Database

Browse Database

INDONESIA

Since April 2008, entry into force in April 2010, as amended in November 2016, last amended in January 2024

Pillar Content access  |  Indicator Blocking or filtering of commercial web content
Law No. 11 on Electronic Information and Transactions (Undang-undang (UU) Nomor 11 Tahun 2008 tentang Informasi dan Transaksi Elektronik)
Art. 40 of the Law on Electronic Information and Transactions confers upon the government the authority to terminate access to electronic information and/or electronic documents, or to instruct electronic system operators to do so, where such material contains unlawful content. Any such instruction addressed to an electronic system operator may take the form of access termination and/or independent content moderation in respect of electronic information and/or electronic documents containing pornographic material, gambling-related content, or other forms of content as stipulated under the applicable laws and regulations, insofar as such measures are technologically feasible. In addition, the government is empowered to require electronic system operators to undertake content moderation of electronic information and/or electronic documents that are deemed harmful to the safety of life or to the health of individuals or the public at large.
It is reported that, in May 2025, the authorities briefly blocked access to the digital library Archive.org. This temporary restriction formed part of the government’s enforcement actions in response to potential copyright infringements and the identification of content alleged to contravene the Law on Electronic Information and Transactions.
Coverage Digital library Archive.org

INDONESIA

Since November 2019

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Art. 59 of the Government Regulation No. 80/2019 states that personal data collected in e-commerce activities cannot be sent overseas unless the relevant Ministries confirm that the foreign country has the same level of personal data protection standard as Indonesia.
Coverage E-commerce activities

INDONESIA

Since December 2016

Pillar Cross-border data policies  |  Indicator Conditional flow regime
Regulation of Minister of Communication and Informatics No. 20 of 2016 on Personal Data Protection in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Pursuant to Arts. 1, 3, and 6 of the "Regulation of the Minister of Communication and Informatics No. 20 of 2016 on Personal Data Protection in Electronic Systems", electronic system operators are required to obtain the consent of data subjects prior to any cross-border transfer of personal data. Such consent must be provided either in Bahasa Indonesia or in a bilingual format and may be obtained either electronically or in hard copy.
For the purposes of this regulation, an electronic system operator is defined as any individual, state authority, business entity, or community group that provides, manages, and/or operates electronic systems, either independently or jointly, for the benefit of users of electronic systems, whether for their own purposes or on behalf of third parties.
Coverage Electronic system operators

INDONESIA

Signed in March 2019, entry into force in July 2020

Pillar Cross-border data policies  |  Indicator Participation in trade agreements committing to open cross-border data flows
Indonesia - Australia Comprehensive Economic Partnership Agreement
Indonesia has joined an agreement with binding commitments to open transfers of data across borders: Indonesia - Australia Comprehensive Economic Partnership Agreement (Art. 13.11).
Coverage Horizontal

INDONESIA

Since September 2022, entry into force in October 2022

Pillar Domestic data policies  |  Indicator Framework for data protection
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
The Law on Personal Data Protection provides a comprehensive regime of data protection in Indonesia.
Coverage Horizontal

INDONESIA

Since December 2016
Since September 2022, entry into force in October 2022

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)

Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)
The Minister of Communication and Informatics Regulation No. 20 of 2016 mandates the minimum retention for stored personal data at five years (unless stated otherwise in other laws and regulations). An exemption to this provision is stipulated under Art. 16 of Law No. 27, where personal data must be destroyed and/or deleted after the expiry of the retention period or at the request of the data subject.
Coverage Electronic systems operators

INDONESIA

Since November 2019

Pillar Domestic data policies  |  Indicator Minimum period for data retention
Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Government Regulation No. 80/2019 states that domestic or foreign e-commerce platforms that operate in Indonesia should store data for at least 10 years for financial transactions and 5 years for non-financial transactions since the data were collected.
Coverage E-commerce platforms

INDONESIA

Since September 2022, entry into force in October 2022
Since December 2016

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)

Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Art. 53 of Law No. 27 introduces the requirement for controllers and processors to appoint a data protection officer (DPO) in certain circumstances, namely where:
- the data processing is carried out for the benefit of public services;
- the nature, scope, and/or purposes of the main activity of the controller require organised and systematic supervision on a large scale; and
- the main activity of the controller consists of large-scale processing that is specific in nature and/or related to criminal conduct.
Additionally, while Regulation No. 20 do not stipulate the requirement of a DPO, Art. 28(i) requires electronic system operators to provide a point of contact who can be easily contacted by the data subject relating to the management of their personal data.
Coverage Horizontal

INDONESIA

Since September 2022, entry into force in October 2022
Since October 2019

Pillar Domestic data policies  |  Indicator Requirement to perform a Data Protection Impact Assessment (DPIA) or have a data protection officer (DPO)
Law No. 27 of 2022 on Personal Data Protection (Undang-undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi)

Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions (Peraturan Pemerintah Republik Indonesia Nomor 71 Tahun 2019 Tentang Penyelenggaraan Sistem Dan Transaksi Elektronik)
According to Art. 34 of Law No. 27, the data controller is obliged to conduct a Data Protection Impact Assessment if the personal data processing has a high potential risk to the personal data subjects. Personal data processing with high potential risk includes:
- automatic decision-making that has legal consequences or a significant impact on the data subject;
- processing of specific personal data;
- processing of large-scale personal data;
- processing of personal data for systematic evaluation, scoring, or monitoring of data subjects;
- processing of personal data for the activity of matching or combining a group of data;
- the use of new technologies in the processing of personal data; and/or
- the processing of personal data that limits the exercise of the rights of the data subject.
On the other hand, under Art. 12 of Government Regulation No. 71, electronic system providers must apply risk management towards damages or losses that they incur. Such provision provides the meaning of 'risk management', which is conducting risk analysis and formulating mitigation measures and countermeasures to overcome threats, disturbances, and obstacles to the electronic system it manages.
Coverage Horizontal

INDONESIA

Since December 2016

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Regulation of the Minister of Communication and Information Technology No. 20 of 2016 on Protection of Personal Data in Electronic Systems (Peraturan Menteri Komunikasi dan Informatika Nomor 20 Tahun 2016 Tentang Perlindungan Data Pribadi Dalam Sistem Elektronik)
Art. 23 of Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems provides that, for the purpose of the law enforcement process, electronic system providers are obliged to provide personal data that is contained in electronic systems or personal data generated by electronic systems, upon a legitimate request made by law enforcement officers in accordance with the provisions of laws and regulations.
Coverage Electronic system providers

INDONESIA

Since October 2011

Pillar Domestic data policies  |  Indicator Requirement to allow the government to access personal data collected
Law No. 17/2017 on State Intelligence 2011 (Undang-undang Republik Indonesia Nomor 17 Tahun 2011 Tentang Intelijen Negara)
The Law on State Intelligence passed in October 2011 mandates that the collection of information on a person that is considered harmful to national interest and security should be based on the Head of State Intelligence Agency's order. The Law broadly authorises the Indonesian State Intelligence Agency (BIN) to engage in efforts “to prevent and/or to fight any effort, work, intelligence activity, and/or opponents that may be harmful to national interests and national security” (Art. 6). This may include communications surveillance. BIN's intelligence activities, including to collect information, should meet the following requirements: 1) they are for the purpose of intelligence function; 2) they are based on the Head of BIN's order; 3) they should be conducted without making any arrest and/or detention; and 4) they should be conducted in cooperation with a law enforcement agency. Civil society advocates in Indonesia had denounced the draft bill, which was nevertheless passed.
Coverage Horizontal

INDONESIA

Since December 2016
Since November 2019

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for copyright infringement
Circular of the Minister of Communication and Information Technology No. 5/2016

Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)
Circular of the Minister of Communication and Information Technology No. 5/2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No. 80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or restrict access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or features in the platform for users to submit a report.
The regulation discharges intermediary service providers from any liability for illegal content, provided that such providers act as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.
Coverage Internet Intermediaries

INDONESIA

Since December 2016
Since November 2019
Since November 2020, last amended in November 2021

