This study examines the Indonesian government’s accountability for the 2024 Taxpayer Identification Number (NPWP) data breach and evaluates the implementation of personal data protection obligations under the Personal Data Protection Law (PDP Law). Using a normative legal research method with statutory, conceptual, and case-based approaches, the study finds that the Directorate General of Taxes (DGT) has not fully met its duties as a Personal Data Controller. The large-scale breach, involving more than six million records, reveals weaknesses in access control, Data Protection Impact Assessments (DPIAs), privacy-by-design practices, and breach notification procedures. The PDP Law provides administrative, civil, and criminal liability mechanisms for negligent actors, all of which may be applied cumulatively. The findings indicate a significant gap between legal norms and administrative practice, undermining public trust and limiting the effectiveness of the PDP Law in safeguarding personal data.
Copyright © 2026