Indonesian Constitutional Court Reinterprets Key Provision in Personal Data Protection Law
Indonesia’s Constitutional Court (Mahkamah Konstitusi or “MK”) recently issued a landmark decision on the criteria to appoint a Data Protection Officer (“DPO”), establishing clarity on the scope of the personal data protection framework under Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”).[1]
I. The Original Legal Framework
The original Article 53(1) of the PDP Law requires a Personal Data Controller or Processor to appoint a DPO if:
- it processes personal data for public services[2];
- its core activities have such a nature, scope, and/or purpose that require regular and systematic monitoring of personal data on a large scale; and
- its core activities involve large-scale processing of specific/sensitive or crime-related personal data.
The coordinating conjunction “and” implies that the criteria are cumulative, meaning that all three criteria must be met to trigger the obligation to appoint a DPO.
A group of petitioners challenged Article 53(1) of PDP Law before the Constitutional Court, arguing that each criterion under Article 53(1) constitutes a high-risk activity and should therefore independently trigger the obligation to appoint a DPO. Applying a cumulative approach would affect proper oversight of personal data processing, they argued. The petitioners proposed changing “and” to “and/or”, so that the obligation to appoint a DPO would apply upon the fulfilment of any of the criteria listed under Article 53 (1) of the PDP Law, to strengthen oversight and align with the constitutional right to personal security (Article 28G(1) of the Amended 1945 Constitution).
The Government, however, maintained that the existing wording should already be read as an alternative requirement, meaning that satisfying any one of the criteria would be sufficient to trigger the obligation to appoint a DPO.
In its decision, the Court argued that using the coordinating conjunction “and” in Article 53(1) of the PDP Law creates legal uncertainty and undermines the PDP Law’s objective of ensuring adequate personal data protection Accordingly, it sided with the petitioners and decided that Article 53(1) of the PDP Law should be interpreted as using the coordinating conjunctions “and/or” — making each of the listed criteria sufficient to trigger the obligation to appoint a DPO.
II. Practical Implications and Recommended Actions
In light of the Constitutional Court’s decision, businesses that are involved in personal data processing activities, primarily as Personal Data Controllers, should immediately reassess their obligations under Article 53. Key steps include:
Risk Assessment – Review whether their core activities fall within any of the criteria under Article 53(1).
DPO Appointment – If any criterion is met, appoint a qualified DPO without delay to ensure compliance.
Policy Updates – Review and revise their internal data protection policies, procedures, and governance structures to reflect the expanded scope and ensure ongoing legal alignment.
Ongoing Compliance – Monitor regulatory updates and prepare for potential supervisory enforcement based on this new interpretation.
By acting proactively, businesses can strengthen their data protection posture, avoid compliance risks, and demonstrate accountability in handling personal data.
III. ABNR Commentary
This ruling provides much-needed clarity for businesses navigating the obligation under the PDP Law to appoint a DPO. By affirming that each risk criterion stands independently, the Constitutional Court has removed a key source of ambiguity and simplified compliance expectations. The decision bolsters the establishment of a more robust data protection framework in Indonesia, balancing regulatory oversight with practical implementation. Businesses can now move forward with greater certainty, strengthening accountability in handling personal data.
However, the effective implementation of Article 53(1) of the PDP Law is still subject to the enactment of implementing regulations. Business undertakings require clear rules and guidelines as to how to interpret each condition under Article 53(1) of the PDP Law, such as:
What qualifies as “regular and systematic monitoring of Personal Data”; and
The threshold for “large-scale” processing of Personal Data.
Beyond the mandatory appointment of a DPO, businesses should also consider establishing a dedicated compliance function within their organization, to achieve an accountable, efficient, and organized state of compliance with the PDP Law.
By partner Agus Ahadi Deradjat (aderadjat@abnrlaw.com), foreign counsel Gustaaf Reerink (greerink@abnrlaw.com), senior associate Mahiswara Timur (mtimur@abnrlaw.com), associates Dhan Kaur (dkaur@abnrlaw.com), and Vanessa Nethania (vnethania@abnrlaw.com)
This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.
[1] Constitutional Court Decision No. 151/PUU-XXII/2024
[2] Although the Constitutional Court does not address this point in its own decision, Decision No. 151/PUU-XXII/2024 does indicate that the government’s interpretation of the scope of “public services” is limited to those related to state administration services, in accordance with Law No. 25 of 2009 on Public Services.
