Indonesia does not have a policy or regulation regarding the protection of personal data in a special law. The stipulations about personal data are scattered in some laws and regulations. At present, Indonesia only has a bill specifically regulates personal data protection.

Regulations on personal data protection in Indonesia can be found in the Ministerial Regulation (Permen) Number 20 of 2016 on Personal Data Protection (PDP). This regulation was established by the government on November 7, 2016, and came into force on December 1, 2016.

Article 1 of the ministerial regulation defines Personal Data as “certain individual data that is stored, maintained, and maintained by the truth and protected by confidentiality”.

In addition to the Ministerial Regulation, the provisions on the protection of personal data, especially for Internet users, are regulated in Article 26 paragraph (1) of Law No. 19 of 2016 on Amendments to Law Number 11 of 2008 on Electronic Information and Transactions, stating:

“Unless otherwise specified by legislation, the use of any electronic information relating to a person’s personal data must be done with the consent of the Person concerned”

The dissemination of a person’s personal data is one such form of violation. Examples are abuse when we register personally such as attaching a photo of Identity Card / Family Card to an application, or abuse using “Zoom”, the video conferencing application to take photos or videos of important / personal documents that are then spread by irresponsible parties. These perpetrators have the potential to violate the article mentioned above.

Article 26 paragraph 2 of the law stipulates that

Any person who is violated his or her rights as intended in paragraph (1) may file a lawsuit for damages incurred under this Law.”

From the explanation above, it can be concluded that the act of spreading the contents of messages that are personal or contain personal data through electronic media is prohibited. If the content of the message is disseminated to a third party, its dissemination must have obtained the consent of the person involved in the communication.

Personal Data Protection Bill

The Personal Data Protection Bill which is currently under discussion specifically mentions about “important data that must be protected”. The data mentioned are related to biometric data, genetic data and personal financial data which are essentially data supporting each individual’s personal life.

In addition to personal data, the Personal Data Protection Bill also regulates general data and specific personal data as stipulated in Article 3 of the Bill:

1. Personal Data of a general nature, are including:

a. full name;
b. gender;
c. nationality;
d. religion; dan/or
e. Personal Data combined to identify a person.

2. Personal Data of a specific nature, are including:

a. data and health information;
b. biometrics;
c. genetic data;
d. life/sexual orientation;
e. political views;
f. crime records;
g. child data;
h. personal financial data; and/or
i. other data in accordance with the provisions of the laws and regulations.

In the Personal Data Protection Bill, sanctions for electronic data organizers such as market places involve in acts that deliberately leak personal data belonging to someone are stipulated in Article 61 Paragraph 2:

  • Any Person who intentionally and unlawfully discloses Personal Data that does not belong to him as intended in Article 51 Paragraph 2 shall be punished with imprisonment for a maximum of 2 (two) years or a maximum fine of Rp.20,000,000,000.00 (twenty billion rupiah).


Protecting Personal Data

In today’s digital age, almost all personal data can be recorded and accessed online. This makes personal data vulnerable to data theft. Often we hear news about data leaks, especially on e-commerce platforms  in Indonesia. There are some other websites that suffer such data theft such as Canva, Netflix, Wattpad, and Facebook. Rumors suggested that the user data was on sale. Whatever the motive for the data theft, it will be terrible for users. For this reason, users must consistently maintain the security of each data.

The following efforts can be used as a guide to keep personal data protected from possible data theft:

    1. ensuring users provide personal data to the right parties, for example in accessing online applications whether financial lending applications, e-commerce or social media;
    2. re-check the permissions of the accessed applications;
    3. not lazy to read the terms and conditions before agreeing to the terms and conditions of the application used;
    4. be careful in using Wi-Fi networks in public places such as airports, avoid access points that have the potential to ask for usernames, passwords, and other personal data information.


Author / Contributor:

 Saghara Luthfillah Fizara, S.H.



Mail       :

Phone    : +62-21 799 7973 / +62-21 799 7975