Indonesia UU PDP
Indonesia Personal Data Protection Law (UU PDP / Law 27/2022)
Indonesia's comprehensive data protection law. Health and children's data = "specific personal data" with enhanced protections. Criminal penalties up to 6 years imprisonment.
Jurisdiction
Indonesia
ID
Enacted
Oct 17, 2022
Effective
Oct 17, 2024
Enforcement
Ministry of Communication and Informatics (Kominfo)
What It Requires
Who Must Comply
This law applies to:
- • Data controllers/processors in Indonesia
- • Foreign entities processing Indonesian residents' data
Who bears obligations:
Safety Provisions
- • Article 4: Specific personal data includes health and children's data
- • Article 34: DPIA required before processing specific data
- • Article 35: DPO required for large-scale specific data processing
- • Article 57: Rights regarding automated decision-making
- • Article 65: Explicit consent for specific personal data
- • Cross-border transfer restrictions
Enforcement
Enforced by
Ministry of Communication and Informatics (Kominfo)
Penalties
IDR 6.0B + 2% revenue; criminal (up to 6yr)
Administrative: up to 2% revenue. Criminal: up to IDR 6B (~$375K); 4-6 years imprisonment.
Quick Facts
- Binding
- Yes
- Mental Health Focus
- Yes
- Child Safety Focus
- Yes
- Algorithmic Scope
- Yes
Why It Matters
Fourth largest country (~275M). Criminal penalties create personal liability. Health classification applies to mental health AI.
Recent Developments
Full enforcement October 2024. Main implementing Government Regulation (PP) still being finalized.
What You Need to Comply
You need: explicit consent for health/mental health data; DPIA; DPO if large-scale; automated decision mechanisms; cross-border safeguards.
NOPE can helpCite This
APA
Indonesia. (2022). Indonesia Personal Data Protection Law (UU PDP / Law 27/2022). Retrieved from https://nope.net/regs/id-uu-pdp
BibTeX
@misc{id_uu_pdp,
title = {Indonesia Personal Data Protection Law (UU PDP / Law 27/2022)},
author = {Indonesia},
year = {2022},
url = {https://nope.net/regs/id-uu-pdp}
} Related Regulations
Indonesia PP 17/2025
Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.
Brunei PDPO
Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.
India DPDP Act
STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.
Nepal AI Policy
Nepal national AI policy establishing governance framework and development priorities. Creates AI Governance Council (chaired by Minister for Communications and IT), AI Regulation Council, National AI Centre, and AI Regulatory Authority. Six pillars including ethics, human resource development, and sectoral application.
Pakistan AI Policy
Pakistan's national AI roadmap establishing six strategic pillars: AI Innovation Ecosystem, Awareness and Readiness, Research and Development, Infrastructure, Governance, and International Cooperation. Creates National AI Fund (NAIF), Centres of Excellence in 7 cities, and targets training 200,000 individuals annually.
Myanmar Cybersecurity Law
Myanmar's cybersecurity law requiring platforms with 100,000+ users to register and imposing data retention requirements. Enacted post-2021 coup with uncertain enforcement.