
Indonesia PDP Law (UU PDP): Data Protection for AI Systems

February 12, 2026 | 13 min read | Pertama Partners
Updated March 15, 2026
For: Legal/Compliance, CISO, CTO/CIO, CHRO, IT Manager

Indonesia's Personal Data Protection Law (UU PDP), fully effective since October 2024, is modeled on GDPR and applies to all AI systems processing personal data. With mandatory AI regulations expected in early 2026, companies must comply now.

Key Takeaways

  1. PDP Law (UU PDP) fully effective since 17 October 2024 — GDPR-modeled with consent, data subject rights, cross-border transfer rules
  2. Sensitive data categories include biometric, genetic, health, financial, and children's data
  3. Right to object to automated decision-making — directly relevant for AI systems
  4. OJK AI guidelines mandatory for financial institutions — 6 Pancasila-aligned principles
  5. Presidential Regulation (Perpres) on AI Ethics and Safety expected early 2026 — mandatory high-risk AI registration
  6. Dedicated PDP enforcement agency planned to be operational by 2026

What Is the Indonesia PDP Law?

Law No. 27 of 2022 on Personal Data Protection (Undang-Undang Perlindungan Data Pribadi, or UU PDP) is Indonesia's first comprehensive data protection law. Modeled on the EU's GDPR, it was enacted on 17 October 2022 and became fully effective on 17 October 2024 after a two-year grace period.

For AI companies, the PDP Law is the primary legal framework governing how personal data is used in AI development, training, and deployment. A dedicated PDP Agency is planned to be operational by 2026 to enforce the law.

Why Indonesia Matters for AI Compliance

Indonesia is Southeast Asia's largest economy with over 270 million people and rapidly growing digital adoption. Key facts:

Personal Data Categories Under PDP Law

The PDP Law distinguishes between general and specific (sensitive) personal data:

General Personal Data

  • Full name
  • Gender
  • Nationality
  • Religion
  • Marital status
  • Personal data combined to identify a person

Specific (Sensitive) Personal Data

  • Health data and information
  • Biometric data
  • Genetic data
  • Criminal records
  • Children's data
  • Personal financial data
  • Any other data designated by regulations

For AI systems, the biometric, genetic, health, financial, and children's data categories are particularly important — AI applications in healthcare, fintech, security, and education frequently process these categories.

Core Requirements for AI Systems

Lawful Basis for Processing

Like GDPR, the PDP Law requires a lawful basis for processing personal data. The bases include:

  • Consent: Explicit consent from the data subject
  • Contractual necessity: Processing necessary to perform a contract
  • Legal obligation: Processing required by law
  • Vital interests: Processing necessary to protect life
  • Public interest: Processing in the public interest
  • Legitimate interests: Processing for legitimate interests (balancing test required)

When relying on consent for AI data processing:

  • Consent must be specific, informed, and unambiguous
  • Consent can be withdrawn at any time
  • For sensitive data, explicit consent is required
  • Consent for AI training purposes should clearly explain how data will be used

Data Controller and Data Processor

The PDP Law distinguishes between:

  • Data controllers: Determine the purposes and means of processing (the company deploying AI)
  • Data processors: Process data on behalf of controllers (AI vendors, cloud providers)

Both have specific obligations under the law. Data controllers cannot fully delegate responsibility to processors.

Cross-Border Data Transfer

Personal data can only be transferred outside Indonesia if:

  • The destination country has adequate data protection laws
  • Adequate safeguards are in place (contractual, binding corporate rules)
  • The data subject consents

This affects AI systems using cloud infrastructure outside Indonesia.

Data Subject Rights

Individuals have the following rights:

  • Right to be informed about data processing
  • Right to access their personal data
  • Right to rectify inaccurate data
  • Right to delete personal data
  • Right to restrict processing
  • Right to data portability
  • Right to object to profiling and automated decision-making

The right to object to automated decision-making is particularly relevant for AI systems that make or influence decisions about individuals.

