A close-up of Indonesia’s regulatory approach to data governance, content moderation, competition and more.
This is the twentieth issue of the “DPA Digital Digest” series based on the Digital Policy Alert database. This series provides concise summaries of each G20 nation’s recent policy changes in data governance, content moderation, competition and further domestic focal points.
Tommaso Giardini, Nils Deeg, Jens Neese
16 Aug 2023
Indonesia is one of the world’s biggest and fastest-growing internet markets. Google, Temasek and Bain estimate that the value of Indonesia’s digital economy grew from USD 41 billion in 2019 to USD 77 billion in 2022 and will reach USD 130 billion by 2025. In 2021, Indonesia accounted for approx. 42 per cent of ASEAN’s digital economy, according to ERIA. Indonesia boasts the third-largest number of Facebook users and features in the top ten countries in terms of YouTube, TikTok, Twitter, Instagram, and WhatsApp user numbers.
But what do Indonesia’s domestic digital policies stand for? The twentieth DPA Digital Digest provides a succinct overview of the latest policy and enforcement developments in major policy areas and country-specific points of emphasis.
In data governance, Indonesia adopted a comprehensive data protection law, including a new data transfer regime, and focused its enforcement action on cybersecurity.
In content moderation, Indonesia amended its Criminal Code to codify cyber offences and established a strict content moderation regime, which led to several blockings.
In competition policy, Indonesia adopted rules on market definition and mergers, enforced unilateral conduct in digital markets and approved mergers of local platforms.
Indonesia’s points of emphasis include registration requirements, customs duties on electronic transmissions and the taxation of the digital economy
Jump directly to the section that interests you most:
Discover the details of Indonesia's regulatory approach on our dedicated country page.
Remain up-to-date on new and upcoming developments with our free notification service.
Written by Tommaso Giardini, Nils Deeg and Jens Neese. Edited by Johannes Fritz.
In October 2024, Indonesia’s comprehensive Personal Data Protection Bill enters into force, replacing a patchwork of data governance rules. The Bill establishes data subject rights, including access, rectification and deletion, as well as principles and obligations for data processing. Controllers must have a legal basis for data processing, e.g. consent and contractual necessity, implement preventive, detective, and responsive cybersecurity measures, and report data breaches to authorities within 72 hours. The Bill differentiates between general and “specific” personal data, including biometric, genetic, economic and children’s data. The Bill defines high-risk data processing activities, including automatic decision-making, and large-scale data processing, for which it requires data protection impact assessments. Controllers whose core activities involve regular and systemic large-scale data monitoring or large-scale processing of specific personal data must nominate data protection officers. Administrative fines for breaches of data protection rules can reach 2 per cent of annual revenue. In addition, the Bill establishes criminal liability for intentionally unlawfully obtaining, disclosing or falsifying personal data, with maximum punishments of up to six years of prison or fines of IDR 6 billion (approx. USD 392 million). The government is currently deliberating implementing regulations, having won several legal challenges regarding the law’s applicability to small businesses and exemptions for national security and defence purposes.
Until the Personal Data Protection Bill enters into force, several obligations enshrined in various policies apply. The 2008 Law Regarding Electronic Information and Transactions (ITE Law) established cybersecurity requirements, required consent for data use and demanded the deletion of electronic information that is no longer relevant. Additional requirements apply to “Electronic System Operators” (ESOs), i.e. entities providing, managing, or operating electronic systems for use by others. Regulation 20/2016 set out personal data protection principles for ESOs, including, the prerequisite of individual consent for data collection, processing, and dissemination. Regulation 71/2019 further enshrined the consent principle, detailed requirements regarding the deletion of information, and set out obligations regarding the integrity and privacy of electronic information. In addition, the mandatory registration requirement (see below) requires ESOs to provide details on the types of data they process and their data protection practices. Further sectoral data governance rules apply to e-commerce providers, which must retain certain types of data but also provide users with a right to deletion.
Indonesia mandates sectoral data localisation. Public ESOs must store data within the country. The requirement for private ESOs was loosened, though they must remain subject to supervision by Indonesian authorities and grant data access, for which they must nominate a local representative. Other sectoral data localisation obligations apply to the banking sector and providers of electronic certification and digital signatures, while e-commerce providers must obtain authorisation from the Ministry of Trade for data transfers.
Indonesia currently requires data transferors to coordinate with the Ministry of Communications and Informatics (Kominfo) before and after transfers. Transferors must submit an implementation plan and report, specifying the purpose and result of the transfer, respectively. Once implemented, the Personal Data Protection Bill will allow data transfers if (1) the recipient country has an equivalent or higher level of data protection (though no whitelist was issued to date), (2) the transferor enters into a binding contract with the recipient stipulating adequate levels of protection, or (3) the data subject consents to the transfers. Implementing regulations will provide details on these mechanisms.
Currently, Kominfo is responsible for the supervision and enforcement of data protection rules and can impose administrative sanctions, including warnings, fines, suspensions, blockings and deregistrations. In 2022, Kominfo consulted on regulations concerning sanctioning procedures. The Personal Data Protection Bill foresees the establishment of a data protection authority for which implementing regulations are reportedly being drafted. The authority will formulate secondary legislation, carry out investigations and impose sanctions.
