Decentralized Autonomous Organizations (DAOs), which operate through smart contracts without a legal entity, pose a fundamental challenge to cross-border data protection regimes. Following the enactment of Government Regulation in Lieu of Law No. 1 of 2024 amending the Personal Data Protection Act, enforcement mechanisms in Indonesia still rely on identifying “Personal Data Controllers” in the form of corporate or natural persons. When the flow of Indonesian citizens’ data becomes the subject of criminal acts by a DAO into a non-equivalent jurisdiction, an absolute liability gap arises because there is no legal entity that can be sanctioned. This normative legal research employs a legislative, conceptual (cyber jurisdiction), and comparative approach, drawing on the legal frameworks of the European Union (GDPR) and Wyoming (DUNA). The study finds that conventional mechanisms suffer from structural failures. To address this issue, the study proposes a hybrid law enforcement mechanism: first, the application of proxy liability to key actors (core developers) as de facto data controllers; second, a regulatory mandate for a “legal wrapper” under the implementing regulations of the Personal Data Protection Act, requiring DAOs to have a legal representative in Indonesia as a prerequisite for cross-border data transfers, with on-chain access blocking via ISPs serving as a last resort.
Copyrights © 2026