Volume 6.
Number 2, 2025 https://ijble.
com/index.
php/journal/index Reforming Criminal Procedure to Regulate Deferred Prosecution Agreements for Corporate Personal Data Breaches in Indonesia Jeffarel Hidayat1.
Setiawan Noerdajasakti2 Faculty of Law.
Brawijaya University.
Malang Indonesia.
jeffahidayat4@gmail.
com, setiawan.
sakti@ub.
ABSTRACT
This research explores the urgency and legal formulation of implementing Deferred Prosecution Agreements (DPA) for corporations involved in personal data breaches, and its relevance to the reform of IndonesiaAos Criminal Procedure Code (KUHAP).
The study is motivated by the increasing number of high-profile data breach cases in Indonesia such as those involving Tokopedia.
BPJS Kesehatan, and PLN which highlight the weaknesses in law enforcement mechanisms and inadequate victim protection.
The findings reveal that IndonesiaAos criminal justice system, which strictly adheres to the principle of legality, lacks procedural flexibility to handle corporate crime through restorative and preventive In contrast.
DPAs have been effectively implemented in various jurisdictions .
, the United States and the United Kingdo.
to promote corporate accountability, facilitate victim compensation, and support economic sustainability.
This study applies a normative juridical method combined with statutory, comparative, and conceptual approaches, and critically examines the Personal Data Protection Act (Law No.
27 of 2.
The research identifies a regulatory gap in KUHAP, which does not currently accommodate restorative mechanisms such as DPA within its prosecutorial As a result, the study proposes an ideal DPA model for Indonesia, which includes: limited prosecutorial discretion, mandatory corporate compliance conditions, victim participation, and judicial The study concludes that incorporating DPA into IndonesiaAos criminal procedure would enhance the countryAos legal response to digital corporate crimes while reinforcing victims' rights and promoting procedural efficiency.
Keywords:
Deferred Prosecution Agreement (DPA).
Corporate Crime.
Personal Data Protection.
INTRODUCTION
The rapid advancement of information and communication technologies in the era of the Fourth Industrial Revolution has fundamentally transformed human activities across economic, social, defense, and governance sectors.
While digitalization has brought numerous benefits, it has also introduced significant risks, particularly in the realm of personal data protection.
One of the most pressing threats is the increasing occurrence of personal data breaches, which have emerged as a central form of cybercrime in the digital age.
Indonesia has witnessed a sharp increase in personal data violations over recent years.
High-profile cases such as the Tokopedia data breach .
BPJS Kesehatan leak .
, and the PLN incident .
have exposed systemic vulnerabilities in data security frameworks and highlighted the inadequacy of law enforcement mechanisms in holding corporate data controllers accountable.
Despite Volume 6.
Number 2, 2025 https://ijble.
com/index.
php/journal/index the scale of these breaches, most cases have not resulted in criminal prosecution or administrative sanctions, underscoring a regulatory gap in protecting the right to privacy and in enforcing corporate responsibility in the digital environment.
Although corporate entities are recognized as legal subjects under Indonesian criminal law including through sectoral regulations and the 2022 Draft Criminal Code (RKUHP) the Indonesian Criminal Procedure Code (KUHAP) has yet to explicitly incorporate procedural mechanisms tailored to corporate crimes.
This limits the ability of prosecutors to pursue restorative and flexible legal responses, especially in cases involving widespread harm to consumers or data subjects.
In contrast, countries like the United States and United Kingdom have implemented Deferred Prosecution Agreements (DPA) as alternative instruments to address corporate criminal liability.
A DPA is a formal agreement between a prosecutor and a corporation to suspend prosecution in exchange for fulfilling specific obligations, such as acknowledging wrongdoing, compensating victims, instituting internal reforms, and cooperating with law enforcement.
The adoption of DPAs has proven effective in resolving complex corporate crimes while ensuring economic continuity and reinforcing corporate accountability.
Notable examples such as the Epsilon Data Management LLC and eBay Inc.
cases demonstrate how DPAs can facilitate victim redress and regulatory compliance without resorting to full-scale litigation.