In view of several prominent cyberattacks in Indonesia, Kominfo’s enforcement focuses on cybersecurity. In November 2022, Kominfo announced five cybersecurity investigations. Previously, Kominfo investigated a range of data breaches concerning power and telecommunications providers, a recruitment website, a life insurance company, a financial services platform and an e-commerce platform. Beyond cybersecurity, Kominfo issued a warning regarding data misuse, announced a cooperation to investigate the misuse of minors’ personal data, and requested that WhatsApp and Facebook update and clarify their privacy policies to improve compliance with data protection rules.
In January 2023, Indonesia promulgated a new Criminal Code, effective in January 2026, which codifies offences committed by means of information technology. Offences include insults against government figures and institutions, incitations of violence and hate crimes, and the spreading of unlawfully recorded images. In February 2023, Kominfo announced amendments to other policies to harmonise the regulation of cybercrimes, e.g. defamation and hate speech.
Content moderation obligations are enshrined in several policies. The 2008 Law Regarding Electronic Information and Transactions (ITE Law) prohibits the transmission, distribution, and enabling of access to prohibited content, e.g. content that is amoral, defaming, threatening, or inciting hatred. Since 2016, the government can prevent the dissemination of prohibited content through blockings. Kominfo can block content and users to prevent the dissemination of prohibited content, following requests by enforcement agencies or the public.
Electronic System Operators (ESOs) are responsible for ensuring that their systems do not contain or facilitate the distribution of prohibited content and must comply with blocking orders. Private ESOs must respond to takedown requests within 24 hours, or 4 hours in urgent cases involving terrorism-related content or child pornography. In addition, private ESOs hosting user-generated content must implement content management and complaint mechanisms. Failure to comply can result in (repeated) administrative fines and blockings. Finally, e-commerce providers must remove illegal content and prioritise and promote local products.
Kominfo actively blocks content and user accounts, though enforcement action is not always documented by public, official sources. Kominfo has recently pursued blockings regarding content on gambling, COVID-19 misinformation, blasphemy, pornography and prostitution. Furthermore, non-official sources reported blockings related to intellectual property violations, as well as Twitter’s rebranding to X.com.
Indonesia’s competition policy builds on the 1999 Law on the Prohibition of Monopolistic Practices and Unfair Business Competition, which introduced rules regarding abuse of dominance, anti-competitive agreements and mergers. In January 2023, the Indonesian Competition Commission (KPPU) updated its criteria to identify relevant markets to consider characteristics of the digital economy, e.g. multi-sided markets. Previously, the KPPU published a study on market structures in the digital and platform economy.
In March 2023, the KPPU adopted new merger notification rules, updating merger notification processes and changing the criteria for calculating assets (to only include Indonesian assets). In February 2021, a regulation specified the KPPU’s enforcement powers, including functions, procedures and conditions for sanctions and appeals, as well as penalty amounts.
The KPPU enforces both unilateral conduct and merger rules in digital markets. In September 2022, the KPPU launched an investigation into Google for imposing its payment system on third-party app developers and charging 15-30% service fees on in-app purchases. The investigation will determine whether Google engaged in abuse of dominance, conditional sales (tying) and discriminatory practices. In April 2021, the KPPU ruled in favour of two telecommunications providers that blocked access to Netflix. The KPPPU found that there was no violation of competition rules because the telecommunications providers acted to avoid liability for content moderation rules and Netflix did not prove losses.
Regarding mergers, in March 2022, the KPPU approved the merger of two of Indonesia’s largest digital platforms, Tokopedia and Gojek, after concluding that the merger would not have significant negative effects on competition in the market. In 2019, KPPU also approved the acquisition of PT Globalnet Sejahtera by PT Global Digital Niaga, two e-commerce companies.
Indonesia requires Electronic System Operators (ESOs) to register with Kominfo before providing services to users, including private ESOs based in other countries with business activities in Indonesia. Private ESOs must provide a basic description of their system, security measures and the data types they process, and guarantee cooperation with authorities. Foreign private ESOs must further notify the number of users and transaction values originating from Indonesia. Kominfo issues certifications upon proper registration and maintains a list of registered ESOs.
The registration requirement is rigorously enforced and has resulted in several blockings. The registration deadline, originally set to 10 October 2020, was extended several times, until 20 July 2022. Shortly before the deadline, Kominfo issued warnings to several large digital service providers, including Google, Instagram, TikTok, WhatsApp, Netflix, and Facebook. After the deadline passed, Kominfo started to issue blockings, targeting Origin, Epic Games, Paypal, Yahoo Search and Valve. Kominfo later unblocked several ESOs following their registration.
Indonesia does not currently impose customs duties on electronic transmissions but has enacted policies that would enable the imposition of such duties. Indonesia subjects intangible goods to customs procedures and, in 2006, clarified that imports and exports by electronic means are covered by its customs regime. In March 2018, Indonesia specified the types of intangible goods covered by its customs regime by expanding its import tariffs book with a chapter on software and other digital goods (still not imposing a specific duty thereon). In January 2023, Indonesia implemented an import declaration procedure for software and other digital goods, requiring an import declaration within 30 days of payment, without levying a duty.
In March 2020, Indonesia adopted a regulation requiring foreign e-commerce providers providing intangible goods and services within Indonesia to pay Value-Added Tax (VAT). Subsequently, the Minister of Finance specified the scope of the VAT duty, defining the specific goods covered and the obligations of foreign e-commerce providers. Notably, e-commerce providers are subject to the VAT if their annual revenue exceeds IDR 600 million (approx. USD 40’000) or their annual Indonesian user base exceeds 12,000. In March 2022, the government announced that it had designated 103 companies as subject to the VAT. A regulation adopted in April 2022 specified the tax rate to be 11 per cent and provided details on reporting duties.