Petitioners during the Decision Pronouncement Hearing of Case No. 151/PUU-XXII/2024 on the material judicial review of Law No. 27 of 2022 on the Personal Data Protection, Wednesday (30/7/2025). Photo by MKRI/Bay.

---

Jakarta (MKRI) – The Constitutional Court (MK) affirmed personal data as every citizen’s right, which must be protected maximally; hence, it cannot be used as an object that causes harm and contradicts principles of protection, prudence, and confidentiality to maintain the exclusivity of personal data privacy. This was conveyed in the legal considerations of Decision No. 151/PUU-XXII/2024 on the constitutional review of Article 53 paragraph (1) of Law No. 27 of 2022 on the Personal Data Protection (PDP Law) against the 1945 Constitution of the Republic of Indonesia.

“Personal data protection is an inseparable part of personal data protection rights as referred to in Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia,” Justice Arief Hidayat stated in the Decision Pronouncement Hearing on Wednesday, July 30, 2025.

Article 53 paragraph (1) of the PDP Law reads, “Personal Data Controller and Personal Data Processor shall appoint an official or officer who performs the function of Personal Data Protection in the case of (a) processing of Personal Data for the benefit of public services; (b) the core activities of the Personal Data Controller have the nature, scope, and/or purpose that require regular and systematic monitoring of large-scale Personal Data; and (c) the core activities of the Personal Data Controller consist of large-scale processing of Personal Data for specific Personal Data and/or Personal Data related to criminal offenses.”

The use of the word “and” as the conjunction in Article 53 paragraph (1) letter b of the PDP Law after the phrase “the core activities of the Personal Data Controller have the nature, scope, and/or purpose that require regular and systematic monitoring of large-scale Personal Data”, alarmed the Petitioners, who were afraid that personal data controller and processor in conducting personal data processing are only obliged to appoint personal data protection officers after they met all the criteria in letter a, b, and c, as they are considered as cummulative requirements.

Meanwhile, based on the legislator's intention in formulating the letters a, b, and c in the norms of Article 53 paragraph (1) of the PDP Law, they are intended as independent units. Hence, if one, two, or all criteria are met, the personal data controller and processor are obliged to appoint a special officer for data protection. Therefore, the Court holds that the correct formulation should be a cumulative alternative by using the phrase and/or, which is commonly used in formulating legislation as stipulated in point 90 in Annex II of Law No. 12 of 2011 on the Lawmaking Law.

This has addressed the concerns of data subjects due to the existence of high-risk personal data processing activities, ensuring that the protection and guarantees of the constitutional rights of data subjects are truly safeguarded. This is because personal data protection is an inseparable part of the right to personal data protection as referred to in Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia.

“Hence, the word ‘and’ in Article 53 paragraph (1) letter b of Law No. 27 of 2022 must be declared unconstitutional,” Justice Arief stated.

In the verdict, the Court grants the petitioners’ petition in its entirety by declaring that the word “and” in Article 53 paragraph (1) letter b of Law No. 27 of 2022 on the PDP Law is contrary to the 1945 Constitution of the Republic of Indonesia.

“And [it is] not legally binding conditionally as long as it is not interpreted as ‘and/or’,” Chief Justice Suhartoyo read out the verdict of Decision No. 151/PUU-XXII/2024.

Also read:

Personal Data Protection Law Challenged

Petitioners of Personal Data Protection Law Compare Regulations in Other Countries

Controller Must Protect Personal Data

President’s Expert Submits Written Testimony on Personal Data Protection Law Review

Petitioners of the case comprise Eric Cihanes (Petitioner I) and Garin Arian Reswara (Petitioner II). They question the phrase “and” at the end of the sentence of letter b in Article 53 paragraph (1) of the PDP Law related to the provision on the obligation of the personal data controller and processor in assigning an official or officer who performs the function of personal data protection (PPDP). They argued that the cumulative criteria for assigning PPDP have narrowed the scope of the data controller and data processor organization, which is obligated to assign PPDP. Hence, data controller and data processor organizations that only satisfy one or two criteria of the requirements provided in Article 53 paragraph (1) of the PDP Law are not obligated to assign PPDP. It is despite each criterion in each item in the article a quo being a criterion for personal data processing activities categorized as personal data processing that has a high potential risk to personal data subjects, which is also emphasized in Article 34 paragraph (2) of the PDP Law.

Penulis: Mimi Kartika
Editor: Lulu Anjarsari P.
Humas: Fauzan Febriyan

Translator: Rizky Kurnia Chaesario

Disclaimer: The original version of the news is in Indonesian. In case of any differences between the English and the Indonesian versions, the Indonesian version will prevail.

---