What is AI regulation in Indonesia?
Indonesia does not yet have a single AI Act. Instead, it regulates AI through a governance-led mix of soft law and existing digital law. The main AI-specific instrument is Ministerial Circular No. 9 of 2023 on AI Ethics, while binding duties mainly come from the Personal Data Protection Law, electronic systems rules, and sector regulation. ASEAN guidance also matters as a voluntary regional reference, and stronger presidential regulations are being drafted.
What this means
AI regulation in Indonesia is currently better understood as a layered governance framework than as one standalone statute. The ethics circular tells organisations how AI should be designed, managed and used. Existing hard law does the heavier legal work on privacy, security, breach handling, cross-border transfers and the treatment of people affected by automated processing.
So this is not just "AI ethics", and it is not just data protection either. In practice, Indonesian AI regulation is the combined effect of AI ethics guidance, personal data law, electronic systems law, and sector supervision. If you build, buy or deploy AI in Indonesia, that wider stack is what matters today.
Indonesia is also operating inside a regional ASEAN framework. ASEAN guidance is voluntary, but it gives a practical benchmark for risk assessment, human oversight, testing, documentation and transparency. At the same time, Indonesia is moving towards stronger national instruments through draft presidential regulations on AI ethics and a national AI roadmap.
Why it matters
This matters because many organisations assume there are no real AI duties until Indonesia passes a dedicated AI law. That is the wrong reading. If your AI system uses personal data, profiles people, supports high-stakes decisions, or runs through an app or platform that qualifies as an electronic system, you may already face binding duties on lawful basis, security, access rights, deletion, impact assessment, breach response and international transfers.
It also matters commercially. Buyers, founders, public bodies and advisers need to know whether a use case can be defended if questioned by a regulator, a customer, a partner or a court. In Indonesia, the practical test is less about fitting an AI system into a formal statutory risk class and more about whether you can show responsible governance, lawful data handling, documented controls and meaningful human accountability.
For cross-border businesses, Indonesia's approach also affects regional interoperability. The ASEAN framework pushes organisations towards common governance habits, while Indonesia's PDP regime adds enforceable local duties. That means a regional AI product cannot simply be copied into Indonesia without checking data handling, notices, review processes and local institutional expectations.
How it works
Current model
Indonesia's present architecture is governance first. It uses AI ethics guidance and national strategy work to steer behaviour, while binding duties sit in horizontal data and digital law. Official Komdigi legal material describes the current AI ethics circular as soft law with limited normative force, used to fill a gap while stronger instruments are prepared. That is why Indonesia is more accurately described as having an AI governance regime than a single AI code.
This model also builds on earlier strategy work, which started with the Strategi Nasional Kecerdasan Artifisial 2020-2045. Current policy activity is aimed at updating that direction through a national roadmap and an ethics instrument that can work across ministries and sectors.
The AI-specific instrument now in force
The main AI-specific text in force today is Surat Edaran Menteri Komunikasi dan Informatika Nomor 9 Tahun 2023 tentang Etika Kecerdasan Artifisial. It is addressed to business actors in AI programming activities and to public and private electronic system operators, usually referred to as PSEs. Its stated purpose is to guide internal policies on data and AI ethics and to give a shared ethical reference for consultation, analysis and programming based on AI.
The circular defines AI broadly and covers the full lifecycle, from research and product development to marketing and use. It sets nine headline values: inclusivity, humanity, security, accessibility, transparency, credibility and accountability, personal data protection, sustainable development and environment, and intellectual property. Those values are not just abstract. The circular expects organisations to build internal data and AI ethics policies, run education activity, guard privacy, manage risk and crisis, and disclose relevant information about AI development where needed to prevent harm.
One of the most important practical signals is its human-centred stance. The circular says AI should not be used as the sole policy maker or sole decision maker where human interests are at stake. For operators, that makes the Indonesian model quite clear even before a full AI statute exists: sensitive AI use should sit inside a human governance structure, not outside it.
