Indonesia's Privacy Duties Are Live, the Enforcer Isn't | TLY

AI Regulation Tracker  /  Enforcement gap

Indonesia's Data-Protection Duties Are In Force, But No Enforcement Agency Exists Yet

Indonesia's Personal Data Protection Law has bound companies since the grace period ended in October 2024, yet the independent agency meant to levy administrative fines still has not been created. Companies owe full duties into an enforcement gap.

Indonesia's Data-Protection Duties Are In Force, But No Enforcement Agency Exists Yet regulation briefing
The Leveraged Years AI Regulation Tracker

Indonesia has one of Southeast Asia's most consequential data-protection regimes on the books, and companies have owed its full duties since October 2024. What it does not have is the body meant to enforce them. The independent Personal Data Protection Agency, the Lembaga or Badan Pelindungan Data Pribadi that Law No. 27/2022 anticipates to run administrative sanctions and issue fines, still does not exist. For any firm processing Indonesian personal data, that combination is the story: the obligations are live, the dedicated cop on the beat is not.

Duties in force, enforcer absent

Law No. 27/2022, Indonesia's Personal Data Protection Law, was enacted in October 2022 with a two-year transition. That grace period expired in October 2024, which means the substantive obligations, on lawful basis, security, data-subject rights, and breach handling, are fully binding today. The administrative-sanction machinery that the statute contemplates, however, is designed to sit with an independent agency. Because that agency has not been established, the fines regime it would administer is not operational. The Ministry of Communication and Digital, Komdigi, supervises on an interim basis, but it is a stand-in rather than the purpose-built authority the law describes.

A long road with no finish line yet

The path to establishing the agency is well documented and still incomplete. The president gave a go-ahead on March 4, 2025. An inter-ministerial committee ran from March to September 2025 to work through the design. Harmonization of the draft instrument began in October 2025. Komdigi has publicly targeted 2026 for the agency's formation, a target that, as of this writing, has not been met. The vehicle is a draft Presidential Regulation. Notably, that draft carries no assigned number and no promulgation date, so anyone citing a specific regulation number for the agency is ahead of the official record.

Challenged as an institutional vacuum

The non-formation has not gone unnoticed inside Indonesia. According to reporting tied to the Constitutional Court (Mahkamah Konstitusi) and to Kemenko Polkam, the failure to stand up the independent authority has been framed as an institutional vacuum, a "kekosongan lembaga," and challenged on that basis. The argument is straightforward: the legislature created binding duties and promised an independent enforcer, and the second half of that bargain has not arrived. The timeline and the vacuum framing here are drawn from Kemenko Polkam, Constitutional Court, and Antara reporting rather than from a single official gazette entry.

What it does not mean: no enforcement at all

The absence of the fines agency should not be read as an absence of legal risk. Criminal enforcement of the law's data-misuse provisions is active and does not depend on the administrative agency. Prosecutors and police can pursue the statute's criminal offenses now. So the practical picture is layered: administrative fines from a dedicated regulator are on hold, interim supervision by Komdigi is real, and criminal exposure for misuse of personal data is already in play. A company that treats "no agency" as "no consequences" misreads the situation.

The cross-border angle for US firms

For a US company with operations, customers, or data flows touching Indonesia, the takeaway is concrete. The law reaches organizations that process Indonesian data subjects' information, so the duties apply regardless of where the processing happens. What is uncertain is not whether you are regulated but who will regulate you and how hard. That ambiguity complicates risk assessment: the eventual agency's enforcement priorities, fine calibration, and audit posture are unknown. Prudent firms build to the statute now and avoid betting that the enforcement gap will stay open. When the agency does stand up, it is unlikely to grant a fresh grace period for conduct that has been non-compliant since 2024.

The steadier read is to treat Indonesia as a fully binding jurisdiction with a delayed enforcer. Document lawful basis and consent, keep security and breach processes defensible, and watch for the Presidential Regulation that finally names and empowers the agency.

Frequently Asked Questions

What changed in Indonesia's data-protection law?

Nothing new was enacted here. The point is that the duties under Law No. 27/2022 have been fully in force since the grace period expired in October 2024, while the independent enforcement agency meant to levy fines still has not been created. The gap between live duties and an absent enforcer is the development.

Who does this affect?

Any organization that processes the personal data of Indonesian data subjects, including foreign firms with an Indonesian nexus. Banks, insurers, telecoms, fintech, healthcare providers, and multinational platforms are squarely in scope. The duties apply regardless of where the processing physically occurs.

Can companies be penalized while no agency exists?

Administrative fines from a dedicated data-protection authority are not being levied because that authority has not been established. However, Komdigi supervises on an interim basis, and criminal enforcement of the law's data-misuse provisions is active and independent of the administrative agency, so legal exposure exists now.

When will the agency be established?

There is no confirmed date. The president signaled a go-ahead in March 2025, an inter-ministerial committee worked through mid-2025, and harmonization began in October 2025. Komdigi has targeted 2026, but that target has not yet been met, and the establishing Presidential Regulation carries no number or date at this time.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.