Indonesia PDPL AI Compliance: Automated Decisions, KOMDIGI Enforcement, and Cross-Border Transfer Rules
Indonesia's Personal Data Protection Law (UU PDP, Law No. 27 of 2022) came into full enforcement on October 17, 2024, after a 2-year transition period. It is Indonesia's first comprehensive data privacy law, replacing over 30 fragmented sector regulations. For AI teams, the critical provisions are Article 22 (automated decision rights — data subjects may request explanation and human review of AI decisions with significant effects), Article 56 (cross-border transfers — DPAs required for overseas AI API calls to OpenAI, Anthropic, Google), Article 53 (DPO appointment mandatory for large-scale AI profiling), and Article 46 (14-day breach notification). KOMDIGI (Ministry of Communication and Digital Technology) is the enforcement authority. Penalties: criminal fines up to IDR 6 billion (~$370K USD) and imprisonment up to 6 years for the most serious violations. UU PDP has extraterritorial reach — any organization processing personal data of Indonesian residents is subject to the law. Indonesia's 270+ million population and fast-growing digital economy make PDPL compliance essential for any AI platform with APAC users.
UU PDP Key Structure: What AI Teams Must Know
UU PDP (Undang-Undang Perlindungan Data Pribadi) is organized around familiar GDPR-inspired principles: lawful basis, purpose limitation, data minimization, accuracy, storage limitation, security, and accountability. Article 4 defines two categories of personal data: general personal data (name, email, phone, address, date of birth, demographic information) and specific personal data (health/medical data, biometric data, genetic data, crime records, child data, personal financial data, other sensitive categories). Specific personal data requires explicit consent and receives heightened protection — AI systems processing health, biometric, or financial data of Indonesian users must obtain explicit consent separately from general terms. The law covers both controllers (organizations deciding purposes and means of processing) and processors (organizations processing on behalf of controllers). Cloud AI providers and API services acting on customer instructions are processors; the organization deploying the AI is the controller and bears primary compliance responsibility. Extraterritorial reach: Article 2 UU PDP applies to any processing of personal data of Indonesian residents, regardless of where the processing organization is located. Non-Indonesian AI companies serving Indonesian users are fully bound.
Article 22: Automated Decision Rights — The AI Compliance Core
Article 22 UU PDP establishes that data subjects have the right to obtain an explanation about automated decisions that affect them and to request human review of such decisions. This applies to any AI or algorithmic system that: processes personal data of Indonesian residents; makes or significantly contributes to decisions; and produces outcomes with significant effects on those individuals — employment, credit, insurance, healthcare, housing, law enforcement, or access to services. Implementation requirements: (1) Decision documentation — every significant AI decision must be logged with the inputs processed, model or logic version, decision output, and confidence/rationale metadata; (2) Explanation capability — the organization must be able to generate a meaningful explanation of why the AI reached its decision, at a level understandable to the data subject, not only to technical staff; (3) Human review pathway — a workflow must exist for data subjects to request human review; the human reviewer must have access to the decision record and authority to override the AI outcome; (4) Response time — UU PDP does not specify a deadline for Art. 22 responses, but KOMDIGI guidance indicates "without undue delay" consistent with other data subject rights (typically 14-30 days); (5) Training staff — human reviewers must understand the AI system they are reviewing to provide substantive, not rubber-stamp, oversight.
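As an added illustration of requirements (1) through (3), written for this section and not taken from the law or the article: a Python decision record that stores hashed inputs, model version, output and a plain-language rationale, exposes an explanation for the data subject, and lets a human reviewer override the outcome without erasing the AI's original output. The hypothetical credit-scoring model, the field names and the three-factor rationale format are assumptions.

```python
"""Article 22 decision record with explanation and human-review override (added illustration;
the field names and the hypothetical scoring model are assumptions, not from the law)."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import json
from typing import Optional


@dataclass
class DecisionRecord:
    decision_id: str
    model_version: str
    input_digest: str   # SHA-256 of the inputs; raw PII stays in the controller's own store
    output: str
    confidence: float
    rationale: list
    created_at: str
    human_review: Optional[dict] = None   # set only when a human reviewer has acted


def record_decision(decision_id, model_version, inputs, score, contributions, threshold=0.5):
    """Log a significant automated decision: hashed inputs, model version, output, rationale."""
    digest = hashlib.sha256(json.dumps(inputs, sort_keys=True).encode()).hexdigest()
    # Rationale: the three factors with the largest absolute contribution, in plain language.
    top = sorted(contributions.items(), key=lambda kv: abs(kv[1]), reverse=True)[:3]
    rationale = [f"{k} {'raised' if v > 0 else 'lowered'} the score by {abs(v):.2f}"
                 for k, v in top]
    output = "approved" if score >= threshold else "declined"
    return DecisionRecord(decision_id, model_version, digest, output, round(score, 3),
                          rationale, datetime.now(timezone.utc).isoformat())


def explain(rec):
    """Data-subject-facing explanation built from the record, not from model internals."""
    return f"Outcome: {rec.output} (model {rec.model_version}). Main factors: " + "; ".join(rec.rationale)


def apply_human_review(rec, reviewer, outcome, note):
    """A reviewer with override authority records a decision; the AI output is never overwritten."""
    rec.human_review = {"reviewer": reviewer, "outcome": outcome, "note": note,
                        "reviewed_at": datetime.now(timezone.utc).isoformat()}
    return rec


def effective_outcome(rec):
    """The outcome that binds the data subject: the human decision if reviewed, else the AI output."""
    return rec.human_review["outcome"] if rec.human_review else rec.output
```

Keeping both the AI output and the reviewer's outcome in one record is what lets an auditor later show that review was substantive rather than a rubber stamp.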
Article 56: Cross-Border AI Data Transfers
Article 56 creates a significant operational requirement for AI teams using overseas AI API providers. Any transfer of personal data of Indonesian residents to a foreign country must be justified by one of: (1) adequacy — the destination country must be assessed by KOMDIGI as providing equivalent protection; (2) appropriate safeguards — standard contractual clauses, binding corporate rules, or equivalent binding instruments; (3) government-to-government cooperation agreements. KOMDIGI has not yet published a formal adequacy list (as of May 2026), but implementing regulations are in development. For AI teams in practice: every call to OpenAI, Anthropic, Google Cloud, AWS, or any overseas AI API that includes Indonesian personal data in the payload is a cross-border transfer. Required steps: (a) Execute a Data Processing Agreement (DPA) with each overseas AI provider — review their standard DPA for PDPL-alignment (adequacy, security, breach notification, data subject request support); (b) Document the legal basis for each transfer type; (c) Log API calls with data residency metadata to demonstrate compliance in a KOMDIGI audit; (d) Implement data minimization — strip unnecessary personal identifiers from inference inputs before they leave Indonesian jurisdiction; (e) Notify KOMDIGI when initiating large-scale overseas transfer programs. Transfers for AI training data are treated the same as inference transfers — training datasets sent overseas require the same justification.
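The minimization step (d) and the residency log (c) above, as an added Python example written for this section (not the article's code and not any provider's SDK). The identifier field list, the Indonesian mobile-number pattern, the legal-basis labels and the record fields are assumptions.

```python
"""Article 56 pre-transfer minimization and transfer logging (added illustration; the
identifier list, phone pattern and record fields are assumptions, not the law's text)."""
import hashlib
import json
import re
from datetime import datetime, timezone

# Structured fields treated as direct identifiers not needed for inference (assumed policy list).
DIRECT_IDENTIFIERS = {"name", "email", "phone", "address", "national_id"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"(?:\+62|0)8\d{7,11}")   # Indonesian mobile numbers (assumed pattern)


def minimize_payload(payload):
    """Drop identifier fields and redact contact data inside free text before data leaves Indonesia.
    Returns the reduced payload and a list of what was removed, for the transfer log."""
    minimized, removed = {}, []
    for key, value in payload.items():
        if key in DIRECT_IDENTIFIERS:
            removed.append(key)
            continue
        if isinstance(value, str):
            redacted = PHONE_RE.sub("[PHONE]", EMAIL_RE.sub("[EMAIL]", value))
            if redacted != value:
                removed.append(f"{key}:free_text")
            value = redacted
        minimized[key] = value
    return minimized, removed


def transfer_record(provider, destination_region, legal_basis, dpa_reference, payload):
    """Build the data-residency log entry for one overseas API call; the payload itself is
    stored only as a digest so the log does not become a second copy of the personal data."""
    minimized, removed = minimize_payload(payload)
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "provider": provider,
        "destination_region": destination_region,
        "legal_basis": legal_basis,            # adequacy | safeguards | g2g_agreement (assumed labels)
        "dpa_reference": dpa_reference,
        "fields_removed": removed,
        "payload_digest": hashlib.sha256(json.dumps(minimized, sort_keys=True).encode()).hexdigest(),
        "direct_identifiers_present": bool(DIRECT_IDENTIFIERS & set(minimized)),
    }
    return entry, minimized
```

Call `transfer_record` immediately before the outbound API request and send only the returned `minimized` payload; the `entry` is what a KOMDIGI audit would ask for per call.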
DPO Requirements, Lawful Bases, and Breach Notification
Three additional UU PDP provisions require specific AI compliance programs. Data Protection Officer (Article 53): DPO appointment is mandatory where processing is carried out by a public authority or body; where core activities involve large-scale systematic monitoring of individuals; or where core activities involve large-scale processing of specific personal data (health, biometric, financial). For AI platforms conducting user profiling, behavioral analytics, or credit/risk scoring at scale, DPO appointment is mandatory. The DPO must have expertise in data protection law and practice, report to the highest management level, and be reachable by data subjects. Lawful bases (Article 20): UU PDP provides 6 lawful bases analogous to GDPR: explicit consent; contractual necessity; legal obligation; vital interests; public task; legitimate interests (not available for specific/sensitive personal data processing). For sensitive data AI processing, only explicit consent or specific legal compulsion applies — legitimate interests is not available. Breach notification (Article 46): 14 calendar days from discovery to notify both KOMDIGI and affected data subjects. The notification must describe: what data was compromised; how and when the breach occurred; potential impact on data subjects; and remediation measures. AI systems must have automated breach detection — manual discovery processes will not reliably achieve the 14-day window at scale.
Indonesia PDPL Enforcement and the Evolving Regulatory Landscape
KOMDIGI (Kementerian Komunikasi dan Digital, formed from the October 2024 renaming of KOMINFO) is building its enforcement infrastructure following the law's October 2024 effective date. The two-year transition (2022-2024) allowed organizations to adapt; 2025-2026 is the active enforcement period. Criminal penalties under UU PDP: unlawful collection/processing of personal data — up to 5 years and/or IDR 5 billion; unlawful use/disclosure of personal data — up to 4 years and/or IDR 4 billion; unauthorized use for forgery or impersonation — up to 6 years and/or IDR 6 billion. Administrative sanctions: written warning, temporary suspension of data processing, suspension of operations, deletion orders for unlawfully processed data. Unlike the GDPR model, where enforcement is led by supervisory authorities and is civil or administrative in nature, UU PDP includes criminal liability — individual executives (directors, DPOs) can face personal criminal prosecution for serious violations, not only corporate fines. KOMDIGI has flagged AI systems, biometric processing, and digital platform data practices as 2025-2026 enforcement priorities. Indonesia is also developing sector-specific AI regulations (financial services, healthcare) that will layer on top of UU PDP — PDPL compliance provides the baseline for these sector-specific requirements.