This latest edition of our quarterly overview of key legal and regulatory developments impacting Indonesia’s cyber security and personal data protection environment includes:

  • Indonesia Constitutional Court's decision on conditions for appointing Data Protection Officers
  • Framework for future Indonesia-US Reciprocal Trade Agreement, enabling transfer of personal data to the US
  • OJK launching cybersecurity guidelines for digital financial assets
  • National AI Roadmap to be issued by the Ministry of Communications and Digital Affairs
  • Overview of notable global headlines
  • Recent cyber security incidents and emerging risks in Indonesia

Indonesian regulatory updates and developments

Constitutional Court clarifies conditions for appointing Data Protection Officers 

On 30 July 2025, Indonesia's Constitutional Court (the Court) issued Decision No. 151/PUU-XXII/2024, providing much needed clarity on the conditions for appointing Data Protection Officers (DPOs) under Article 53(1)(b) of Law No. 27 of 2022 on Personal Data Protection (the PDP Law).1

Read literally, Article 53(1)(b) of the PDP Law required personal data controllers and processors to appoint a DPO only when all three of the following conditions were met:

  1. personal data is processed for the purpose of public services;
  2. core activities involve large-scale, regular and systematic monitoring of personal data; and
  3. core activities consist of large-scale processing of specific personal data and/or personal data relating to criminal matters.

This cumulative reading significantly limited the DPO requirement, potentially excluding many organisations from the obligation. In its ruling, the Court found that the word "and" in Article 53(1)(b) was unconstitutional, as it conflicted with the intent of the PDP Law and with the constitutional right to personal data protection under Article 28G of the Indonesian Constitution. The Court held instead that the conditions should be read as "and/or" provisions, so that meeting any one of the three criteria is sufficient to trigger the obligation to appoint a DPO.

This change significantly broadens the scope of entities subject to the DPO requirement. The Court's reasoning also underlines that the protection of personal data is a fundamental constitutional right rather than merely a statutory compliance matter.

Following the Court's ruling, all organisations should review their data processing practices to ensure that they align with the broader interpretation of the requirements for appointing a DPO.

Framework for Indonesia-US Reciprocal Trade Agreement to enable transfer of personal data to the US

On 22 July 2025, the Republic of Indonesia and the United States made a joint statement on a Framework to negotiate a Reciprocal Trade Agreement (Framework), building on the 1996 Trade and Investment Framework Agreement. Both countries will now work on negotiating and finalising the Reciprocal Trade Agreement.2

In the joint statement, Indonesia has (among other things) committed to recognising the United States as a jurisdiction that provides adequate data protection under Indonesian law. This recognition is intended to provide legal certainty for the transfer of personal data from Indonesia to the US, particularly in the context of commercial activities.

The Indonesian government has indicated that the data transfers contemplated by the Framework will be strictly supervised by Indonesian authorities, with adequate protection of data under Indonesian law through secure and reliable data governance.

OJK launches cybersecurity guidelines for digital financial assets

In August 2025, Indonesia’s Financial Services Authority (OJK) launched Cyber Security Guidelines for Digital Financial Asset Trading Operators in Indonesia (the DFA Cyber Security Guidelines) to strengthen the integrity and resilience of a rapidly evolving digital financial asset trading ecosystem.3

The DFA Cyber Security Guidelines emphasise the importance of building secure-by-design and resilient-by-architecture information systems to maintain sectoral stability and foster public confidence. Key principles include:

  • adopting a Zero Trust model;
  • implementing robust cyber risk management aligned with global standards;
  • using cold wallets and end-to-end encryption for data protection;
  • establishing coordinated incident response plans; and
  • continuously enhancing technical capabilities through training, certification and simulations.

The Guidelines are part of the implementation of Law No. 4 of 2023 on the Development and Strengthening of the Financial Sector (the Financial Omnibus Law), which mandates OJK to regulate and supervise Technological Innovation in the Financial Sector, Digital Financial Assets and Crypto Assets (IAKD), commencing in January 2025.4

Indonesian Ministry of Communications and Digital Affairs to issue National AI Roadmap

The Ministry of Communications and Digital Affairs (MOCD) is finalising a white paper on Indonesia's National Artificial Intelligence (AI) Roadmap, which will set out the country's vision to build an ethical, inclusive and globally competitive AI ecosystem.5

This white paper will serve as the foundation for two upcoming presidential regulations, one of which will establish safety and security guidelines for the use and development of AI. The draft presidential regulation is currently undergoing harmonisation, involving 41 ministries and agencies, before it is promulgated.

Global headlines

ICO fines 23andMe

On 17 June 2025, the UK Information Commissioner's Office (ICO) fined 23andMe £2.31 million after a cyberattack exposed the personal data of over 155,000 UK users. The breach was the result of a credential stuffing attack, in which the attacker reused username and password combinations stolen in earlier, unrelated breaches to log in to 23andMe accounts.
The ICO also criticised the company's delayed response, noting that it missed multiple warnings before acting, and stressed the importance of putting in place additional safeguards to protect special category data.6
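Credential stuffing is distinctive in the logs: one source tries many different accounts in a short time, and a small fraction of those attempts succeed because the reused passwords are valid. The detector below is an added illustration of that signature, written for this briefing; it is not 23andMe's or the ICO's material, and the log format and the sample log lines are constructed. Its thresholds (attempts and distinct accounts per window) are assumptions to be tuned against a real authentication feed.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example, not code from the original briefing. The log format is an
assumption: "<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 sprays seven different
# accounts in seconds and gets one hit; 198.51.100.2 is an ordinary user who
# mistypes a password twice; 192.0.2.9 is a clean login.
SAMPLE_LOG = """\
2025-10-01T10:00:00 203.0.113.7 alice LOGIN_FAIL
2025-10-01T10:00:01 203.0.113.7 bob LOGIN_FAIL
2025-10-01T10:00:02 203.0.113.7 carol LOGIN_FAIL
2025-10-01T10:00:03 203.0.113.7 dave LOGIN_FAIL
2025-10-01T10:00:04 203.0.113.7 erin LOGIN_OK
2025-10-01T10:00:05 203.0.113.7 frank LOGIN_FAIL
2025-10-01T10:00:06 203.0.113.7 grace LOGIN_FAIL
2025-10-01T10:01:00 198.51.100.2 alice LOGIN_FAIL
2025-10-01T10:01:05 198.51.100.2 alice LOGIN_FAIL
2025-10-01T10:01:10 198.51.100.2 alice LOGIN_OK
2025-10-01T10:30:00 192.0.2.9 heidi LOGIN_OK
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=5, min_distinct_users=4):
    """Flag source IPs that, within any sliding `window`, make at least
    `min_attempts` login attempts spread over at least `min_distinct_users`
    accounts. Stuffing replays leaked username/password pairs, so the signal is
    many *different* accounts from one source; repeated failures against a
    single account (a user mistyping, or a brute force) do not match.

    Returns {ip: {"attempts", "distinct_users", "compromised"}} where
    "compromised" lists accounts that logged in successfully from that IP.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        flagged = False
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            if len(chunk) >= min_attempts and len({e[2] for e in chunk}) >= min_distinct_users:
                flagged = True
                break
        if flagged:
            alerts[ip] = {
                "attempts": len(evs),
                "distinct_users": len({e[2] for e in evs}),
                # Successful logins from a stuffing source are the accounts to
                # force-reset and notify; this is the breach scope, not the noise.
                "compromised": sorted({e[2] for e in evs if e[3]}),
            }
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_credential_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, info in run_sample().items():
        print(ip, info)
```

The "compromised" list is the practical output: each successful login from a flagged source is an account whose password is already public, which is what makes the speed of response the ICO criticised matter. Pair the alert with rate limiting per source and mandatory MFA on anomalous logins; both would have turned the replayed passwords into failed attempts.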

Polish Data Protection Authority issues record GDPR fines against McDonald's for employee data breach

On 21 July 2025, the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych or UODO) imposed a record fine of ~€3.9 million on McDonald’s Polska Sp. z o.o. (McDonald’s) and ~€43,000 on its data processor, 24/7 Communication Sp. z o.o. (the Processor) following a significant breach of the EU General Data Protection Regulation (GDPR).

McDonald's had outsourced the processing of sensitive employee data to the Processor, which managed an employee scheduling module. Due to inadequate technical and organisational safeguards, a misconfigured server left sensitive employee data (including names, PESEL numbers (Polish national identification numbers), passport numbers, work hours and job positions) publicly accessible on the internet. The breach affected employees at both corporate-owned and franchise restaurants. McDonald's reported the personal data breach to the UODO in July 2020 and the UODO commenced its investigation in November 2020, eventually concluding that neither party had carried out a risk assessment or implemented adequate technical and organisational security measures.7

Austrian court limits "consent or pay" model

In a landmark ruling, the Austrian Federal Administrative Court found that the implementation of the "consent or pay" model by a national news outlet, Der Standard, violated the GDPR.

The “consent or pay” model, which is increasingly used by online platforms, generally offers users three choices: (1) consent to the use of their personal data for personalised advertising in exchange for free access to a product or service; (2) pay a fee to access the service (without the need to consent to personalised advertising); or (3) decide not to use the product or service.

A key issue was the lack of granular consent. Users were forced to accept all data processing purposes – advertising, analytics, and social media plugins – via a single “agree” button. The court ruled this bundling invalidates consent, as the GDPR mandates that users must be able to choose which types of data processing they accept.8

Indonesian cyber attacks and data incidents making the news

MOCD temporarily suspends TikTok's TDPSE

On 3 October 2025, the MOCD temporarily suspended the Electronic System Operator Certificate Registration (Tanda Daftar Penyelenggara Sistem Elektronik or TDPSE) of TikTok Pte Ltd (TikTok), following TikTok's refusal to comply with a government request for data related to TikTok live streaming activities during protests held in August 2025.

The MOCD's request was based on MOCD Regulation No. 5 of 2020 on Private Electronic System Operators, which requires electronic system operators to grant access to their electronic systems and data for supervisory purposes. The suspension was lifted the next day, once TikTok submitted the data that had been requested.9

State-owned banks face daily cyber attacks

At a Digital Resilience Summit held in Jakarta in September, Deputy Minister of State-Owned Enterprises Kartika Wirjoatmodjo revealed that apps under the Himbara group (eg Livin Mandiri, BRImo, Byond) were being targeted by hundreds of thousands of cyberattacks every day. He stressed the importance of built-in cybersecurity, rather than just reactive measures, and highlighted the role of individuals in forming cyber patrol teams.

BSSN reports more than 3 billion cyber attacks in H1 2025

Indonesia’s State Cyber and Cryptography Agency (BSSN) recorded more than 3 billion cyberattacks or traffic anomalies from January to July 2025.10

During the Digital Transformation Indonesia Conference & Expo (DTI-CX) in August 2025, Deputy for Cyber Security and Encryption Operations at BSSN, Bondan Widiawan, indicated that these numbers reflect not just potential threats but a present and escalating reality in Indonesia’s cyberspace. 

US$4.5 million investor account breach at BCA

On 9 September 2025, suspicious fund withdrawals were detected in the Investor Fund Accounts (RDN) of PT Panca Global Sekuritas (PGS) at Bank Central Asia (BCA). The transfers were allegedly made to an unregistered account via BCA Business Click, resulting in estimated losses of IDR70 billion (US$4.5 million).11

BCA made a public disclosure on 12 September 2025 to the Indonesia Stock Exchange stating that its systems remained secure and that it was conducting a joint investigation with PGS. The bank emphasised that it would continue to protect data by implementing multi-layered security protocols and risk mitigation measures.12

Indonesia named largest source of Distributed Denial of Service (DDoS) attacks in Q2 2025 

According to the Q2 2025 DDoS Threat Report by Cloudflare, a US-based global cloud services provider, Indonesia ranked first globally as a source of DDoS attack traffic. The ranking reflects where the attacking infrastructure sits (compromised devices acting as botnet nodes, and proxy or VPN endpoints), not necessarily the country in which the threat actors themselves are located.13

Technology, Media and Telecommunications: Cellia Cognard, Sakurayuki, Frances Hewitt