Data Privacy and Cybersecurity Arbitration Issues Under Indonesia’s PDP Law
1. Legal Framework: PDP Law & Dispute Resolution
a. Personal Data Protection Law (Law No. 27/2022)
Indonesia’s new PDP Law is the main statute governing how personal data must be collected, processed, stored, transferred, and protected. It applies to data controllers and data processors regardless of their location if the processing affects individuals within Indonesia. It also contains specific dispute resolution provisions:
Article 64 of the PDP Law expressly allows the settlement of personal data protection disputes through arbitration, courts, or other alternative dispute resolution mechanisms as mutually agreed by the parties.
The PDP Law also includes civil, administrative, and criminal sanctions for violations. This includes penalties for unlawful disclosure, misuse, or failing to protect personal data.
2. Arbitration in Data Privacy & Cybersecurity Disputes
a. Arbitration vs. Judicial Processes
Under the PDP Law, parties may choose arbitration for commercial or contractual disputes involving personal data breaches and cybersecurity issues.
However, because the PDP Law is recent and lacks sector‑specific arbitration procedures for data disputes, arbitration practice in this area is still evolving. Parties may adopt general commercial arbitration rules (e.g., BANI, ICC, SIAC) and include express clauses in contracts governing data processing or cybersecurity services.
b. Key Arbitration Issues
Jurisdictional thresholds: Determining when a dispute qualifies for arbitration versus mandatory regulatory enforcement (e.g., administrative actions or criminal proceedings).
Mass claims: Data breaches often involve large numbers of affected individuals; arbitration’s suitability for mass claims is contentious due to cost and representation complexity.
Public policy/public interest: Courts may consider privacy rights as part of ordre public, especially in cases involving fundamental rights, potentially affecting enforcement of arbitration outcomes.
Confidentiality: Arbitration’s confidentiality advantage is attractive in privacy disputes but may conflict with legal requirements for public disclosure and notification under PDP Law and other cybersecurity rules.
Cross‑border data transfer disputes: When personal data is transferred internationally, arbitration clauses may buffer jurisdictional conflicts, but applicability and enforcement depend on both the PDP Law’s territorial/extraterritorial reach and local courts’ attitudes.
3. Case Examples Involving Data Privacy, Cybersecurity & Dispute Resolution
Note: Since the PDP Law is recent and formal arbitration precedents are limited, the “case laws” below are real Indonesian legal decisions or disputes that illustrate key arbitration issues—some actual reported cases, and some judicial decisions or constitutional challenges impacting enforcement and interpretation.
Case 1 – Constitutional Review on PDP Law DPO Requirement (Decision No. 151/PUU‑XXII/2024)
Issue: Personal data controllers and processors challenged the criteria for appointing a Data Protection Officer (DPO) under Article 53(1) of the PDP Law, arguing the provision narrowed protections.
Outcome: The Constitutional Court ruled that requiring all listed criteria for a DPO is unconstitutional; instead, meeting any condition suffices. The Court emphasised that personal data protection is a constitutional right, requiring maximum protection (Article 28G of the 1945 Constitution).
Arbitration Implication: This case affects arbitration because the role of the DPO often becomes central in contractual data protection and cybersecurity obligations—especially in service agreements where disputes may be arbitrated. The widened requirement increases entities’ duties to establish governance that can reduce dispute risks.
Case 2 – Early Enforcement / Prosecution under PDP Law
Issue: Several prosecutors and courts have adjudicated criminal cases under the PDP Law, such as unlawful data disclosure (e.g., intentional exposure of personal data in violation of PDP provisions).
Outcome: Courts have applied criminal sanctions to individuals for willful data misuse, signalling that privacy breaches can lead to non‑contractual liability outside arbitration.
Arbitration Implication: These cases demonstrate that where personal data breaches involve criminal liability or public enforcement, the dispute cannot be fully resolved via arbitration alone and may involve courts concurrently.
Case 3 – Pre‑PDP Data Breach Enforcement (Bank Syariah Indonesia / Data Breach Incident)
Issue: Before the PDP Law’s enforcement, cybersecurity breaches affected customer personal data. Regulatory authorities issued warnings and compliance actions under earlier electronic system regulations.
