Indonesia: Personal Data Protection Law Update: Court Clarifies Data Protection Officer (DPO) Requirements and Reviews Cross-Border Transfer and Criminal Provisions

A shift in how the DPO requirement is understood

For some time, there has been uncertainty surrounding Article 53(1) of the PDP Law[1], which sets out three high-risk scenarios in which a Personal Data Controller or Processor is required to appoint a DPO if it:

• processes personal data for public services;
• conducts core activities that require regular and systematic large-scale monitoring of personal data; and
• carries out core activities involving large-scale processing of specific/sensitive or crime-related personal data.

Because the law uses “and,” many assumed that all three criteria had to be met before a DPO was required, which greatly limited the situations in which the rule applied.
The Court has clarified that this is not the intended meaning.[2]

The Court held that each condition triggers the DPO obligation on its own. This means that processing public-interest data, conducting large-scale monitoring, or handling sensitive data—individually—is enough to require a DPO. The text must therefore be read as “and/or.”

Why the Court stepped in

The case originated from a petition arguing that the narrow interpretation weakened personal data protection and conflicted with the constitutional right to personal security. The Court agreed, highlighting that high-risk processing should not escape oversight simply because an organization does not meet all three conditions at once.

Two new challenges that may reshape the PDP Law further

Cross-border data transfers

A 2025 petition argues that the current mechanism gives data controllers too much freedom to determine whether foreign jurisdictions (such as the US) offer adequate protection. The petition seeks stronger democratic oversight—such as requiring parliamentary ratification of adequacy decisions—and clearer consent rules for transfers to non-adequate countries.[3]

Criminal liability for data disclosure

On 30 July 2025, the civil society coalition “SIKAP” filed a petition challenging the PDP Law’s criminal provisions on unlawful disclosure of personal data.

The petitioners argue that Articles 65(2) and 67(2) of the PDP law, particularly the term “unlawful” are too vague, creating legal uncertainty and potentially criminalizing legitimate activities such as investigative journalism, academic research, artistic expression, and public-interest advocacy. They request a definition or conditional interpretation that would exempt good-faith disclosures made in the context of constitutionally protected expression.

This case underscores the tension between data privacy enforcement and civil liberties in Indonesia. The Court’s decision may clarify how to balance privacy rights with freedom of expression and the public’s right to information.[4]

What this means for businesses/organizations

The immediate and most concrete shift is the lowered threshold for appointing a DPO:
many businesses/organizations previously considered exempt may now fall within the mandatory category. Businesses should reassess the nature of their data processing, review internal governance, and monitor ongoing court developments that may impact cross-border data flows and criminal exposure.

At ZeLo, we provide legal services to support Japanese companies expanding overseas, including to Indonesia, as well as foreign companies entering the Japanese market.

Please let us know if you have further questions or may need assistance on this matter. For further information on the above, about our firm or any other matters, please contact through the form (https://zelojapan.com/en/contact).

---

[1] Undang-Undang Republik Indonesia Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi / Law of the Republic of Indonesia Number 27 of 2022 on Personal Data Protection (“PDP Law”).

[2]  Judgment for Case No. 151/PUU-XXII/2024 – source available at https://www.mkri.id .

[3] Case Number 137/PUU-XXIII/2025 – source:https://tracking.mkri.id/index.php?page=web.TrackPerkara&id=137/PUU-XXIII/2025 .

[4] Case Number 135/PUU-XXIII/2025 - source: https://tracking.mkri.id/index.php?page=web.TrackPerkara&id=135%2FPUU-XXIII%2F2025 .

---

The information provided in this article does not, and is not intended to, constitute legal advice and is for general informational purposes only. Readers of this article should contact an attorney to obtain advice with respect to any particular legal matter.