A Year of Inaction: Indonesia's Data Law Is Still Just Words on Paper

It has been one year since the two-year transition period for the Personal Data Protection (PDP) Law officially ended, yet its implementation remains far from public expectations. 

Dr. Pratama Persadha

In an increasingly complex digital world fraught with threats to individual privacy, the PDP Law should have been a crucial milestone for Indonesia to assert data sovereignty and protect citizens' rights to their personal information. However, without concrete execution and a strong implementing institution, this regulation will lose its meaning.

The urgency of implementing the PDP Law can no longer be delayed. Over the past year, Indonesians have continuously been targeted by various forms of digital crime, ranging from personal data breaches in both the public and private sectors, rampant online fraud, the proliferation of online gambling, to various scams utilizing social engineering and artificial intelligence. 

This pattern of digital attacks indicates that citizens' personal data has become a commodity traded illegally in cyberspace. The absence of an authoritative body to strictly perform oversight and law enforcement functions makes this situation increasingly alarming.

The Personal Data Protection Agency (Badan PDP), mandated by the PDP Law, should have been at the forefront of ensuring compliance with data protection principles by institutions and companies. Unfortunately, to date, its establishment has not been carried out by the President. 

The law has also not been effectively realized because the Government Regulations (PP), which serve as the technical basis for implementation, have not been issued. Without the PDP Agency and the PDP Regulations, mechanisms for law enforcement, data governance, and compliance standards lack operational clarity. 

Consequently, the regulation that should provide a sense of security remains merely a symbol without executive power.

The existence of the PDP Agency is not just an administrative necessity but a national strategic urgency. 

This institution must be formed on a strong foundation, independent, and free from political intervention. More importantly, its leadership must not be based merely on political appointments but must be grounded in technical competence and deep experience in cybersecurity, data governance, and digital privacy. 

The figure leading the PDP Agency must understand not only the legal aspects but also the technical dynamics of cyberattacks, cross-sectoral data structures, and risk mitigation strategies that are adaptive to global technological developments. Without competent leadership, this agency risks becoming just an administrative symbol, incapable of effectively enforcing its data protection mandate.

This moment also nearly coincides with the one-year mark of the Prabowo-Gibran administration, yet the Personal Data Protection Agency (Badan PDP), which is explicitly mandated to the President under Article 58 of the PDP Law, has still not been formed. Given that the establishment of the PDP Agency is a legal obligation placed directly on the President, this delay could lead to the public perception that the President has violated the law's mandate. 

It also risks eroding public trust in the state's commitment to protecting its citizens' digital rights. Therefore, this moment serves as a strategic reminder to the President to take immediate, concrete steps to establish the Personal Data Protection Agency, to ensure the implementation of the PDP Law proceeds in accordance with the mandate of Article 28G(1) of the 1945 Constitution, and to maintain the government's credibility in upholding the law in the digital space.

The public increasingly needs real protection. In the past year, reports of digital identity theft, bank account breaches via phishing and social engineering, and the misuse of personal data for online gambling account registrations have all increased. 

Many victims are unaware that their data has been leaked from official sources, such as e-commerce platforms, public services, and even financial institutions. This situation is causing a crisis of confidence in the national digital system and threatens the foundation of Indonesia's rapidly growing digital economy.

If the government wants to ensure the digital transformation proceeds safely and sustainably, then accelerating the implementation of the PDP Law and the establishment of the PDP Agency must be a top priority. The PDP Regulations need to be issued immediately to provide clear technical guidelines regarding oversight mechanisms, violation reporting, and administrative and criminal sanctions for perpetrators of personal data violations. 

Without these, data protection will remain mere rhetoric amidst ongoing data exploitation practices. In an increasingly interconnected global digital ecosystem, personal data is a strategic asset of invaluable worth. 

Developed countries have long realized this, building strict data protection systems such as the GDPR in Europe or the PDPA in Singapore. Indonesia cannot continue to lag behind in this regard. The PDP Law is already a strong legal foundation, but without implementative steps and an empowered enforcement agency, the regulation will lose its meaning amidst constantly evolving digital threats.

Now, the challenge is no longer merely drafting regulation, but enforcing it consistently. The government must demonstrate a commitment that personal data protection is not just an individual responsibility, but a state responsibility to protect the dignity and security of its citizens in the digital age. 

The establishment of a credible PDP Agency, supported by clear regulations (PP), and led by a figure with high integrity and competence, will be the key to ensuring the PDP Law truly lives and works to protect the people—not just remain words on paper.

By Dr. Pratama Persadha, Chairman, CISSReC Cybersecurity Research Center