This article examines Indonesia’s public policy on personal data protection in light of Law No. 27/2022, which mandates the establishment of an independent Personal Data Protection Authority (PDP Authority). Despite this legal requirement (Article 58 UU PDP), no such institution has been formed. As a result, there is currently no supervisory authority with the mandate to audit compliance, impose administrative sanctions, or resolve data protection disputes. Enforcement of the law has thus remained reactive rather than preventive, with violations prosecuted only after harm occurs. Experts warn that without a strong implementing agency, deterrence is weak: administrative sanctions cannot be effectively applied, and unpunished violations continue unchecked. Cybersecurity analysts even describe this gap as a national digital protection crisis, as personal data leaks (e.g., millions of citizens’ records exposed in recent breaches) continue unabated. Using a normative legal research approach and literature review, this study analyzes how the lack of the mandated PDP Authority undermines the effectiveness of data protection in Indonesia. The article reviews relevant legal theory on regulatory independence and deterrence, and draws comparisons with international best practices (e.g., EU/GDPR). We find that the absence of the agency creates serious implementation gaps, and we urge the government to immediately form the PDP Authority and clarify its powers.
Copyrights © 2026