Indonesia: Personal Data Protection Law Update: Court Clarifies Data Protection Officer (DPO) Requirements and Reviews Cross-Border Transfer and Criminal Provisions

Indonesia’s data protection landscape is entering a period of significant reinterpretation. A recent ruling by the Constitutional Court has reshaped the understanding of when companies/organizations (as a controller or a processor) must appoint a Data Protection Officer (DPO), and several new constitutional petitions signal broader changes ahead.

#Cross Border Practice

Indonesia: Personal Data Protection Law Update: Court Clarifies Data Protection Officer (DPO) Requirements and Reviews Cross-Border Transfer and Criminal Provisions

CROSS-BORDER-PRACTICE

PROFILE

Attorney-at-law admitted in Indonesia

Fiesta Victoria

Profile

All

Fiesta Victoria is an Indonesian qualified lawyer with over 16 years of experience in M&A and general corporate. She graduated from the University of Pelita Harapan in 2006 and started her career as a lawyer in the same year at one of the largest and oldest law firms in Indonesia. She joined ZeLo in 2019 with the primary role of establishing and developing ZeLo’s Indonesian practice group. She won the title of "Business Development Lawyer of the Year" at the ALB Women in Law Awards 2021. Additionally, she was nominated as one of the top 5 finalists for "Foreign Lawyer of the Year" at the ALB Japan Law Awards 2023, following a nomination in the same category at the ALB Japan Law Awards 2022.

A shift in how the DPO requirement is understood
Why the Court stepped in
Two new challenges that may reshape the PDP Law further
- Cross-border data transfers
- Criminal liability for data disclosure
What this means for businesses/organizations

A shift in how the DPO requirement is understood

For some time, there has been uncertainty surrounding Article 53(1) of the PDP Law[1], which sets out three high-risk scenarios in which a Personal Data Controller or Processor is required to appoint a DPO if it:

processes personal data for public services;
conducts core activities that require regular and systematic large-scale monitoring of personal data; and
carries out core activities involving large-scale processing of specific/sensitive or crime-related personal data.

Because the law uses “and,” many assumed that all three criteria had to be met before a DPO was required, which greatly limited the situations in which the rule applied.
The Court has clarified that this is not the intended meaning.[2]

The Court held that each condition triggers the DPO obligation on its own. This means that processing public-interest data, conducting large-scale monitoring, or handling sensitive data—individually—is enough to require a DPO. The text must therefore be read as “and/or.”

Why the Court stepped in

The case originated from a petition arguing that the narrow interpretation weakened personal data protection and conflicted with the constitutional right to personal security. The Court agreed, highlighting that high-risk processing should not escape oversight simply because an organization does not meet all three conditions at once.

Two new challenges that may reshape the PDP Law further

Cross-border data transfers

A 2025 petition argues that the current mechanism gives data controllers too much freedom to determine whether foreign jurisdictions (such as the US) offer adequate protection. The petition seeks stronger democratic oversight—such as requiring parliamentary ratification of adequacy decisions—and clearer consent rules for transfers to non-adequate countries.[3]

Criminal liability for data disclosure

On 30 July 2025, the civil society coalition “SIKAP” filed a petition challenging the PDP Law’s criminal provisions on unlawful disclosure of personal data.

The petitioners argue that Articles 65(2) and 67(2) of the PDP law, particularly the term “unlawful” are too vague, creating legal uncertainty and potentially criminalizing legitimate activities such as investigative journalism, academic research, artistic expression, and public-interest advocacy. They request a definition or conditional interpretation that would exempt good-faith disclosures made in the context of constitutionally protected expression.

This case underscores the tension between data privacy enforcement and civil liberties in Indonesia. The Court’s decision may clarify how to balance privacy rights with freedom of expression and the public’s right to information.[4]

What this means for businesses/organizations

The immediate and most concrete shift is the lowered threshold for appointing a DPO:
many businesses/organizations previously considered exempt may now fall within the mandatory category. Businesses should reassess the nature of their data processing, review internal governance, and monitor ongoing court developments that may impact cross-border data flows and criminal exposure.

At ZeLo, we provide legal services to support Japanese companies expanding overseas, including to Indonesia, as well as foreign companies entering the Japanese market.

Please let us know if you have further questions or may need assistance on this matter. For further information on the above, about our firm or any other matters, please contact through the form (https://zelojapan.com/en/contact).

[1] Undang-Undang Republik Indonesia Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi / Law of the Republic of Indonesia Number 27 of 2022 on Personal Data Protection (“PDP Law”).

[2] Judgment for Case No. 151/PUU-XXII/2024 – source available at https://www.mkri.id .

[3] Case Number 137/PUU-XXIII/2025 – source:https://tracking.mkri.id/index.php?page=web.TrackPerkara&id=137/PUU-XXIII/2025 .

[4] Case Number 135/PUU-XXIII/2025 - source: https://tracking.mkri.id/index.php?page=web.TrackPerkara&id=135%2FPUU-XXIII%2F2025 .

The information provided in this article does not, and is not intended to, constitute legal advice and is for general informational purposes only. Readers of this article should contact an attorney to obtain advice with respect to any particular legal matter.