While Indonesian legal instruments such as Article 132 of the 2023 Criminal Code and the Public Prosecutor Law (Law No.
11/2.
provide some foundations for alternative settlements .
, denda damai or peace fine.
, a coherent framework for DPA remains absent in KUHAP.
Given the growing complexity of corporate digital crimes, particularly those involving data misuse, the integration of DPA mechanisms into IndonesiaAos criminal procedure framework is both timely and necessary.
Such reforms would not only enhance the responsiveness and efficiency of the criminal justice system but also align with the broader shift toward restorative justice, which emphasizes victim recovery, rehabilitation, and systemic reform.
This study aims to contribute to the development of a responsive and progressive criminal procedure system in Indonesia, one that acknowledges the hybrid nature of corporate crimes often straddling civil and criminal domains and provides legal pathways that protect both public interest and fundamental human rights in the era of digital globalization.
In doing so, the research also seeks to promote greater prosecutorial discretion and encourage the institutionalization of alternative legal mechanisms that prioritize justice, efficiency, and corporate compliance in the digital age.
METHOD
This research adopts a normative juridical method, focusing on the study of law as a normative system by analyzing legal rules, principles, and doctrines relevant to corporate criminal liability in personal data breach cases.
The study applies three main First, the statutory approach is used to examine relevant legal frameworks, such as IndonesiaAos Criminal Procedure Code (KUHAP).
Law No.
27 of 2022 on Personal Data Protection, and other related regulations, in order to identify normative gaps particularly the absence of Deferred Prosecution Agreement (DPA) mechanisms in IndonesiaAos procedural law.
Second, the comparative approach analyzes legal systems in countries such as the United States and the United Kingdom Volume 6.
Number 2, 2025 https://ijble.
com/index.
php/journal/index that have implemented DPA frameworks.
This comparison helps identify best practices and assess their applicability within the Indonesian legal context.
Third, the conceptual approach explores key legal concepts such as restorative justice, corporate liability, and the right to privacy, to develop a theoretical foundation for reform proposals.
The research relies entirely on secondary legal data, including primary legal sources .
tatutory laws and official regulation.
, secondary sources .
egal journals, textbooks, and academic writing.
, and tertiary sources .
egal dictionaries and Data is collected through library research and analyzed using methods of legal interpretation, including systematic interpretation .
inking legal norms within the broader legal syste.
, teleological interpretation .
xamining the purpose and objectives of legal provision.
, and comparative interpretation .
ontrasting different legal systems to extract insight.
This methodological framework enables a comprehensive analysis of how IndonesiaAos criminal procedure system can be reformed to incorporate restorative legal mechanisms such as DPA in addressing corporate digital crimes.
RESULTS AND DISCUSSION
The Inadequacy of the Current System: A Framework Hostile to Victim Restitution The Indonesian criminal justice system, as structured by the KUHAP, is fundamentally ill-suited for addressing corporate crime and its victims.
Its core philosophy remains retributive, focusing on punishing the offender rather than restoring the victim.
This inadequacy manifests in several critical areas.
First, the KUHAP was designed with individual offenders .
atuurlijke persoo.
in mind, creating a significant procedural gap when dealing with corporations .
While substantive laws like the UU PDP now recognize corporate criminal liability, the KUHAP lacks specific procedures for investigating and prosecuting them.
This void was partially filled by PERMA No.
13 of 2016, which provides technical guidance on matters like corporate representation in court.
However, this PERMA is a temporary bridge, not a fundamental reform of the procedural code itself.
The system remains inherently offender-centric.
Second, and most critically, there is a systemic absence of an effective victim restitution scheme within the criminal prosecution process.
The primary mechanism available, the joinder of civil claims for compensation (Pasal 98 KUHAP), has proven largely ineffective.
This procedure places the burden of proof on the victim to substantiate their civil claim within a criminal trial, a process that is often complex, time-consuming, and impractical, especially in cases with numerous, diffuse victims, such as a mass data breach.
The mechanism is ill-equipped to quantify non-material damages .
, psychological distres.
or collective economic losses, which are common in corporate crime.
