Indonesia: Constitutional Court dismissed petition challenging definition of consent in Personal Data Protection Law

On 2 March 2026, the Constitutional Court of Indonesia rejected the petition for judicial review of Article 20(2)(a) of Law Number 27 of 2022 concerning Personal Data Protection (PDP Law). The petition challenged the phrase "explicit valid consent from the Personal Data Subject" in the PDP Law, on the grounds that the article does not define valid consent, allowing broad interpretation, including the use of click boxes by persons other than the personal data subject. The petitioner had requested the Court to declare the article conditionally unconstitutional unless interpreted to require, for high-risk personal data processing through an electronic system, consent given by means of an Electronic Signature secured by an Electronic Certificate. The Court found that Article 20(2)(a) of the PDP Law does not conflict with Article 28D paragraph (1) or Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia. The Court held that valid consent under the PDP Law requires the personal data controller to first provide the personal data subject with information on the legality and purpose of processing, the type and relevance of data, the retention period, details of information collected, the processing period, and the rights of the personal data subject. Valid consent must be provided in written or recorded form and may be conveyed electronically or non-electronically. If information changes, the personal data controller must notify the personal data subject prior to making those changes. Any agreement containing a request for processing of personal data that does not include explicit, valid consent from the personal data subject is null and void by law.