Indonesia personal data and cybersecurity quarterly update - March 2026 edition

Our latest overview of key legal and regulatory developments affecting Indonesia’s cybersecurity and personal data protection environment includes:

  • recent constitutional reviews of the PDP Law;
  • BSSN entering MoUs with several government agencies to enhance cybersecurity cooperation;
  • Indonesia signing an Agreement on Reciprocal Trade with the United States that recognises the US as a jurisdiction with adequate data protection;
  • an overview of notable global headlines; and
  • recent cybersecurity incidents and emerging risks in Indonesia.

The Indonesian government has also been progressing its data protection framework through a draft Presidential Regulation on the Personal Data Protection Agency (Badan Pelindungan Data Pribadi or the PDP Agency). In our next edition, we will provide our insights and commentary on the draft and what it may mean in practice for regulated entities. The PDP Agency is expected to take over the responsibilities and functions currently carried out by the Directorate General for the Supervision of Digital Space at the Ministry of Communication and Digital Affairs.

Indonesian regulatory updates and developments

Ongoing constitutional review of PDP Law

A petition for constitutional review was lodged with the Indonesian Constitutional Court (the Court) under case no. 284/PUU-XXII/2025 on 31 December 2025, seeking to review the constitutionality of Article 20(2)(a) of Law No. 27 of 2022 on Personal Data Protection (the PDP Law).

The provision being challenged requires explicit valid consent as a legal basis for processing personal data.

The petition was lodged after an alleged breach that reportedly resulted in the unauthorised use of the petitioner’s identity for an online loan application. The petitioner claims to have suffered financial loss, safety concerns, reputational harm, and adverse credit‑scoring as a result.

Article 20(2)(a) of the PDP Law provides that:

“Bases for the processing of Personal Data as referred to in paragraph (1) include: (a) valid explicit consent from the Personal Data Subject for one or more specific purposes that have been communicated by the Personal Data Controller to the Personal Data Subject.”

The petitioner argues that the PDP Law does not define what constitutes “valid explicit consent,” creating ambiguity and the risk of broad interpretation. In particular, the petitioner contends that the provision could be construed to permit consent to be obtained through a simple ‘click‑box’ mechanism, which could be done by another party.

The petition requests the Court to declare Article 20(2)(a) of the PDP Law unconstitutional and non-binding, unless interpreted to require that:

  • valid explicit consent must be given by the personal data subject; and
  • where personal data processing carries a high potential risk and is conducted through electronic systems, consent must be provided using an electronic signature secured with an electronic certificate, in accordance with applicable law.

It is not yet clear whether the Court will accept the petition. As of 27 January 2026, the petitioner was revising the petition following feedback from the Court at the preliminary hearing on 14 January 2026. [1]

Indonesia officially signs Agreement on Reciprocal Trade with the United States, recognising the US as a jurisdiction with adequate data protection

Further to our last newsletter, the Republic of Indonesia and the United States of America officially entered into an Agreement on Reciprocal Trade (ART) in February 2026. One area on which the parties agreed concerned digital trade and technology, including provisions on data protection and cross-border transfers.

Under the ART, Indonesia confirms the ability to move personal data out of its territory to the United States of America by recognising the United States of America as a country or jurisdiction providing adequate data protection under Indonesian law. [2]

Under the PDP Law, transferring personal data outside Indonesia is permitted provided that the transferring personal data controller ensures that the recipient country (ie the place where the receiving personal data controller and/or processor is located) offers an equal or higher level of personal data protection. Where this requirement cannot be met, the transferring personal data controller must ensure that adequate personal data protection is in place and that such protection is binding in nature. If neither condition is met, the explicit consent of the personal data subject must be obtained.

It is currently unclear whether personal data controllers can rely solely on Indonesia’s recognition of adequacy under the ART when they intend to transfer personal data to the US or whether they must still conduct a separate assessment of the US’s level of personal data protection to satisfy the PDP Law. If the latter, the PDP Law does not expressly state how a personal data controller can make such an assessment. Further, despite Indonesia’s recognition that the US’s level of data protection is adequate through the ART, some have voiced concerns over the lack of comprehensive data protection regulations in the US. [3]

Meanwhile, Indonesia’s Coordinating Ministry of Economic Affairs has stated that there will be no transfer of data sovereignty (kedaulatan data) under the ART, and that a secure and reliable data governance framework shall be observed in transfers of data to the US. The ministry also clarified that the “data” referred to in the ART is data required for business operations (application systems), the transfer of which forms the primary infrastructure for e-commerce, digital financial services, cloud and other digital services. [4]

BSSN signs MoU with Ministry of National Development Planning and Ministry of Labour

In December 2025, Indonesia’s State Cyber and Cryptography Agency (BSSN) entered into a five-year Memorandum of Understanding (MoU) with the Ministry of National Development Planning/National Development Planning Agency (Kementerian PPN/Bappenas).

