Regulating Data in India & Indonesia


The policy report covers how India and Indonesia have sought to regulate data. Booming digital economies in both countries have created demands to develop legislative frameworks to regulate data – how data is collected, processed, stored, and shared. Rules governing data will significantly influence the development course and growth of India and Indonesia’s digital economies.

Politics around data regulations, however, have remained fitful in both countries. India has been hurtling toward creating a new policy framework and law to manage data, with differences around what data is, how organisations should handle it, and how the government should regulate this divide. So far, Indonesia has governed data through a patchwork of different sectoral regulations issued by separate agencies. This fragmented landscape could soon give way to a new, comprehensive law on personal data protection. Once operational, the remit and writ of legislations in both countries will likely be deep and so will the impact it will have on privacy and citizen’s rights, the state’s role in governing data, and digital innovation trends in India and Indonesia.

In both countries, draft legislations have been influenced by the European Union’s General Data Protection Regulation (GDPR) framework, a user-centred data protection approach imbued with notions of consent and accountability. These user-centric data governance ideas are balanced by a preference for a statist approach toward data regulation in both countries that underscores sovereignty at the expense of privacy. The critical challenge will be to see how new data laws in both countries will balance these two irreconcilable objectives.

Another key challenge concerns the implementation and enforcement of these data laws once enacted. Provisions call for a new regulator(s) to manage and oversee issues under the burgeoning data remit. But questions remain on the independence of the future data regulators and whether they will be able to exercise judgment and mediate conflicts, keeping in mind various public and private interests. There are also questions concerning coordination and capacity – will firms and public organisations have the necessary staff to manage queries concerning data and be responsible for compliance? Both countries will have to manage and overcome expected institutional deficits once their data legislations are enacted, and regulators created. Finally, the politics around data in both countries will complicate effective regulation and enforcement – privacy activists and related civil society organisations will likely pressure governments to enact strong laws that balance both privacy and accountability without sacrificing these priorities at the altar of state control.


Aishwarya Natarajan

Aishwarya Natarajan bild

Programm-Managerin (TechLaw Policy)

aishwarya.natarajan@kas.de +65 6603 6171