The binding legal layer
The strongest legal duties currently come from Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi, usually called the PDP Law. The law was enacted in October 2022 and gave controllers, processors and other relevant parties up to two years to adjust, which means the pressure to demonstrate operational compliance increased sharply from 17 October 2024.
For AI systems, the PDP Law matters whenever personal data is collected, analysed, stored, matched, scored, transferred, displayed, corrected or deleted. It grants data subjects rights to access, correction, erasure, withdrawal of consent, restriction of processing, data portability, compensation claims, and objection to decisions based solely on automated processing, including profiling, where those decisions have legal effects or other significant effects.
For controllers, the most important operational duties are to identify a lawful basis for processing, hold evidence of consent where consent is relied on, record processing activity, protect the data, supervise processors and stop or restrict processing when valid requests are made. Consent is important, but it is not the only lawful basis. Indonesian law also recognises bases linked to contracts, legal obligations, vital interests, public tasks and other legitimate interests defined in the statute.
The PDP Law also contains a data protection impact assessment style duty. A controller must perform a high-risk assessment when processing could create significant risk for a data subject. The statute names several triggers that are highly relevant to AI, including automated decision making with legal or significant effects, processing of specific personal data, large-scale processing, systematic evaluation or scoring, dataset matching or combining, use of new technologies, and processing that limits the exercise of data subject rights.
There is also a DPO-style requirement. Controllers and processors must appoint a personal data protection function where processing is for public services, involves large-scale regular and systematic monitoring, or involves large-scale processing of specific personal data or personal data linked to criminal matters. The designated function must be able to advise on compliance, monitor it, support impact assessment work and act as a contact point.
Breach handling is another concrete AI duty. If a personal data protection failure occurs, the controller must notify affected data subjects and the relevant institutional authority in writing within 3 x 24 hours. Cross-border transfers are allowed, but the controller must first check that the receiving country or recipient offers equivalent or higher protection. If not, the controller needs adequate and binding safeguards, or failing that, the data subject's consent.
Enforcement under the PDP Law is real. Administrative sanctions can include written warnings, temporary suspension of processing, deletion or destruction of data, and fines of up to 2 percent of annual revenue or annual receipts. The law also contains criminal offences for unlawful collection, disclosure, use and falsification of personal data, including corporate liability in serious cases.
Electronic systems rules still apply
Many AI services in Indonesia also fall inside the older electronic systems regime, especially if they are delivered through apps, platforms, cloud-based services or other digital interfaces. Under Government Regulation No. 71 of 2019, electronic system operators must have governance policies, operating procedures and periodic audit mechanisms. They must also follow personal data principles, provide privacy-related information to users and maintain mechanisms for erasure or delisting in the cases covered by the regime.
This matters because the AI ethics circular itself is addressed to public and private PSEs. So an organisation can face a three-layered set of expectations at once: ethics guidance for AI, binding personal data duties under the PDP Law, and system governance duties under the electronic systems rules. In practical terms, this means product governance, privacy governance and AI governance should be designed together rather than in separate silos.
Institutions and supervision
Komdigi is the lead ministry for digital policy and is driving current AI rulemaking through its digital ecosystem structure, including the Directorate of Artificial Intelligence and New Technology Ecosystem. On the data side, the PDP Law envisages a dedicated institution established by the President and accountable to the President. That institutional design is important because it shows the law was intended to mature into a more formal enforcement structure than the transitional model Indonesia has today.
The transitional model is still important in practice. Komdigi's strategic and performance documents say the draft implementing government regulation for the PDP Law was sent to the President in October 2025, while the draft presidential regulation establishing the dedicated PDP body remained in harmonisation with a 2026 completion target. Until the body is formed, Komdigi says it continues to perform PDP functions in the digital sphere, while sector agencies supervise their own fields.