OJK AI Guidelines for Financial Services

The OJK (Otoritas Jasa Keuangan) published AI Governance for Indonesian Banking guidelines on 29 April 2025. These are mandatory for financial institutions:

Six Basic Principles

  1. Based on Pancasila: AI aligned with Indonesian national philosophy
  2. Beneficial: AI should create value for customers and society
  3. Fair and just: AI should not discriminate
  4. Accountable: Clear responsibility for AI outcomes
  5. Transparent and explainable: AI decisions should be understandable
  6. Resilient and secure: AI systems should be robust

Key Focus Areas

  • Consumer protection in AI-driven financial services
  • Model and data reliability for credit scoring and risk assessment
  • Financial inclusion — ensuring AI does not exclude underserved populations
  • Data protection compliance with PDP Law
  • Cyber resilience of AI systems

Upcoming: Perpres on AI Ethics and Safety

A Presidential Regulation (Perpres) on AI Ethics and Safety is expected in 2026 (pushed back from 2025). Key details:

  • Status: Reported to be 90% complete as of late 2025
  • Shift: Moves Indonesia from voluntary guidelines to mandatory requirements
  • Key provisions (expected):
    • Mandatory registration of high-risk AI systems
    • Impact assessments for high-risk AI applications
    • Penalties for non-compliance with registration requirements
    • Alignment with Indonesia's National AI Strategy

How to Comply

Step 1: PDP Law Compliance

  • Identify all personal data processing activities in your AI systems
  • Determine the lawful basis for each processing activity
  • Implement consent mechanisms for AI-related data processing
  • Establish data subject rights handling procedures
  • Appoint a data protection officer or designate a responsible team

Step 2: AI-Specific Data Governance

  • Audit AI training data for personal data, especially sensitive categories
  • Implement anonymization or pseudonymization where possible
  • Document data provenance for AI training datasets
  • Establish data retention and deletion policies for AI data

Step 3: OJK Compliance (Financial Services)

  • Map AI systems against OJK's six principles
  • Implement fairness monitoring for credit scoring and risk assessment
  • Ensure explainability for customer-facing AI decisions
  • Conduct regular audits of AI model performance

Step 4: Prepare for Perpres

  • Monitor government announcements on the AI Ethics and Safety regulation
  • Inventory AI systems that may be classified as high-risk
  • Begin preparing impact assessments for high-risk applications
  • Build documentation and registration capabilities

Related Frameworks

  • Singapore PDPA & AI: Comparable data protection framework with more mature AI guidance
  • Malaysia PDPA 2010: Similar evolving data protection with AI implications
  • ASEAN AI Governance Guide: Regional principles that Indonesia's framework aligns with
  • EU GDPR: The model on which Indonesia's PDP Law is based

Common Questions

Yes. The PDP Law (UU PDP, Law No. 27 of 2022) became fully effective on 17 October 2024 after a two-year grace period. All organizations processing personal data of Indonesian residents must comply. A dedicated PDP enforcement agency is planned to be operational by 2026.

Yes. The PDP Law applies to all processing of personal data, regardless of the technology used. AI systems that collect, store, process, or generate personal data — including for training, inference, and output — must comply with all PDP Law requirements.

A Presidential Regulation (Perpres) on AI Ethics and Safety is expected in early 2026. It was reported to be 90% complete in late 2025. This will establish mandatory requirements for high-risk AI systems, including registration and impact assessment obligations.

Only if the destination country has adequate data protection laws or adequate safeguards are in place. Cross-border transfer of personal data requires compliance with PDP Law provisions. Using cloud-based AI infrastructure outside Indonesia for processing Indonesian personal data must meet these requirements.

No. OJK AI guidelines are mandatory only for financial institutions regulated by OJK — banks, insurance companies, fintech companies, and capital market participants. Non-financial companies should follow the general PDP Law and AIGE-style voluntary guidelines until the Perpres takes effect.
