Valid Consent Required for Personal Data Processing

Constitutional Justice Arsul Sani reading out the Court’s legal considerations at the ruling hearing for the judicial review of Law No. 27 of 2022 on Personal Data Protection, Monday (3/2/2026). Photo by MKRI/Ifa.


JAKARTA (MKRI) — The Constitutional Court dismissed a petition for the judicial review of Article 20 paragraph (2) letter a of Law No. 27 of 2022 on Personal Data Protection (PDP Law) filed by advocate Zico Leonard Djagardo Simanjuntak. The Court also reaffirmed that personal data processing may only be carried out based on valid consent from the personal data subject.

“The law a quo has in fact clearly stipulated that personal data processing may only be conducted upon obtaining valid consent from the personal data subject. This requirement constitutes one of the forms of personal data protection whose implementation must be ensured by the personal data controller under the law a quo,” said Constitutional Justice Arsul Sani while reading out the Court’s legal considerations in Decision No. 284/PUU-XXIII/2025 on Monday, March 2, 2026, in the plenary courtroom of the Constitutional Court in Jakarta.

Arsul explained that the valid consent referred to in Article 20 paragraph (2) letter a of the PDP Law cannot be obtained arbitrarily by a personal data controller from the data subject. The law sets strict conditions requiring controllers to first provide comprehensive information to the personal data subject regarding the legality and purpose of the data processing, the types and relevance of the data to be processed, the retention period for documents containing personal data, details of the information collected, the duration of the processing, as well as the rights of the personal data subject.

Furthermore, if there is any change to the information, the personal data controller must notify the data subject prior to implementing such changes. Valid consent as the legal basis for personal data processing must be given either in written or recorded form and may be conveyed electronically or through non-electronic means.

Therefore, any processing of personal data by a personal data controller must be conducted in a limited and specific manner in accordance with the purposes determined at the time the data were collected. Such processing must also be lawful and transparent by ensuring that the personal data subject is aware of what data are being processed and how the processing is carried out. Under the PDP Law, the use of personal data belonging to individuals has been explicitly restricted and may not be arbitrarily used by controllers, as every instance of processing must correspond to the purposes consented to by the data subject, the rightful owner of the personal data.

Consequently, the phrase “valid consent” in Article 20 paragraph (2) letter a of the PDP Law serves to guarantee legal certainty in the protection of personal data. As such, the provision does not contravene Article 28D paragraph (1) and Article 28G paragraph (1) of the 1945 Constitution. If a contractual clause requesting personal data processing fails to explicitly include valid consent from the personal data subject, the agreement is deemed null and void by operation of law.

The petition stemmed from an incident in which Zico’s personal data were allegedly used without his consent to submit online loan applications that he had never made. The incident caused financial losses, compromised his sense of security, consumed considerable time and effort, and adversely affected his financial reputation through credit scoring records.

The petitioner suspected that the incident occurred after he had submitted personal data, including a photograph and a scanned copy of his identity card (KTP), as part of the requirements for processing a credit card application through credit agents.

Zico subsequently filed a lawsuit against the online loan provider, which eventually led to a settlement offer from the opposing party. During the legal proceedings, he discovered that the same company had previously been sued twice by other individuals who experienced similar misuse of their personal data.

“I have the privilege of having a legal background as an advocate. Yet even I, with knowledge of the law, had to go through a complicated legal process. What about people who do not have a legal background?” Zico said.

For this reason, the petitioner sought a judicial review of Article 20 paragraph (2) letter a of the PDP Law, which stipulates “explicit valid consent from the Personal Data Subject for one or several specific purposes communicated by the Personal Data Controller to the Personal Data Subject.” According to the petitioner, the provision fails to clearly define what constitutes valid consent, allowing broad interpretations, including the use of click boxes that could potentially be completed by anyone, even someone other than the legitimate data subject.

The petitioner further argued that the state has not yet provided adequate authentication infrastructure to protect citizens from personal data misuse. Therefore, the mandatory use of certified Electronic Signatures (TTE) is urgently needed to safeguard citizens’ constitutional rights. Certified electronic signatures would also provide a clearer accountability mechanism.

In cases of authentication failure or identity misuse, responsibility would no longer rest entirely on the customer, but could be apportioned proportionally among Electronic Certification Providers that guarantee identity validity through electronic certificates. In this way, legal protection would function not only as a repressive mechanism after losses occur but also as a preventive safeguard.

In his petition, the petitioner requested the Court to declare Article 20 paragraph (2) letter a of the PDP Law unconstitutional and conditionally not legally binding unless interpreted as requiring “explicit valid consent from the Personal Data Subject for one or several specific purposes communicated by the Personal Data Controller to the Personal Data Subject, and in the case of personal data processing with high potential risk conducted through electronic systems, such consent must be provided using an Electronic Signature secured with an Electronic Certificate in accordance with statutory regulations.”

Explore The Case: Case No. 284/PUU-XXIII/2025

The Complete Decision: Decision No. 284/PUU-XXIII/2025

Author: Mimi Kartika
Editor: N. Rosi
Translator: Yuanna Sisilia

Disclaimer: The original version of the news is in Indonesian. In case of any differences between the English and the Indonesian versions, the Indonesian version will prevail.

 


Monday, March 02, 2026 | 15:22 WIB