Even with the introduction of the UU PDP, which grants victims the right to compensation (Pasal .
, the law fails to connect this right operationally to the criminal prosecution process.
It remains a declarative right that victims must pursue separately, perpetuating the problem of secondary victimization.
The law provides the "what" .
he right to compensatio.
but not the "how" .
n integrated procedural mechanism for Volume 6.
Number 2, 2025 https://ijble.
com/index.
php/journal/index obtaining it through criminal prosecutio.
This reflects a system that, as Barda Nawawi Arief argues, is still too focused on the offender, not the victim.
This punitive focus leads to a lose-lose situation.
For victims, justice is delayed and often denied.
For society, the prosecution of corporations carries immense collateral risks.
The threat of a "corporate death penalty"Aiwhere a criminal conviction leads to bankruptcyAican destroy a viable business, eliminate thousands of jobs, and destabilize the economy.
Sutan Remy Sjahdeini has warned that an overly punitive sanction becomes ineffective if it financially cripples the corporation, leaving no assets to compensate victims.
This forces prosecutors into a difficult choice: pursue a potentially destructive prosecution or drop the case, leaving victims with no remedy.
is this systemic failure that creates the urgent need for a new approach.
Deferred Prosecution Agreement (DPA) as a Restorative and Pragmatic Solution The DPA emerges as a powerful alternative to the flawed conventional system.
It is a negotiated agreement wherein the prosecutor suspends formal charges against a corporation in exchange for the corporation's adherence to a strict set of conditions over a specified period.
Its core components typically include:
Admission of Facts: The corporation must publicly acknowledge the wrongdoing.
Monetary Penalty: A substantial fine is paid to the state.
Full Victim Compensation: This is a non-negotiable cornerstone, ensuring victims are made whole.
Corporate Reform and Compliance: The corporation must implement or enhance its compliance programs, often under the supervision of an independent monitor, to prevent future misconduct.
Cooperation: The corporation must fully cooperate with ongoing investigations, including those against individual wrongdoers.
The DPA model offers a paradigm shift from retributive to restorative justice.
championed by Eva Achjani Zulfa, restorative justice prioritizes repairing the harm caused by crime.
By placing victim compensation at the heart of the agreement.
DPA directly addresses the primary failure of the current system.
It transforms restitution from a secondary "additional penalty" into a primary condition for resolving the case.
Furthermore.
DPA is a pragmatic solution that aligns with the principles of Progressive Law Theory, which advocates for a legal system that is responsive to social needs and achieves substantive justice.
It circumvents the "corporate death penalty" dilemma by aiming to reform rather than kill the company.
This ensures the corporation remains a viable economic entity capable of fulfilling its obligations to victims, employees, and the economy.
International examples demonstrate its In the U.
, cases like that of Epsilon Data Management, which agreed to pay $127.
5 million in compensation to victims of fraud schemes, show how DPA can secure massive recoveries for victims that would be unlikely in a conventional trial.
Similarly, the case of eBay Inc.
, which paid a $3 million penalty and agreed to independent compliance monitoring for a cyberstalking campaign, illustrates DPA's dual function of punishment and reform.
In the Indonesian context, implementing a DPA would not only fill the existing legal void but would also reflect the unique socio-economic environment of the nation.
For example, in data breach cases involving national institutions or large-scale service providers such as BPJS Kesehatan or PLN, a DPA mechanism would provide the Volume 6.
Number 2, 2025 https://ijble.
com/index.
php/journal/index means to avoid service disruptions while ensuring victims are compensated and systems are strengthened.
Such outcomes are critical in safeguarding public trust.
Moreover.
DPAs allow law enforcement and corporations to prioritize long-term institutional changes rather than focusing solely on punitive actions.
This is crucial in cases where the data breach stems from systemic failures rather than malicious intent.
Through an effective DPA, corporations are incentivized to identify internal weaknesses, invest in cybersecurity, and engage third-party audits.
This approach promotes a compliance culture rather than a fear-driven, reactive legal strategy.
