Indonesia: Government Regulation Number 17 of 2025 concerning Governance of Electronic System Implementation in Child Protection including data protection regulation entered into force with grace period

On 27 March 2025, the Government of Indonesia Regulation Number 17 of 2025 concerning Governance of Electronic System Implementation in Child Protection entered into force with a grace period. According to Article 49, all relevant parties must adjust their operations to comply with the regulation within two years of its enactment. Under this regulation, Electronic System Operators (ESOs) are mandated to ensure personal data protection for children defined as individuals under 18 years of age. The data protection requirements include the mandatory implementation of a data protection impact assessment prior to the processing of children's personal data, parental or guardian consent as a prerequisite for data collection and usage, and the designation of a data protection officer responsible for safeguarding children’s data. The regulation prohibits profiling and unauthorised geolocation tracking of children and imposes limits on the collection and processing of data solely for age verification purposes. Additionally, ESOs must apply default high-privacy settings and offer children and parents accessible mechanisms for data correction, complaint submission, and objection to age-detection decisions. Risk-based classification of digital products, services, and features is enforced, where high-risk profiles trigger mandatory Ministerial verification and stricter data handling obligations.