Establishing an independent data protection authority in Indonesia: a future–forward perspective

ABSTRACT The Indonesian government enacted the Personal Data Protection Law (‘PDP Law’) in September 2022. This legislation was long in the making and intended to be an urgent response to the unprecedented rise in data breaches and illegal online surveillance in the country. The PDP Law mimics several features of the EU’s General Data Protection Regulation but fails to underline provisions for an independent supervisory authority. In this article, we argue that the existence of an independent data protection authority will be crucial in safeguarding the privacy of Indonesians in a meaningful manner and benefit Indonesia’s long-term economic and political interests, including getting international recognition for being a safe data destination. Therefore, we propose that the Indonesian government must set up an organizationally and, more importantly, functionally independent data protection authority at the earliest possible and indicate various ways in which it can do so. This reform will be fundamental in establishing a robust data protection regime in the country, especially given the limitations of Indonesia’s corrupt judicial system and the government’s strong leaning towards digital sovereignty.