Indonesia UU PDP

Indonesia Personal Data Protection Law (UU PDP / Law 27/2022)

Indonesia's comprehensive data protection law. Health and children's data = "specific personal data" with enhanced protections. Criminal penalties up to 6 years imprisonment.

Jurisdiction

Indonesia

Enacted

Oct 17, 2022

Effective

Oct 17, 2024

Enforcement

Ministry of Communication and Informatics (Kominfo)

BPK Indonesia

Why It Matters

Fourth largest country (~275M). Criminal penalties create personal liability. Health classification applies to mental health AI.

Recent Developments

Full enforcement October 2024. Main implementing Government Regulation (PP) still being finalized.

At a Glance

Requires

Transparency User Rights Data Minimization

Who Must Comply

Data controllers/processors in Indonesia
Foreign entities processing Indonesian residents' data

Obligations fall on:

Safety Provisions

Article 4: Specific personal data includes health and children's data
Article 34: DPIA required before processing specific data
Article 35: DPO required for large-scale specific data processing
Article 57: Rights regarding automated decision-making
Article 65: Explicit consent for specific personal data
Cross-border transfer restrictions

Compliance & Enforcement

Penalties

IDR 6.0B + 2% revenue; criminal (up to 6yr)

Criminal liability

Primary Source

BPK Indonesia

https://peraturan.bpk.go.id/Details/229798/uu-no-27-tahun-2022

View on map

Indonesia

Focus Areas

Mental health & crisis

Child safety

Algorithmic accountability

Active safeguards required

Cite This

APA

Indonesia. (2022). Indonesia Personal Data Protection Law (UU PDP / Law 27/2022).

Related Regulations

In Effect ID

Indonesia PP 17/2025

Indonesia's comprehensive child online protection regulation establishing age-appropriate design requirements for electronic systems accessible to children. Most granular age classification globally (5 groups). Requires risk assessments, privacy-by-default, parental consent, DPIAs, and prohibits data profiling of children. First of its kind in Asia and Global South.

In Effect BN

Brunei PDPO

Brunei's personal data protection order requiring DPIA and imposing penalties up to 10% Brunei turnover or $1M.

In Effect IN

India DPDP Act

STRICTEST children's provisions in APAC. Children = under 18; verifiable parental consent MANDATORY; PROHIBITION on tracking, behavioral monitoring, targeted advertising to children.

In Effect CN

China CSL Amendments

First major revision of China's foundational Cybersecurity Law since 2017. Introduces formal AI governance provisions, significantly increases penalties, and expands extraterritorial application to all cybersecurity violations.

In Effect AU

AU National AI Plan

National AI policy roadmap replacing previously proposed mandatory AI guardrails. Focuses on leveraging existing legal frameworks rather than new mandatory requirements. Establishes the Australian AI Safety Institute (AISI) to monitor, test, and share information on AI risks and harms.

In Effect IN

India AI Governance Guidelines

Voluntary AI governance framework built on seven core principles ('sutras'): Trust, People First, Innovation over Restraint, Fairness & Equity, Accountability, Understandable by Design, and Safety/Resilience/Sustainability. Establishes AI Governance Group, AI Safety Institute, and Technology & Policy Expert Committee.

All regulations Check if this applies to you

Last updated February 17, 2026. Verify against primary sources before relying on this information.