The Urgency of Establishing Indonesia’s Data Protection Authority

2 weeks ago | Cyber Security


Jakarta, INTI – It has been two years since Indonesia’s Personal Data Protection Law (PDP Law) was passed in 2022. Yet, the supervisory authority responsible for enforcing the law has not been established. Without this institution, the PDP Law remains a paper tiger—strong in writing, but ineffective in practice.

In an exclusive interview with INTIMedia on May 2, 2025, Rudi Rusdiah, Chairman of the Indonesian Big Data & AI Association (ABDI), emphasized that the presence of this authority is not just important—it is absolutely critical to the enforcement of data protection regulations in Indonesia.

The PDP Authority Is a Pillar of Implementation

The PDP Law, particularly Articles 58 to 60, mandates that a data protection authority must be appointed by the President. This institution must be independent and report directly to the President. According to Rudi Rusdiah, without this body, many provisions in the law become inoperative, especially those related to penalties for data breaches.

For instance, companies that violate the law should face steep fines—up to 2% of their annual revenue, following the EU’s General Data Protection Regulation (GDPR) model. In Europe, this has resulted in multibillion-dollar penalties for companies like Google and Facebook. However, in Indonesia, such enforcement is not possible because there is no authority to impose these fines.

Challenges in Establishing the Authority

Establishing a new institution is never simple. Beyond the need for supporting regulations (such as a Government Regulation or PP), there are suspicions that certain parties are resistant to its formation.

“If the authority is created, penalties can be enforced—and that makes many large corporations nervous,” Rudi said. He also hinted at the possibility of lobbying by specific interest groups to delay the process. This suggests that, beyond technical and bureaucratic issues, political and economic interests may be at play.

The Strategic Role of DPOs and Industry Readiness

The PDP Law not only mandates the creation of an oversight authority, but also requires companies—particularly those handling large-scale data—to appoint a Data Protection Officer (DPO).

A DPO ensures that companies comply with the law and acts as the first responder in the event of a data breach. Companies are required to report incidents within three days—first to the authority (once formed), and also to the individuals affected. Without a functioning authority, however, the reporting mechanism and penalty enforcement remain unclear.

To prepare for this, some organizations are proactively training DPOs. ABDI, for instance, will conduct a training session from June 10 to 12, 2025, in Jakarta, aimed at equipping companies with the personnel necessary to comply with the law once enforcement begins.

Conclusion: Time Is Running Out—The Law Needs an Enforcer

Although the PDP Law has been in effect for two years, its implementation is stalled due to the absence of an enforcement body. Indonesia is falling behind countries like Singapore and EU member states, which already have fully operational data protection authorities.

Without swift action from the government to establish an independent supervisory institution, the personal data of Indonesian citizens remains vulnerable, and companies lack legal clarity. The responsibility now lies with the President: will this long-awaited authority finally be established, or will enforcement of the law remain in limbo?