That transitional supervision is not theoretical. Komdigi's 2025 performance report says it followed up 130 findings of potential PDP violations involving 112 websites and 18 mobile apps belonging to registered electronic system operators. In other words, Indonesia's interim enforcement architecture is already active enough to matter to AI deployers.
ASEAN and regional interoperability
Indonesia's domestic model sits inside ASEAN's voluntary AI governance framework. The ASEAN Guide on AI Governance and Ethics is not binding law, but it is expressly designed to encourage alignment across member states and help organisations assess risk and design responsible controls. It focuses on internal governance structures, human involvement in AI-assisted decisions, operations management, data accountability, transparency and stakeholder communication.
That regional framing matters because Indonesia's own approach is visibly compatible with it. The Indonesian ethics circular stresses transparency, accountability, privacy, human-centred use and risk management. The PDP Law adds binding duties on privacy, automated decisions, impact assessment and security. Together they create a domestic structure that can already absorb many of the governance practices described in the ASEAN guide.
The expanded ASEAN guide on generative AI adds another useful signal. It is also voluntary, but it highlights accountability, incident reporting, testing and assurance, security and content provenance as growing regional priorities. Indonesia has not yet enacted a general AI-specific transparency statute, but organisations operating in Indonesia should still treat provenance, user notice, testing and incident logging as live governance issues rather than future extras.
What may change next
Indonesia is clearly moving from guidance towards stronger national instruments. Official Komdigi material shows work on two presidential regulations, one on AI ethics and one on the national AI roadmap. Inter-ministerial discussion on the ethics draft was active in February 2026, and Komdigi announced in May 2026 that both draft presidential regulations had completed cross-government discussion and were ready to be submitted for presidential issuance.
The practical implication is straightforward. The ethics circular and the PDP Law are not placeholders you can ignore until a future AI statute appears. They are the present operating baseline. The next phase is likely to formalise and deepen that baseline, not replace it from scratch.
There is still some uncertainty at the implementation level, especially around detailed PDP rules and the final institutional structure for supervision. But the broad direction is already confirmed: Indonesia wants AI adoption to expand, and it wants that expansion to sit inside documented governance, personal data protection and regionally interoperable norms.
Examples
Komdigi's interim privacy supervision already shows how current enforcement can touch AI deployers. In its 2025 performance report, the ministry said it followed up 130 potential PDP violations involving registered websites and mobile apps. For any organisation deploying AI through a digital service, that is a concrete example of how existing data and platform supervision can matter even before a dedicated AI law is enacted.
The ASEAN Guide on AI Governance and Ethics uses Gojek as an Indonesian illustration of responsible AI operations. The guide explains that Gojek tests machine learning models against predefined offline benchmarks before deployment, checks repeatability, and then continuously monitors live model performance after launch. That is a practical example of testing, documentation and monitoring behaviour that fits well with Indonesia's governance-led approach.
The state's own rulemaking process is also a real workflow example. Komdigi moved from consultations and white-paper work in 2025 to inter-ministerial drafting in early 2026, then announced in May 2026 that the ethics and roadmap draft presidential regulations had completed cross-ministry discussion. For readers trying to understand direction of travel, that sequence shows Indonesia moving from soft guidance toward stronger cross-government instruments without abandoning the existing governance-first model.
Common misunderstandings
"Indonesia already has an EU-style AI Act." It does not. Indonesia currently relies on ethics guidance plus existing data, digital and sector law, while stronger AI-specific presidential regulations are being prepared.
"The AI ethics circular is the same thing as binding AI legislation." It is not. The circular is an important governance document, but the binding legal duties today mainly come from the PDP Law, electronic systems rules and sector regulation.
"If an organisation gets valid consent, its AI use is compliant." Not necessarily. Consent is only one part of the picture. Organisations may still need security controls, impact assessment, a personal data protection officer or function, breach processes, transfer safeguards and human review for sensitive decisions.
"Indonesia has no rules on automated decisions." It does. The PDP Law gives people the right to object to decisions based solely on automated processing where legal or significant effects arise, and the AI ethics circular also pushes against using AI as the sole decision maker in human-sensitive matters.