Pillar Intermediary liability  |  Indicator Safe harbour for intermediaries for any activity other than copyright infringement
Circular of the Minister of Communication and Information Technology No. 5/2016

Government Regulation of the Republic of Indonesia No. 80 of 2019 on Trading Through Electronic Systems (Peraturan Pemerintah Republik Indonesia Nomor 80 Tahun 2019 Tentang Perdagangan Melalui Sistem Elektronik)

Regulation of the Minister of Communications and Informatics of the Republic of Indonesia No. 5 of 2020 on Private Electronic System Operators (“Regulation 5”) (Peraturan Menteri Komunikasi Dan Informatika Republik Indonesia Nomor 5 Tahun 2020 Tentang Penyelenggara Sistem Elektronik Lingkup Privat)
Circular of the Minister of Communication and Information Technology No. 5/ 2016 provides the exemption to e-commerce providers from liability for failures to comply with the relevant laws in the event of force majeure, errors, or negligence. E-commerce providers will only be responsible for prohibited content posted on their platform if they are unable to prove that the uploading of such content was caused by the users.
In addition, Government Regulation No. 80/2019 provides broad immunity to e-commerce service providers and intermediary service providers from the legal consequences arising from illegal third-party content. For e-commerce service providers, the regulation discharges them from any liability for illegal content found on their platforms, provided they have acted expeditiously to remove or restrict access to such content after knowing of its existence (either by way of a report from a third party or finding it out themselves). To ensure that an e-commerce service provider is alerted of illegal content on its platform, the regulation requires such provider to provide terms of use/terms and conditions of the platform to its users and employ certain technology and/or features in the platform for users to submit a report.
The regulation discharges intermediary service providers from any liability for illegal content, provided that such providers act as a mere conduit. If an intermediary service provider provides an 'interactive computer service', such as a social media platform, they will be discharged from any liability for restricting or removing access to content if such action was carried out in good faith and based on a report that such content is illegal.
Furthermore, MOCI Regulation 5 of 2020 provides that private ESOs hosting user-generated content may be exempted from legal liability for prohibited content transmitted or distributed on their electronic systems as long as they have fulfilled their governance obligations, shared information on subscribers who uploaded the prohibited content for monitoring and law enforcement purposes, and take down the prohibited content as regulated under MOCI Regulation 5. According to the law, private ESOs must ensure that their electronic systems do not (i) contain prohibited electronic information or documents and (ii) facilitate the dissemination of prohibited electronic information or documents. They also must take down prohibited content within 24 hours or four hours (the latter is for urgent prohibited content, such as child pornography content, terrorism content, and content that causes public unrest, which is very broad) after receiving the takedown notice. MOCI Regulation 5 classifies prohibited content into content that is in violation of laws and regulations, causes anxiety for society, and disturbs public order based on the government’s assessment, posts, or provides access to prohibited content.
Coverage Internet Intermediaries

INDONESIA

Since September 2017

Pillar Intermediary liability  |  Indicator User identity requirement
Minister of Communication and Information Technology Regulation No. 14 of 2017
According to Art. 5 of the Minister of Communication and Information Technology Regulation No.14 of 2017, to get a prepaid phone SIM card in Indonesia, a customer must register their phone prepaid SIM card with their valid national ID and family register card, or a passport for foreigners. For the Registration process using a passport, the information to be registered includes at least name, passport number, citizenship, and place and date of birth.
Coverage Telecommunications sector

INDONESIA

Since November 2020

Pillar Intermediary liability  |  Indicator Monitoring requirement
Regulation of the Minister of Communication and Information Technology No. 5 of 2020 concerning Electronic System Operators for Private Scope (MR5)
According to regulation MR5 of 2020, Private Electronic System Operators (ESOs), except cloud providers, are required to ensure that their service, websites, or platforms do not contain and do not facilitate the dissemination of prohibited information or documents. Private ESOs are then required to ensure that their system does not carry prohibited content or information, which will, in practice, require a general monitoring obligation and the adoption of content filters.
Coverage Internet Intermediaries

Report issue     Report new measure