By Setyawati Fitrianggraeni, Reynalda Basya Ilyas, Aga Kristiana Silaen and Cassey Jovenia
Although compliance with Law Number 27 Year 2022 concerning Personal Data Protection (“PDP Law”) began in October 2024, learning how violation cases are handled and how actors are sanctioned is essential, as the risk of failure will realistically always be present. By examining precedent cases, actors can extract practical lessons for constructing their risk management. Under the PDP Law, controllers and processors are subject to administrative sanctions, criminal charges, and possible civil claims.
However, as compliance began only recently, there are not yet many cases directly concerning the PDP Law. Nevertheless, data protection is not regulated solely by the PDP Law: several other laws and regulations were promulgated long before it, among others Law Number 11 Year 2008 concerning Electronic Information and Transactions as last amended by Law Number 19 Year 2016 and Law Number 1 Year (“ITE Law”), Government Regulation Number 71 Year 2019 concerning Implementation of Electronic Systems and Transactions (“GR 71/2019”), and Ministry of Communication and Informatics Regulation Number 20 Year 2016 concerning Personal Data Protection in Electronic System (“MCIR 20/2016”).
Since the PDP Law was enacted, several criminal cases related to the law have been found. The cases found concern individual liability, as follows:
| Case Number | Defendant | Crime Description | Legal Provision Violated | Sentence |
| --- | --- | --- | --- | --- |
| 5/Pid.Sus/2023/PN Krg (16 March 2023) | Heri Irawan | Impersonated a police officer using a fake WhatsApp profile to solicit money. Victim suffered Rp10,000,000 loss. | Article 68 in conjunction with Article 66 of the PDP Law | 4 years imprisonment and a fine of Rp 1 billion |
| 77/Pid.Sus/2024/PN Tng (4 April 2024) | Raja Firdaus | Unlawfully used and sold 900 individuals’ personal data (Civil ID & Family Card) for SIM card registration. | Article 65 paragraph (3) in conjunction with Article 67 paragraph (3) of the PDP Law | 1 year 6 months imprisonment and a fine of Rp 50,000,000 |
| 78/Pid.Sus/2024/PN Tng (4 April 2024) | Andi Irma Malasari | Bought 900 individuals’ personal data and used it to register new SIM cards. | Article 65 paragraph (3) in conjunction with Article 67 paragraph (3) of the PDP Law | 1 year 6 months imprisonment and a fine of Rp 50,000,000 |
The cases involve individual misconduct, with no major corporate breaches yet. The sentencing lacks clarity on how penalties are determined, but criminal sanctions were applied even before the PDP Law’s grace period ended.
In the years since the PDP Law was enacted, no civil case has been granted or had its merits considered. Only two civil cases were found on the Supreme Court website and one through the Case Tracking Information System; all of them were declared inadmissible due to errors in formality, as follows:
| Case Number | Plaintiff | Defendant(s) | Claim/Decision | Court Decision |
| --- | --- | --- | --- | --- |
| 235/Pdt.G/2020/PN.Jkt.Pst | Komunitas Konsumen Indonesia | Ministry of Communication and Information (Defendant I), PT Tokopedia (Defendant II) | Plaintiff claims failure of Defendant I in supervising Defendant II’s data security leading to a data breach of Tokopedia users | Court ruled that the case should be filed in the Administrative Court due to lack of jurisdiction and dismissed the lawsuit |
| 615/Pdt.G/2023/PN Sby | Samsuduri | PT Bank Mandiri (Defendant I), Andriani Eka Diah (Defendant II) | Plaintiff claims Defendant I and II leaked personal data, violating banking and PDP laws | Court ruled Defendant I not liable; Plaintiff’s case rejected due to insufficient evidence |
| 396/Pdt.G/2018/PN JKT.SEL | Lembaga Pengembangan Pemberdayaan Masyarakat Informasi Indonesia (Plaintiff I) & Indonesia ICT Institute (Plaintiff II) | Facebook (Defendant I), Facebook Indonesia (Defendant II), Cambridge Analytica (Defendant III) | Plaintiffs claimed unlawful acts in data misuse/leak related to the Cambridge Analytica scandal | Court declared the class action illegitimate, appeal upheld by DKI Jakarta High Court |
Although related to personal data protection, none of these civil cases is based solely on the PDP Law; they rely on regulations that predate it. This means it is still possible, and likely, that civil disputes over personal data protection will be based on other related regulations.
Aside from cases that were examined and adjudicated by the courts, there are personal data protection failures reported on the official websites of the institutions concerned and in the news. In May 2023, a personal data protection failure (confidentiality breach, integrity breach, and availability breach) occurred at Bank Syariah Indonesia (“BSI”), which cooperated with authorities including the National Cyber and Encryption Agency (BSSN) to carry out a forensic investigation.[1] The Ministry of Communication and Information did not sanction BSI on the grounds of the PDP Law; however, it will give BSI a warning, improvement, and recommendation. It was stated that the PDP Law was not yet in effect at the time, so the sanction could not be imposed.[2]
In addition, in relation to the Facebook – Cambridge Analytica scandal, it was found that Cambridge Analytica had mined millions of Indonesian Facebook users’ data. This triggered a meeting between the Ministry of Communication and Information and Facebook’s representative in Indonesia in 2018. In the meeting, the Ministry demanded details of the classification of user data used by Cambridge Analytica and Facebook’s audit results on third-party apps. Under MCIR 20/2016, the Ministry issued a written warning.[3] These cases show that clear violations can still lead to sanctions from the Ministry of Communication and Information, even under pre-PDP regulations, meaning controllers and processors remain at risk.
Indonesia’s early data protection enforcement shows that while criminal sanctions under the PDP Law have been applied to individuals, civil cases have failed due to procedural issues, and no corporate liability has been tested. Regulators still impose sanctions based on pre-PDP regulations, highlighting that legal risk persists. These cases emphasize the need for proactive compliance and risk management by data controllers and processors.
Anggraeni and Partners, an Indonesian law practice with a worldwide vision, provides comprehensive legal solutions using forward-thinking strategies. We help clients manage legal risk and resolve disputes on admiralty and maritime law, complicated energy and commercial issues, arbitration and litigation, tortious claims handling, and cyber tech law.
S.F. Anggraeni
Managing Partner
Reynalda Basya Ilyas
Managing Associate
Senior Associate
Cassey Jovenia
Junior Associate