The MoU establishes a framework for coordination and synergy between BSSN and Bappenas on cybersecurity and cryptography matters. The cooperation covers, among other things, the use of electronic certificates within Bappenas, support for national development planning in cybersecurity and cryptography, use of data and information, and technical and advisory services.

Through the MoU, BSSN and Bappenas reaffirmed their shared commitment to strengthening national cyber resilience and advancing Indonesia’s digital transformation agenda, in line with broader government policy priorities. [5]

Around the same time, BSSN signed a separate MoU with the Ministry of Labour for cooperation in six main areas:

  • sharing and using data and information;
  • strengthening cybersecurity and cryptographic capabilities;
  • using electronic certificates to improve the security of electronic transactions;
  • securing information and communication technology systems;
  • developing and enhancing human resource competencies; and
  • assigning and using personnel to support these initiatives. [6]

Taken together, these two MoUs reflect a broader regulatory and institutional trend in Indonesia towards closer alignment across government agencies on matters of cybersecurity, cryptography, secure digital identity, and the use of certified electronic signatures. This coordination is expected to support government efforts to strengthen trust and security in public sector digital systems.

Global headlines

Media Land LLC jointly sanctioned by the US, Australia, and UK

On 19 November 2025, the United States, Australia, and the United Kingdom announced coordinated sanctions against Media Land LLC, a Russian bulletproof hosting service provider, and its network for their role in supporting ransomware operations. Bulletproof hosting service providers help malicious cyber actors evade detection. They play a role in supporting online ransomware actors such as LockBit, BlackSuit, and Play in targeting businesses in the US and around the world. [7] [8]

Australian Clinical Labs fined A$5.8m by the Federal Court of Australia

On 8 October 2025, the Federal Court of Australia imposed an A$5.8 million penalty on Australian Clinical Labs (ACL) under the Privacy Act, following a data breach that compromised the sensitive information of 223,000 individuals. The incident occurred after ACL’s 2021 acquisition of Medlab Pathology (Medlab), which involved taking over two operating laboratories and associated IT systems. During the six-month post-acquisition integration period, vulnerabilities at Medlab were exploited, leading to a data breach. The court found that ACL had failed to adequately identify, remedy and respond to deficiencies in Medlab’s IT environment, both before and after the acquisition. [9]

Launch of EU Digital Omnibus package

The European Commission has introduced two proposals under its Digital Omnibus package to simplify and modernise EU digital laws, bringing reforms to the GDPR, ePrivacy rules, the Data Act, and cybersecurity incident reporting. The changes include a single-entry point for streamlined incident reporting across frameworks such as NIS2, DORA, and the GDPR, higher thresholds and longer deadlines for breach notifications, a more flexible definition of personal data, and new legal bases for processing sensitive data in AI development.

The proposals also simplify privacy notice obligations, create exemptions for research, expand cookie consent exceptions to reduce fatigue, and consolidate rules on data sharing, trade secrets, and cloud switching. These reforms are designed to reduce the administrative burden for SMEs by up to 35 percent, harmonise compliance across the EU, and provide greater legal certainty while continuing to protect individual rights. [10]

Indonesian cyberattacks and data incidents making the news

Nutrition Fulfilment Service Unit of National Nutrition Agency

On 31 October 2025, the Nutrition Fulfilment Service Unit of Pangauban (Satuan Pelayanan Pemenuhan Gizi or SPPG Pangauban), which prepared approximately 3,500 daily lunch portions for eight schools in the Batujajar area under Indonesia’s free nutritious meals (Makan Bergizi Gratis or MBG) programme, fell victim to a phishing and social‑engineering scam.

According to reports, an individual posing as a bank representative instructed the head of SPPG Pangauban to follow a link to “update” the unit’s account password for security purposes, which they did. The following day, SPPG Pangauban discovered that its account balance had been severely depleted. The substantial financial loss forced the unit to temporarily cease operations, disrupting the delivery of essential nutrition services to local schoolchildren. [11]