Personal data leakage of debtors in online loan transactions in Indonesia has become a structured crime with systemic impacts on privacy rights and consumer protection. Although Indonesia has Law No. 27 of 2022 on Personal Data Protection, Law No. 19 of 2016 on ITE, and OJK regulations, the gap between legal norms and law enforcement practices remains very wide. This study aims to critically examine the construction of criminal liability against perpetrators of debtor personal data leakage and formulate a firm and applicable enforcement model. The method used is normative legal research with statutory, conceptual, and case approaches. The findings reveal that the weakness of criminal enforcement is caused by three main challenges weak coordination between law enforcement agencies and OJK, difficulty in proving mens rea due to limited digital evidence, and regulatory overlap between the PDP Law and the ITE Law. This study concludes that a complete construction of criminal liability requires identification of four categories of perpetrators (corporations, directors, internal employees, debt collectors), evidentiary standards distinguishing intent from negligence, and sanctions combining repressive and restorative elements in the form of quick compensation to victims.
Copyrights © 2026