Indonesia's PDP Law Compliance Realities: Delayed Implementing Regulations and Interim Transfer Procedures

Although the two-year transition period for Indonesia’s Personal Data Protection Law (Law No. 27/2022 - PDP Law) officially expired in October 2024, the full enforcement of its strict cross-border data transfer framework remains in a transitional state as of 2026. This delay stems from the pending finalization of implementing regulations and the delayed establishment of the national Data Protection Authority (DPA).

Status of Implementing Regulations & DPA (2025 – 2026)

• Draft Government Regulation (Draft GR on PDP): The Indonesian Government, through the Ministry of Communication and Digital Affairs (MOCDA - formerly Kominfo) and the National Cyber and Crypto Agency (BSSN), is still finalizing the Draft GR on PDP (or RPP PDP). As of early 2026, the draft is in the "harmonization stage" at the Ministry of Law.
• Absence of the DPA (Lembaga PDP): The formal regulatory body tasked with supervising PDP Law compliance and issuing formal adequacy decisions has not yet been established or made fully operational. It is anticipated to become active later in 2026.

Interim Cross-Border Data Transfer Requirements

Article 56 of the PDP Law outlines three conditions under which personal data may be transferred outside Indonesia (adequacy of the recipient country, binding safeguards/SCCs, or explicit consent). However, because the DPA is not yet established, these formal channels are not fully operational.

To adapt, compliance teams must follow an interim procedure mandated by MOCDA for Electronic System Providers (ESPs) transferring data overseas:

1. Prior and Post Notifications: ESPs must formally notify MOCDA both before and after any cross-border data transfer.
2. MOCDA Notification Template: MOCDA provides an internal template for this notification letter to guide companies through the reporting process.
3. Mandatory ESP Registration: Under MOCDA Regulation No. 5 of 2020 and the updated MOCDA Regulation No. 5 of 2025, public and private ESPs that offer online services, portals, or applications in Indonesia must register with MOCDA to obtain an ESP registration certificate.

Practical Steps for Compliance Teams

While waiting for the final Draft GR on PDP and the formal establishment of the DPA, multinational companies operating in Indonesia should focus on:

• Record-Keeping: Maintaining a Record of Data Processing Activities (ROPA) to track all data processing, which satisfies the general record-keeping obligations of the PDP Law.
• Data Retention: Aligning electronic systems with the 5-year data retention requirement, which starts when a data subject ceases to use the electronic system.
• Interim Reporting: Filing the required pre- and post-transfer notifications with MOCDA for any system utilizing overseas cloud infrastructure (such as AWS, Google Cloud, or Azure) or central HR management systems.