A Framework for Integrating DPA into the KUHAP Integrating DPA into Indonesia's civil law system requires a carefully designed legal framework to ensure it is both effective and accountable.
A mere copy-paste of foreign models will not suffice.
The formulation must be tailored to Indonesia's legal traditions and include robust safeguards.
First, the legal basis for DPA must be explicitly established within a revised KUHAP.
This is crucial to overcome the challenge posed by the principle of legality .
sas legalita.
The DPA should not be seen as a violation of this principle, but rather as a structured and transparent extension of the principle of opportunity .
sas Just as the Attorney General holds the power of deponering .
etting aside a case for the public interes.
, the DPA can be constructed as a prosecutorial tool exercised in the greater public interest, which includes victim restitution and economic stability.
As Barda Nawawi Arief has argued, criminal law policy must be dynamic and adaptable to societal needs.
Second, to prevent abuse of power and the perception of "justice for sale," the DPA mechanism must be embedded with strong safeguards:
Judicial Oversight: Every DPA must be submitted to and approved by a court.
judge's role would be to ensure the agreement is in the public interest, the terms are fair and proportionate, and the compensation plan for victims is adequate.
This judicial check provides crucial legitimacy and prevents backroom deals.
Full Transparency: The final DPA, including the statement of facts and the corporation's obligations, must be made public.
Transparency is the best disinfectant against corruption and ensures public accountability.
Clear Prosecutorial Guidelines: The Attorney General's Office must issue detailed and binding guidelines on when and how a DPA can be offered.
These guidelines should specify the types of offenses eligible and the factors to be considered .
self-reporting, level of cooperation, severity of har.
Independent Monitoring: The agreement should mandate the appointment of an independent monitor, paid for by the corporation but accountable to the prosecutor and the court.
The monitor's role is to oversee the implementation of the reforms and, crucially, verify that compensation reaches the intended victims.
Consequences for Breach: The law must clearly state that if the corporation fails to meet its obligations under the DPA, the prosecutor has the authority to unilaterally terminate the agreement and proceed with the original criminal charges, using the corporation's prior admission of facts as evidence.
This recommended formulation transforms the DPA from a mere prosecutorial tool into a comprehensive, victim-centric justice mechanism.
It directly addresses the weaknesses of the current system by making victim restitution a precondition, not an It avoids the collateral damage of a corporate death penalty, thereby Volume 6.
Number 2, 2025 https://ijble.
com/index.
php/journal/index preserving the corporation's ability to pay compensation.
Finally, by integrating judicial oversight and transparency, it builds a system that is not only effective but also This reform would represent a significant leap forward, aligning Indonesia's criminal justice system with modern principles of restorative and progressive law.
CONCLUSION
The current framework for corporate prosecution in Indonesia, anchored in a KUHAP designed for a different era, is fundamentally inadequate for addressing modern corporate crime, particularly mass data breaches.
The systemAos punitive and offender-centric paradigm systematically marginalizes victims, leaving them without effective remedies, while the blunt instrument of conventional prosecution creates unacceptable collateral damage to the economy and innocent stakeholders.
Although the UU PDP has laid the substantive groundwork for corporate criminal liability, it lacks the procedural vehicle to deliver victim-oriented justice.
This research concludes that there is a compelling and urgent need to reformulate Indonesia's criminal procedure law by integrating a well-regulated Deferred Prosecution Agreement (DPA) mechanism.
The DPA is not a lenient option but a smart, pragmatic, and restorative alternative that balances multiple justice It holds corporations accountable for their misconduct, compels them to undertake meaningful internal reforms, and, most importantly, places the swift and full restitution of victim losses at the center of the process.
By adopting a DPA framework with robust safeguards including mandatory judicial oversight, full transparency, and independent monitoring Indonesia can move beyond the flawed, all-or-nothing approach of the past.
This reform is a tangible application of Progressive Law theory, ensuring that the law serves human needs and achieves substantive justice.
It is a critical step towards building a criminal justice system that not only punishes wrongdoing but also heals the harm it causes, thereby fulfilling the ultimate purpose of law in a just and modern society.
Reference