<![CDATA[The rapid development of information and communication technology has led to an increased use of electronic systems for managing personal data across various sectors, both public and private. Alongside this progress, the risk of personal data breaches has also risen, potentially causing material and immaterial losses and threatening individuals’ privacy rights. This study aims to analyze the regulation of criminal liability for personal data breaches by electronic system providers and to examine the application of such liability within the framework of Law Number 27 of 2022 concerning Personal Data Protection. This research employs a normative juridical method by analyzing legal norms contained in legislation, legal doctrines, and relevant scientific literature related to personal data protection and criminal law. The results indicate that the Personal Data Protection Law provides a comprehensive legal framework governing the rights of data subjects, the obligations of data controllers, and criminal sanctions for unlawful acts such as obtaining, disclosing, or using personal data without authorization. Criminal liability may arise if the elements of unlawful conduct and fault whether intentional or negligent are established. Furthermore, criminal liability for personal data breaches can be imposed on both individuals and corporations. Individual liability applies to parties who directly commit unlawful acts, while corporate liability may arise when breaches occur due to weak internal policies, inadequate security systems, or negligence in the management of personal data. However, the enforcement of criminal liability still faces several challenges, including difficulties in proving fault and causation, technological complexity, limited law enforcement capacity in digital forensics, jurisdictional issues in cross-border cases, and the lack of standardized technical security measures. In conclusion, although the legal framework governing criminal liability for personal data protection in Indonesia is relatively adequate, its effectiveness depends on stronger implementation, clearer technical regulations, and improved compliance among electronic system providers.]]>