"The ASEAN guide is binding in Indonesia." It is not. ASEAN's AI guides are voluntary, but they are still important because they shape regional expectations and help explain the direction Indonesia is taking.
Risks and boundaries
The biggest boundary is legal force. Indonesia's current AI ethics circular has limited normative force and no standalone sanction regime of its own. It is important because it signals how government expects organisations to behave, but it does not replace statutory duties or sector rules. If you stop at the circular and ignore data protection, platform governance, contracts or sector supervision, your compliance picture will be incomplete.
A second boundary is implementation uncertainty. The PDP Law plainly leaves several important details to government regulation, and the dedicated PDP body envisaged by the statute is still being set up through presidential regulation. Official ministry documents published in 2026 show that both the implementing PDP regulation and the institutional regulation were still part of an active transition. That means the broad architecture is clear, but some operational detail can still shift.
A third boundary is scope. Indonesia does not yet run a single cross-sector AI risk classification system with universal licensing, conformity assessment or one national transparency label for all AI systems. Sector-specific supervision still matters, and different use cases can pick up extra duties through finance, health, public administration, telecoms, consumer or child-protection rules. This article explains the general framework, not bespoke legal advice for a specific deployment.
What to do next
Map every AI system you build, buy or deploy in Indonesia, including training, fine-tuning, monitoring and user-facing features.
Classify where personal data enters the lifecycle, who acts as controller or processor, whether the service falls inside the PSE framework, and whether any cross-border transfer takes place.
Flag any use case involving profiling, scoring, large-scale monitoring, sensitive data, new technology or decisions that can significantly affect people. Those are the use cases most likely to require stronger review under the PDP Law and closer human governance under the AI ethics circular.
Confirm whether you need a personal data protection officer or function, and make sure that role can advise on impact assessment, review processors and coordinate incident response.
Adopt or refresh an internal AI policy that reflects Indonesia's ethics values, especially transparency, accountability, privacy, security, inclusivity and human-centred decision making. Support it with records that can actually be shown, such as lawful basis analysis, testing logs, review notes, escalation paths and breach playbooks.
Track the draft presidential regulations on AI ethics and the national AI roadmap, along with the still-important implementing rules for the PDP Law. Indonesia's system is evolving, but the safest position is to build governance that already works under the current stack.
FAQs
Does Indonesia have a dedicated AI law?
Not yet. Indonesia currently relies on a governance-led mix of AI ethics guidance, the PDP Law, electronic systems rules and sector regulation.
Is the AI ethics circular legally binding like a statute?
No. It is a ministerial circular with limited normative force, but it is still an important statement of expected governance and sits alongside binding law.
Which law matters most today if my AI system uses personal data?
The PDP Law is the key binding layer, especially for lawful basis, data subject rights, high-risk processing, security, breach notice, transfers and sanctions. Electronic systems rules can also apply.
Can AI make important decisions about people without human review in Indonesia?
That is risky. The PDP Law gives people the right to object to certain solely automated decisions, and the ethics circular says AI should not be the sole decision maker where human interests are at stake.
Are cross-border AI data transfers allowed?
Yes, but they are conditional. The sender must first assess whether the recipient offers equivalent protection, then use adequate and binding safeguards if needed, or obtain the data subject's consent if the earlier routes are unavailable.
Who supervises AI and data issues right now?
Komdigi is the main digital policy lead and currently performs key PDP functions in the digital sphere during the transition to a dedicated PDP body. Sector regulators still matter in their own fields.
Does ASEAN create binding AI obligations for Indonesian companies?
Not directly. ASEAN's AI guides are voluntary, but they are influential and useful for regional governance design, especially for organisations operating across Southeast Asia.
Should organisations wait for the draft presidential regulations before acting?
No. The current framework already creates practical duties and governance expectations. Waiting would leave obvious gaps in privacy, security, testing and accountability.
