Indonesia’s PDP law and social listening: what buyers need to know in 2026

Indonesia’s Personal Data Protection Law (Law No. 27/2022) finished its two-year transition period in October 2024. Every organisation that processes personal data in Indonesia is now expected to comply. Yet the landscape remains unusually uncertain: the supervisory PDP Agency has not been established, the implementing regulation is still undergoing harmonisation, and a January 2026 omnibus law on criminal provisions (Law No. 1/2026) revised penalty clauses across multiple statutes, including the PDP Law. For social listening buyers, this creates a compliance environment where the obligations are clear but the enforcement infrastructure — and some of the finer regulatory detail — is still taking shape.

What the PDP law requires

The PDP Law establishes comprehensive data protection requirements modelled on GDPR principles but adapted for Indonesia’s context. Key provisions affecting social listening include purpose limitation (data can only be processed for stated purposes), storage limitation (data cannot be retained beyond the period necessary), data subject rights (including access, correction, and deletion), cross-border transfer requirements, and data breach notification.

The consent framework is thorough. Data controllers must provide clear information about the purpose of processing, the type of personal data collected, and the retention period before obtaining consent. For social listening, this means organisations cannot simply begin monitoring Indonesian social media without establishing a documented legal basis.

A notable feature of the PDP Law is that it does not appear to provide an explicit exemption for publicly available data — a distinction from Singapore’s PDPA, which does include such a carve-out. Many legal commentators have interpreted this to mean that even public posts on platforms like Facebook, TikTok, and X are considered personal data when they can be linked to identifiable individuals, bringing aggregation, analysis, and storage of such data under PDP Law obligations. However, the implementing regulation has not been finalised, and no supervisory authority exists yet to issue authoritative guidance on this point. Organisations should work with local legal counsel to assess how this provision applies to their specific social listening activities, as the regulatory position may become clearer once the PDP Agency is operational.

The absence of the supervisory agency creates practical uncertainty more broadly. Organisations are expected to comply with the law’s requirements, but there is no regulatory body to issue guidance, respond to queries, or enforce compliance. This vacuum has led many organisations to adopt a wait-and-see posture — a strategy that carries real risk when the agency becomes operational and begins reviewing existing data processing practices.

The enforcement horizon

The PDP Agency is expected to become operational in 2026–2027. The draft Presidential Regulation establishing the Agency has gone through multiple harmonisation rounds. Legal experts anticipate the Agency will prioritise establishing its organisational structure, issuing implementing guidelines, and building enforcement capacity before pursuing widespread enforcement actions.

When enforcement begins, the Agency will likely focus initially on high-profile cases involving large-scale data processing, cross-border transfers, and sector-specific complaints. Social listening — which involves processing volumes of personal data from public and semi-public sources — is the type of activity that could attract regulatory attention.

It is worth understanding the penalty structure clearly. The PDP Law sets criminal fines for individuals at up to IDR 4–6 billion depending on the offence, with corporate penalties multiplied by up to ten times the individual amount. The highest corporate criminal fine — IDR 60 billion (approximately USD 3.68 million) — applies specifically to the offence of creating false or fake personal data. Other violations carry lower but still substantial corporate maximums: up to IDR 50 billion for unlawful collection or use of personal data, and up to IDR 40 billion for unlawful disclosure. Administrative fines of up to 2% of annual revenue apply separately. Beyond monetary penalties, courts can order confiscation of profits, suspension of business operations, licence revocation, or even corporate dissolution.

Separately, Law No. 1/2026 — an omnibus law on criminal provisions dated 2 January 2026 — adjusted criminal sanction clauses across several Indonesian statutes, including the PDP Law. This is part of a broader legislative programme on criminal law reform rather than a targeted amendment to data protection specifically, but it reflects ongoing legislative attention to the penalties framework.

For social listening buyers, the compliance imperative is clear: build governance frameworks now, while there is time to implement them properly, rather than scrambling to comply once enforcement begins.

Practical compliance steps for social listening

The compliance approach should address four areas specific to social listening operations. The guidance below reflects Isentia’s interpretation of the current regulatory landscape and should not be treated as legal advice. We strongly recommend engaging qualified Indonesian legal counsel to develop a compliance strategy tailored to your organisation.

Document your lawful basis for processing: Given the apparent absence of a publicly available data exemption, many legal practitioners point to legitimate interest as a potentially viable basis — that the organisational benefit of social listening outweighs the potential adverse effect on data subjects. This would require a documented legitimate interest assessment for each monitoring programme. However, as the PDP Agency has not yet issued guidance on how lawful bases should be applied in practice, this approach should be validated with local counsel and revisited as regulatory guidance emerges.

Implement retention policies: Social listening platforms that store historical data indefinitely create compliance risk. Define retention periods based on actual analytical needs and configure your platform to enforce them.

Establish access controls: Restrict access to social listening data to personnel who have a documented need. Maintain audit trails for data access and use.

Prepare for cross-border transfers: If your social listening vendor stores or processes data outside Indonesia, document the transfer arrangements and ensure adequate protection in recipient jurisdictions.

How Isentia supports PDP law readiness

Pulsar Group — Isentia’s parent company — holds ISO/IEC 27001:2022 certification for information security management and ISO 9001 certification for quality management, covering its portfolio of brands including Isentia. These independently audited certifications provide a compliance foundation for buyers who need to demonstrate that their vendors meet recognised international standards for data security and operational quality.

The Pulsar platform offers configurable retention periods, role-based access controls, and audit trails that support the kind of documentation the PDP Law requires. While no platform can guarantee regulatory compliance on its own — compliance is ultimately an organisational responsibility — these capabilities give social listening buyers the technical controls needed to implement a defensible governance framework.

Frequently asked questions

Does Indonesia’s PDP Law exempt publicly available social media data?

The PDP Law does not contain an explicit exemption for publicly available data, unlike Singapore’s PDPA. Most legal commentators interpret this to mean that public social media posts linked to identifiable individuals are considered personal data. The implementing regulation and future PDP Agency guidance may provide further clarity.

When will the PDP Agency begin enforcement?

The PDP Agency is expected to become operational in 2026–2027. The implementing regulation is undergoing harmonisation, and the Agency will need to establish its structure and issue guidelines before widespread enforcement begins.

What are the maximum penalties under the PDP Law?

Corporate criminal fines range from IDR 40 billion to IDR 60 billion depending on the offence, with the highest figure applying to the creation of false personal data. Administrative fines of up to 2% of annual revenue apply separately. Additional sanctions can include asset confiscation, business suspension, and corporate dissolution.

Disclaimer: This blog is for informational purposes only and does not constitute legal advice. Indonesia’s PDP Law regulatory environment is evolving, and organisations should consult qualified Indonesian legal counsel for guidance specific to their circumstances.


The post Indonesia’s PDP law and social listening: what buyers need to know in 2026 appeared first on Isentia.
