Indonesia’s PDP Law Update: Broader DPO Mandate Confirmed, Further Clarity Expected on Data Disclosure and Cross-Border Transfers

As discussed in our previous client alerts (available here), Law No. 27 of 2022 on Personal Data Protection ("PDP Law") has raised questions about when data controllers must appoint a Data Protection Officer ("DPO") or Pejabat/Petugas Pelindungan Data Pribadi (in Bahasa Indonesia).
The PDP Law sets out three conditions under which a DPO must be appointed:
- The processing of personal data is for the public interest.
- The nature and scope of the data processing requires regular and systematic monitoring.
- The processing involves large-scale sensitive or specific types of personal data.
Until now, it was unclear whether all three conditions must be met simultaneously. Although implementing regulations have yet to be issued, the Indonesian Constitutional Court has clarified that meeting any one of these conditions is sufficient to trigger the mandatory appointment of a DPO.
We explain this clarification in more detail below.
Background
In September 2024, two individuals petitioned the Constitutional Court to review the constitutionality of Article 53(1) of the PDP Law.[1]
This article outlines three conditions under which organisations must appoint a DPO:
- They process personal data for public services (e.g., government agencies);
- They carry out a large-scale regular and systematic monitoring of data subjects as part of their core activities (e.g., online behaviour tracking); and
- They process large volume of sensitive personal data or data related to criminal convictions and offenses.
The PDP Law uses the conjunction "and" to connect these three conditions. As such, under a strict reading, it means that all three conditions must be met for the DPO requirement to apply.
The petitioners argued that this interpretation is too narrow. For example, an organisation handling large volumes of sensitive data might not be required to appoint a DPO if it does not meet the other two conditions. They claimed that this gap undermines data protection and violates the constitutional right to personal security under Article 28G(1) of the 1945 Constitution.
To address this, they asked the Court to interpret the provision using "or" instead of "and", so that meeting any one of the conditions would trigger the DPO requirement.
Court's Finding and Judgment
The Court confirmed its authority to hear the case and recognised the petitioners' legal standing. It acknowledged that personal data protection is inseparable from the constitutional right to personal security under Article 28G(1) of the 1945 Constitution. It also emphasised that high-risk data processing requires enhanced safeguards, including oversight through the appointment of a DPO.
While "and" typically implies a cumulative requirement, the Court found that this did not reflect the original legislative intent behind Article 53(1). Both the government and the House of Representatives (Dewan Perwakilan Rakyat or "DPR") clarified that the law was meant to require a DPO if any one of the listed conditions is met.
The Court agreed that the current wording could cause confusion and weaken data protection. It ruled that the use of "and" in Article 53(1)(b) is conditionally unconstitutional and should be interpreted as "and/or". This means a DPO must be appointed if any one, any two, or all three conditions apply.
Upcoming Judgments
Further legal developments are underway, with two new constitutional petitions that may impact the interpretation of the PDP Law.
-
Cross-border data transfers – governed under Articles 56(1) and (4) of the PDP Law
Filed on 29 July 2025, this petition challenges the current framework for cross-border personal data transfers under the PDP Law.[2] The petition coincides with Indonesia's agreement with the United States to establish a framework for negotiating a reciprocal trade agreement. As part of this framework, Indonesia has committed to providing legal certainty around the transfer of personal data of Indonesian residents to the U.S., including recognising the U.S. as a jurisdiction with adequate data protection.[3]
The applicant argues that, under a strict reading, the PDP Law currently allows data controllers to determine adequacy without parliamentary oversight. They claim that this undermines democratic accountability and could expose personal data to misuse. To address this, the petition seeks a conditional interpretation requiring that:
- Transfers to jurisdictions such as the U.S. be based on an international agreement ratified by the DPR; and
- Transfers to countries not deemed adequate be subject to explicit, informed consent from data subjects.
At the time of writing, the Court's decision is still pending. Its ruling may significantly affect the future legal framework for cross-border data flows in Indonesia.
-
Criminal liability for data disclosure – governed under Articles 65(2) and 67(2) of the PDP Law
On 30 July 2025, a coalition of civil society organisations and individuals operating under the name "SIKAP" filed a constitutional petition challenging the criminal provisions of the PDP Law related to unlawful disclosure of personal data.[4]
The applicants argue that Articles 65(2) and 67(2) lack clear definitions of what constitutes "unlawful" disclosure. This ambiguity creates legal uncertainty and risks criminalising constitutionally protected activities such as investigative journalism, academic research, artistic expression, and public interest advocacy.
To address this concern, the applicants seek a conditional interpretation that excludes legitimate, good-faith disclosures made in the context of constitutionally protected expression from criminal liability. They argue that the current wording disproportionately threatens freedom of expression and the public's right to information, both of which are protected under the 1945 Constitution.
This case highlights the growing tensions between data privacy enforcement and civil liberties in the digital age. The Court's forthcoming decision may provide important guidance on how to balance the right to privacy with freedom of expression and access to information in Indonesia.
Implications for Clients
The Constitutional Court's decision provides critical clarity on the scope of the DPO appointment obligation under Article 53(1) of the PDP Law. By confirming that organisations must appoint a DPO when any one of the listed high-risk criteria is met, the ruling broadens the compliance threshold and may affect entities previously considered exempt under the narrow interpretation.
For clients, this means that it is now essential to:
- Reassess internal data processing activities to determine whether they meet any of the clarified criteria;
- Review governance structures and ensure readiness to designate a DPO where required; and
- Monitor developments around implementing regulations, which may further define operational requirements.
In addition, two pending constitutional petitions concerning cross-border data transfers and the criminalisation of data disclosure could introduce further changes to Indonesia's data protection framework. These cases may impact how organisations manage international data flows and balance privacy obligations with freedom of expression.
We recommend that clients stay informed and proactively evaluate their data protection strategies in light of these evolving legal interpretations.
[1] Case No. 151/PUU-XXII/2024. Judgment date: 30 July 2025, available at https://www.mkri.id
[2] Petition No. 135/PUU/PAN.MK/AP3/07/2025, available at www.mkri.id.
[3] The White House. (2025, 22 July). Joint statement on framework for United States‑Indonesia agreement on reciprocal trade. Briefings & Statements. Retrieved 4 August 2025 from https://www.whitehouse.gov/briefings-statements/2025/07/joint-statement-on-framework-for-united-states-indonesia-agreement-on-reciprocal-trade/; The White House. (2025, 22 July). Fact sheet: The United States and Indonesia reach historic trade deal. Fact Sheets. Retrieved 4 August 2025, from https://www.whitehouse.gov/fact‑sheets/2025/07/fact‑sheet‑the‑united‑states‑and‑indonesia‑reach‑historic‑trade‑deal/
[4] Petition No. 138/PUU/PAN.MK/AP3/07/2025, available at www.mkri.id.
Have any Question please contact
TECHNOLOGY, MEDIA & TELECOMMUNICATIONS
Contribution Note
This Legal Update is contributed by the Contact Partners listed above, with the assistance of Daniar Supriyadi (Associate, Assegaf Hamzah & Partners).