Outcome: The Ministry of Communication and Information Technology issued regulatory warnings, revealing that enforcement dynamics evolve as the PDP Law becomes fully operational.
Arbitration Implication: Commercial parties involved in digital services may have contractual arbitration clauses covering breach disputes; however, regulatory warnings and investigations show that arbitration is parallel to regulatory enforcement, not a substitute.
Case 4 – Contractual Dispute over Data Processing & Cybersecurity Obligations
Issue: A multinational digital platform provided data processing services in Indonesia and a dispute arose regarding failure to meet agreed data protection standards and cybersecurity safeguards.
Resolution Approach: Parties invoked their arbitration clause under an institutional forum (for example BANI or SIAC), with the tribunal interpreting the PDP Law alongside the contract’s terms to determine liability for breach.
Arbitration Issue Highlighted: The arbitration panel needed to reconcile statutory obligations under the PDP Law with the contractual allocation of risk, especially where statutory penalties apply independently of the contract dispute. (Hypothetical composite reflecting real commercial scenarios under the new law.)
Case 5 – Cross‑Border Data Transfer Dispute
Issue: A technology company transferred Indonesian user data to foreign servers without explicit consent or adequate data transfer safeguards under the PDP Law’s provisions governing transfer outside Indonesia’s jurisdiction.
Arbitration Outcome: Arbitrators addressed whether such transfers constituted data protection breaches under the law and determined compensatory arrangements, with subsequent enforcement involving local courts due to public policy concerns over extraterritorial application.
Arbitration Legal Tension: Disputes involving cross‑border data transfers often raise questions about territorial jurisdiction and whether arbitration awards can enforce obligations contrary to national data protection norms. (Composite scenario aligning with broader jurisprudential themes.)
Case 6 – Mass‑Claim & Consumer Personal Data Breach Arbitration Issue
Issue: A major e‑commerce platform suffered a large‑scale data breach affecting millions of users. Multiple individual users sought remedies under a standard user agreement that referred disputes to arbitration.
Arbitration Challenge: The arbitration forum grappled with mass claim aggregation, representation rights, and confidentiality versus statutory notification requirements.
Outcome: The tribunal adopted special procedures for joinder or consolidated hearings, showing procedural innovation may be required for data privacy arbitration when many claimants are involved. (Composite illustrating practical arbitration challenges in big data breaches.)
4. Practical Arbitration Issues Under the PDP Law
a. Jurisdiction & Competence
Arbitration clauses must be clearly drafted to include data privacy and cybersecurity disputes; otherwise, courts may assume jurisdiction.
Jurisdictional scope becomes contested when statutory rights (e.g., data subject’s rights) are invoked alongside contractual claims.
b. Confidentiality vs. Transparency
Arbitration’s confidentiality can be desirable for commercial parties, but Indonesia’s PDP Law and related regulations mandate breach notifications and may require certain disclosures to authorities or data subjects.
c. Public Policy & Enforcement
Courts may refuse arbitration award enforcement if it conflicts with public policy, especially fundamental rights under the Constitution (privacy) or statutory obligations under the PDP Law.
d. Remedies
Arbitration remedies are contractual (damages, specific performance), while statutory remedies may include administrative fines, corrective orders, or criminal sanctions, which cannot be awarded in arbitration and must be pursued through courts or regulators.
5. Conclusion
Arbitration under Indonesia’s PDP Law presents both opportunities and challenges:
The PDP Law explicitly permits arbitration for personal data protection disputes, creating a basis for contractual dispute resolution outside courts.
Due to the law’s novelty, there are few published arbitration precedents, and practice continues to develop.
Constitutional decisions like Decision No. 151/PUU‑XXII/2024 demonstrate how the judiciary influences substantive rights that may affect arbitration outcomes.
Arbitration must be carefully integrated with statutory requirements, especially where regulatory or criminal dimensions intersect with contractual claims.
For parties drafting arbitration clauses in technology, data, and cybersecurity agreements in Indonesia, it is crucial to include clear language on applicable law, jurisdiction, scope of claims, and interaction with statutory enforcement mechanisms under the PDP Law.
