This article examines the development, structure, and remaining weaknesses of Indonesian cybercrime and personal data protection law in comparison with selected international regulatory standards. The urgency of the study arises from the rapid growth of digital services, cross-border electronic evidence, data breaches, online fraud, phishing, and AI-enabled cybercrime, while Indonesia's regulatory framework is still distributed across the Electronic Information and Transactions Law, the Personal Data Protection Law, electronic system regulations, and institutional cybersecurity mandates. Using a normative juridical method supported by systematic legal literature review and comparative legal analysis, the study evaluates Indonesian law against the GDPR, the Budapest Convention, the NIS 2 Directive, ASEAN cybersecurity cooperation instruments, and comparative models from Singapore and Australia. The findings show that Indonesia has moved beyond a legal vacuum, especially after Law Number 27 of 2022 and Law Number 1 of 2024, but still faces gaps in institutional independence, cyber incident reporting, cross-border cooperation, digital evidence procedures, risk-based obligations, and integrated supervision. The article argues that reform should prioritize harmonization among cybercrime, data protection, and cybersecurity governance instruments; establishment of a strong personal data protection authority; clearer incident-reporting duties; and structured international cooperation for electronic evidence and transnational enforcement. The novelty of the study lies in integrating cybercrime enforcement and data protection analysis into one regulatory-harmonization framework rather than treating them as separate legal regimes.
Copyrights © 2026