dan Sistem dan Transaksi Elektronik)
Annex I of Regulation 3/2021 mandates that providers of electronic certification and digital signature services establish their systems within the territory of Indonesia.
Coverage Electronic certification and digital signature service providers

INDONESIA

Since October 2021, last amended in November 2022

Pillar Cross-border data policies  |  Indicator Infrastructure requirement
Regulation No. 8 of 2021 on Implementing Guideline of Physical Market Trading of Crypto Assets in the Futures Exchange (Nomor 8 Tahun 2021 Pedoman Penyelenggaraan Perdagangan Pasar Fisik Aset Kripto (Crypto Asset) di Bursa Berjangka)
Under Arts. 7, 11, 14 and 18 of Bappebti Regulation No. 8/2021, the stakeholders of crypto asset trade (i.e., futures market, futures clearing institution, crypto asset physical trader, and crypto asset depository manager) are obligated to place their disaster recovery centre as well as a server or cloud server within Indonesia. The disaster recovery centre must be located within a maximum distance of 20 km from the main server. A crypto asset is defined as a digital, intangible commodity that utilises cryptography, information technology networks, and distributed ledgers to create new units, verify transactions, and secure them without third-party intervention.
Coverage Stakeholders of crypto asset trade
