Yes, there are four main regulations that govern data privacy in Indonesia: (i) Law No. 27 of 2022 on Personal Data Protection ("PDP Law"); (ii) Law No. 11 of 2008 as amended by Law No. 19 of 2016 on Electronic Information and Transactions; (iii) Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions; and (iv) Minister of Communication and Informatics Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems. While the PDP Law is effective as of its enactment date, it provides a two-year transitional period for parties to adjust their data privacy practices to comply with the PDP Law. The government will also use this two-year period to prepare and issue the implementing regulations mandated by the PDP Law and to establish the data protection authority that will oversee and monitor the implementation of the PDP Law.
The PDP Law introduces some new concepts such as the categorization of general and specific personal data, the concept of data controller and data processing, the lawful basis to use personal data besides express consent from data subjects, the strict requirement to notify if there has been a data breach, and new requirements regarding the transfer of personal data outside of Indonesia.
Prior to the PDP Law, enforcement of data protection regulation in Indonesia focused more on the platform operator that collects personal data from users, and there was no distinction between a data controller and a data processor. The PDP Law now introduces both concepts. A data controller is every person, public agency and international organization that acts individually or jointly in exercising control over the processing of personal data, while a data processor is every person, public agency and international organization that acts individually or jointly in processing personal data on behalf of a data controller.
Generally, these regulations require electronic system operators to maintain the confidentiality of personal data, by not sharing it with any third party unless the requisite consent is obtained.
Additionally, electronic system operators (such as a cloud service provider) must implement the following personal data protection principles when processing personal data:
The PDP Law has added a further requirement to the personal data protection principles that "personal data processing is carried out responsibly, and which can be clearly proven."