<![CDATA[Indonesia is facing a personal data protection crisis, as cases of sensitive information leaks from various public institutions continue to increase. Although Law No. 27 of 2022 on Personal Data Protection has been enacted, recurring incidents, such as the hacking of eHAC, BPJS Kesehatan, PeduliLindungi, and ransomware attacks on the National Data Center, demonstrate a weak implementation at the institutional level. This research aims to identify and analyze the forms of institutional dysfunction in personal data protection in Indonesia. This research uses a qualitative approach with a descriptive-analytical design, relying on data from literature studies, documentation, online media news, and in-depth interviews with informants from government institutions, academics, and digital rights activists. The research findings indicate that there are three primary forms of institutional dysfunction: weak formal structures, a bureaucratic culture that is unresponsive, and limited technical capacity. The absence of independent oversight institutions, overlapping inter-agency authorities, and minimal public accountability exacerbate this situation. These findings are analyzed using the new institutional theory, which emphasizes the importance of internal norms and the logic of appropriateness in institutional behavior. This research contributes to filling the gap in digital law studies in Indonesia by highlighting the role of institutional culture and legal politics in explaining the failure of data protection. In conclusion, adequate personal data protection is not sufficient with formal regulations alone, but requires institutional reforms that address structural and cultural aspects, as well as the establishment of an independent supervisory authority that is adaptive to digital threats.]]>
Copyrights © 2025