More Legal Updates
- 30 Oct 2025 New Local Content Rules: Key Changes Under MOI Regulation No. 35 of 2025
- 29 Oct 2025 OJK Issues Unified Fit-Proper Test Rules for Financial Sector Technology Innovation, Digital Financial Assets & Crypto Assets Sector
- 29 Oct 2025 ABNR Lawyers Earn Top Recognition in the 2025 Asialaw Rankings
- 29 Oct 2025 ABNR Achieves Top-Tier Recognition in the 2025 Asialaw Rankings
- 15 Oct 2025 Benchmark Litigation 2025: ABNR ranked Tier 1 in Commercial & Transactions
- 14 Oct 2025 Four ABNR partners featured in the 2025 Lexology Index (formerly Who’s Who Legal)
NEWS DETAIL
09 Oct 2025
Indonesian Constitutional Court Reinterprets Key Provision in Personal Data Protection Law
Indonesia’s Constitutional Court (Mahkamah Konstitusi or “MK”) recently issued a landmark decision on the criteria to appoint a Data Protection Officer (“DPO”), establishing clarity on the scope of the personal data protection framework under Law No. 27 of 2022 on Personal Data Protection (the “PDP Law”).[1]
I. The Original Legal Framework
The original Article 53(1) of the PDP Law requires a Personal Data Controller or Processor to appoint a DPO if:
- it processes personal data for public services[2];
- its core activities have such a nature, scope, and/or purpose that require regular and systematic monitoring of personal data on a large scale; and
- its core activities involve large-scale processing of specific/sensitive or crime-related personal data.
The coordinating conjunction “and” implies that the criteria are cumulative, meaning that all three criteria must be met to trigger the obligation to appoint a DPO.
A group of petitioners challenged Article 53(1) of PDP Law before the Constitutional Court, arguing that each criterion under Article 53(1) constitutes a high-risk activity and should therefore independently trigger the obligation to appoint a DPO. Applying a cumulative approach would affect proper oversight of personal data processing, they argued. The petitioners proposed changing “and” to “and/or”, so that the obligation to appoint a DPO would apply upon the fulfilment of any of the criteria listed under Article 53 (1) of the PDP Law, to strengthen oversight and align with the constitutional right to personal security (Article 28G(1) of the Amended 1945 Constitution).
The Government, however, maintained that the existing wording should already be read as an alternative requirement, meaning that satisfying any one of the criteria would be sufficient to trigger the obligation to appoint a DPO.
In its decision, the Court argued that using the coordinating conjunction “and” in Article 53(1) of the PDP Law creates legal uncertainty and undermines the PDP Law’s objective of ensuring adequate personal data protection Accordingly, it sided with the petitioners and decided that Article 53(1) of the PDP Law should be interpreted as using the coordinating conjunctions “and/or” — making each of the listed criteria sufficient to trigger the obligation to appoint a DPO.
II. Practical Implications and Recommended Actions
In light of the Constitutional Court’s decision, businesses that are involved in personal data processing activities, primarily as Personal Data Controllers, should immediately reassess their obligations under Article 53. Key steps include:
Risk Assessment – Review whether their core activities fall within any of the criteria under Article 53(1).
DPO Appointment – If any criterion is met, appoint a qualified DPO without delay to ensure compliance.
Policy Updates – Review and revise their internal data protection policies, procedures, and governance structures to reflect the expanded scope and ensure ongoing legal alignment.
Ongoing Compliance – Monitor regulatory updates and prepare for potential supervisory enforcement based on this new interpretation.
By acting proactively, businesses can strengthen their data protection posture, avoid compliance risks, and demonstrate accountability in handling personal data.
III. ABNR Commentary
This ruling provides much-needed clarity for businesses navigating the obligation under the PDP Law to appoint a DPO. By affirming that each risk criterion stands independently, the Constitutional Court has removed a key source of ambiguity and simplified compliance expectations. The decision bolsters the establishment of a more robust data protection framework in Indonesia, balancing regulatory oversight with practical implementation. Businesses can now move forward with greater certainty, strengthening accountability in handling personal data.
However, the effective implementation of Article 53(1) of the PDP Law is still subject to the enactment of implementing regulations. Business undertakings require clear rules and guidelines as to how to interpret each condition under Article 53(1) of the PDP Law, such as:
What qualifies as “regular and systematic monitoring of Personal Data”; and
The threshold for “large-scale” processing of Personal Data.
Beyond the mandatory appointment of a DPO, businesses should also consider establishing a dedicated compliance function within their organization, to achieve an accountable, efficient, and organized state of compliance with the PDP Law.
By partner Agus Ahadi Deradjat (aderadjat@abnrlaw.com), foreign counsel Gustaaf Reerink (greerink@abnrlaw.com), senior associate Mahiswara Timur (mtimur@abnrlaw.com), associates Dhan Kaur (dkaur@abnrlaw.com), and Vanessa Nethania (vnethania@abnrlaw.com)
This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.
[1] Constitutional Court Decision No. 151/PUU-XXII/2024
[2] Although the Constitutional Court does not address this point in its own decision, Decision No. 151/PUU-XXII/2024 does indicate that the government’s interpretation of the scope of “public services” is limited to those related to state administration services, in accordance with Law No. 25 of 2009 on Public Services.