
Indonesia’s Constitutional Court Strengthens Data Privacy: Broader Obligation to Appoint Data Protection Officers 

Data Protection Officers

Indonesia’s Constitutional Court has expanded the obligation to appoint Data Protection Officers (“DPO”) through Decision No. 151/PUU-XXII/2024, shifting the criteria from cumulative to alternative. This landmark ruling means that organizations engaging in any high-risk personal data processing, whether in public services, large-scale monitoring, or handling sensitive data, must now appoint a DPO. The decision strengthens constitutional privacy rights, increases accountability for organizations, and aligns Indonesia more closely with global standards such as the GDPR. While challenges remain, businesses are urged to act proactively by appointing and training DPOs. 


 

In a groundbreaking decision, Indonesia’s Constitutional Court has expanded the scope of organizations required to appoint Data Protection Officers (“DPO”). Constitutional Court Decision No. 151/PUU-XXII/2024, handed down on 30 July 2025, marks an important step in strengthening personal data protection and aligns Indonesia more closely with international standards. 

Why Was the Law Challenged? 

In September 2024, Eric Cihanes and Garin Arian Reswara filed a judicial review petition against Article 53 paragraph (1) of Indonesia’s Personal Data Protection Law (Law No. 27/2022). Their concern rested on a single word, “and”, which implied that the requirement to appoint a DPO applied only to organizations that met all 3 (three) conditions: 

  1. Processing data for public services, 
  2. Conducting systematic, large-scale monitoring of personal data, and 
  3. Handling sensitive or criminal-related personal data on a large scale. 

This “all-or-nothing” approach meant that organizations engaging in just one high-risk activity, such as monitoring user behavior online, were not required to appoint a DPO. The petitioners argued that this undermined privacy protections, as each condition on its own already posed serious risks to individuals’ personal data. 


Judicial Considerations 

The Court’s reasoning was guided by constitutional principles and established jurisprudence: 

  1. The petitioners, as Indonesian citizens, claimed their constitutional rights under Article 28G paragraph (1) of the 1945 Constitution. 
  2. In their daily lives, the petitioners engage in activities involving the use of personal data, both electronically and non-electronically, in public services and private sectors, which carry high-risk personal data processing. 
  3. The word “and” in the article rendered the criteria cumulative, meaning that the obligation to appoint a DPO arose only when all three criteria (a, b, and c) were fulfilled. This narrowed the scope of the obligation, excluding parties that met only one or two high-risk criteria from the obligation to appoint a DPO. 
  4. Had the provision used “and/or,” the criteria would have been both cumulative and alternative, thus ensuring that entities meeting one, two, or all criteria would be required to appoint a DPO, thereby addressing the petitioners’ concern about high-risk personal data processing.
  5. In reviewing whether the word “and” in that Article limited the obligation to appoint a DPO, thereby harming the petitioners’ constitutional rights, the Court considered that the rapid growth of cross-border technologies has enabled massive data collection and processing. Hence, it is the State’s constitutional duty to guarantee the protection of personal data as part of human rights. This duty is embodied in Law No. 27/2022 through the roles of controllers, processors, and DPOs to ensure compliance and mitigate privacy risks.
  6. On that basis, the Court concluded that Article 53 paragraph (1) letter (b) of Law No. 27/2022 had failed to adequately safeguard the right to personal security, and therefore contravened Article 28G paragraph (1) of the 1945 Constitution.

The Court’s Ruling 

The Constitutional Court has ruled that the word “and” should now be interpreted as “and/or.” This means the obligation to appoint a DPO now applies if one, or a combination of any, of the three conditions is met, not just when all three occur together. This provision is broader than the GDPR provision, which uses “or”, hence requiring just one of the categories to be met. 

In practice, the decision dramatically widens the scope of organizations required to appoint a DPO. DPOs are no longer limited to government agencies or large corporations. Even smaller entities handling sensitive health data, financial institutions tracking customer transactions, digital platforms monitoring user activity, or companies maintaining employee data are required to comply. 

Why Does This Matter? 

This ruling is significant for two reasons: 

  1. Stronger Protection for Citizens
    The Constitutional Court emphasizes that personal data protection is part of the constitutional right of Indonesian citizens to security and privacy, as guaranteed by Article 28G paragraph (1) of the 1945 Constitution. By expanding the obligation to appoint DPOs, the decision ensures that more organizations will have internal officers responsible for overseeing compliance and safeguarding citizens’ data. 
  2. Greater Accountability for Organizations
    With the broader scope, businesses and public bodies can no longer delay or avoid appointing a DPO. This adds a layer of accountability and helps prevent the misuse of personal information. Appointing a DPO is not simply a legal formality; it’s a concrete step towards building trust with customers, employees, and the wider public.

The Constitutional Court’s interpretation also aligns Indonesia’s personal data protection regime more closely with the spirit of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR). Both frameworks are aimed at public service providers, large-scale, regular, and systematic data processing, as well as the handling of sensitive or criminal-related personal data. The main difference from the GDPR lies in scope and enforcement. While the GDPR applies broadly to all data controllers and processors, regardless of whether they are public or private entities, the Constitutional Court’s decision emphasizes state responsibility and constitutional recognition of personal data protection primarily within the context of public services. Moreover, the GDPR provides for comprehensive data subject rights, such as the right to erasure and portability, and imposes heavy administrative fines for non-compliance, whereas Indonesia’s framework is still more focused on establishing the legal foundation for protection and enforcement through judicial oversight rather than administrative penalties. This alignment, despite the differences, reflects Indonesia’s growing convergence with international best practices in data protection.

What’s Next? 

While this ruling is a milestone, challenges remain. Indonesia has yet to establish the dedicated data protection authority mandated by the PDP Law. The certification mechanism for DPO qualifications is also unclear, leaving organizations uncertain about how to meet the new requirements. For now, the Ministry of Communication and Digital Affairs serves as the transitional authority. 

However, experts say companies should not wait. Nearly every organization processes personal data in some form, whether customer details, employee records, or transaction histories. Proactively appointing and training a DPO not only ensures compliance but also strengthens corporate governance and public trust. 

Looking Ahead 

The Constitutional Court’s decision reflects a growing global consensus: personal data is not just a business asset, but a fundamental right that must be protected. For Indonesia, this ruling is a turning point. Organizations across all sectors now need to reassess their data practices, appoint qualified DPOs, and treat data privacy as a core part of doing business. 

In an age where data breaches can erode trust overnight, protecting personal data is not an option; it’s a constitutional duty. 

***

About ADCO Law:

ADCO Law is a law firm that offers clients a wide range of integrated legal services, including commercial transactions and corporate disputes in a variety of industry sectors. Over the course of more than a decade, we have grown to understand our clients’ industries and businesses as well as the regulatory aspects. In dealing with business dynamics, we provide comprehensive, solid legal advice and solutions to minimize legal and business risks.

From Upstream to Downstream, We Understand Your Industry. In complex transactions and certain cases, we actively engage with financial, tax, and environmental specialists, accountants, and law firms from various jurisdictions to add value to our clients. Our strong relationships with Government agencies, regulators, associations, and industry stakeholders ensure that our firm has a holistic view of legal matters.

ADCO Law is a Proud Member of the Alliott Global Alliance (AGA) in Indonesia. Founded in 1979, AGA is one of the largest and fastest-growing global multidisciplinary alliances, with 215 member firms in 95 countries. As a law firm, we also believe in regeneration. To stay abreast of business changes and stay relevant, our formation of lawyers is comprised of the top graduates from Indonesian and international law schools.