Rizky Fadilah and three other Petitioners delivering the revised petition of Case No. 133/PUU-XXIV/2026 on the personal data protection. Photo by MKRI/Fauzan.

---

Jakarta (MKRI) – The Constitutional Court held a material hearing of Article 62 paragraph (2) of Law No. 27 of 2022 on the Personal Data Protection (PDP Law) on Tuesday, May 5, 2026, to examine the revised petition of Case No. 133/PUU-XXIV/2026. The Petitioners submitted additional evidence regarding the loss caused by the data breach risk arising from the enactment of the article under review.

“Statement from the Bank Syariah Indonesia (BSI) when in 2023, the bank experienced a cyber attack, affecting all of its costumers,” Muhammad Rizky Fadillah stated, alongside Muhammad Fakhri Hadisyah Putra, Fairuz Najwa Sahara Tanjung, and Dela Puspita Ainnur Fadillah at the Courtroom, Jakarta.

Rizky, who has been a BSI customer since 2019, stated that the cyber attack had caused the banking service to be unavailable. Although the BSI ensured that its customers’ data were secure, there was no guarantee of transparency or protection for Petitioners’ personal data; this created uncertainty and vulnerability regarding personal data safety.

Petitioners also submitted evidence on the National Health Insurance (BPJS Kesehatan) data leak. They argued that this case demonstrates the vulnerability of personal data protection in healthcare.

“There is also additional evidence on the comparison in several countries,” Rizky added.

Petitioners stated that the petitum has also been revised. They request the Court to declare Article 62 paragraph (2) of the PDP Law contradicts the 1945 Constitution of the Republic of Indonesia and has no legally binding force, conditionally as long as it is not interpreted as “International cooperation in personal data protection is only carried out as long as it guarantees the equal or higher level of protection of the personal data protection standard in Indonesia, based on the consent of the subject of the personal data, and in particular cases, submit to the oversight mechanism based on the principle of human rights protection.”

Also read:

Reciprocal Trade Between Indonesia and the US Deemed to Risk Personal Data Abuse

During the preliminary hearing on Wednesday, April 22, 2026, the petitioners stated that the petition was submitted following the signing of the Reciprocal Trade Agreement between Indonesia and the United States. The agreement is considered to increase the risk of personal data abuse by foreign parties not subject to Indonesian law, given the lack of government oversight of personal data protection.

They challenge Article 62 paragraph (2) of the PDP Law, which reads “international cooperation in the implementation of this law shall be carried out in accordance with the provisions of statutory regulations and the principles of international law”. They believe that the article contradicts Article 28G paragraph (1) of the 1945 Constitution of the Republic of Indonesia, which reads “Every person has the right to protection of self, family, honor, dignity, and their property, and has the right to security and protection from threats of fear to exercise or not to exercise his human rights.”

Petitioners contended that norm uncertainties have led to reductionist interpretations of personal data transfers as merely administrative procedures within the framework of international cooperation, including in the context of international trade, such as the Regional Trade Agreement (RTA), which enables cross-jurisdictional transfers. They argued that, in essence, personal data is an integral part of human rights, entitled to every person and indispensable to the rights of protection of self, honor, and a sense of security.

Petitioners believe that treating personal data transfers as merely an administrative issue undermines the constitutional value of personal data protection, as it should be part of the human rights regime rather than an object of economic and trade activities. This argument is strengthened by the absence of the “human rights” term in the body of the norm, which has led to a tendency to treat personal data as an object that can be exchanged without adequate protection standards.

This condition directly harms the Petitioners because their personal data, which should be highly protected by the state, may be transferred outside Indonesian jurisdiction without adequate safeguards, due to the absence of restrictions in the formulation of the norm.

Case tracking: Petition No. 133/PUU-XXIV/2026 (in Indonesian)

Author: Mimi Kartika
Editor: Lulu Anjarsari P.
PR: Andhini S.F.

Translator: Rizky Kurnia Chaesario

Disclaimer: The original version of the news is in Indonesian. In case of any differences between the English and the Indonesian versions, the Indonesian version will prevail.

---