Policy Briefing — Indonesia Personal Data Protection Law Enacted
Indonesia promulgated its first comprehensive Personal Data Protection Law, introducing consent requirements, sanctions, and a supervisory authority.
Indonesia’s Personal Data Protection Law (Law No. 27 of 2022) was promulgated on 17 Oct 2022, creating a GDPR-style framework covering data controllers, processors, and government agencies.
- 17 Oct 2022 — Law enacted. The statute establishes lawful bases, data minimisation, and cross-border transfer approvals overseen by the government.
- 2022 — Enforcement architecture. The law mandates creation of an independent supervisory authority with powers to impose administrative fines up to 2% of annual income and suspend processing.
- Two-year transition. Organisations receive a 24-month grace period to align governance, breach notification, and data subject rights procedures with the new law.
Zeph Tech is mapping Indonesia PDP requirements to global privacy programmes, including consent design, localisation, and enforcement escalation plans.