West Science Law and Human Rights
Vol. No. October 2025, pp.

Analysis of Criminal Liability for Personal Data Violations: Case Studies of the General Elections Commission and E-Commerce from the Perspective of the ITE Law and the PDP Law 2023–2024

Ilmi Firdaus Aliyah1, Novandi Dwi Putra2
Universitas Mayjen Sungkono

Article Info
Article history: Received Oct, 2025; Revised Oct, 2025; Accepted Oct, 2025
Keywords: Personal Data Protection Law, ITE Law, criminal liability, data breach, normative juridical

ABSTRACT
This study examines criminal liability for personal data violations in Indonesia through a normative juridical analysis of case studies involving the General Elections Commission (KPU) and e-commerce platforms during the 2023–2024 period. The research focuses on the intersection between the Electronic Information and Transactions Law (ITE Law) and the Personal Data Protection Law (PDP Law) to determine how these regulations govern the protection of personal data and the imposition of criminal sanctions. Findings reveal that while the ITE Law provides a legal foundation for addressing electronic crimes, it lacks specificity in handling cases of institutional negligence and corporate responsibility. In contrast, the PDP Law introduces comprehensive provisions, including criminal sanctions for both intentional and negligent violations, but faces enforcement challenges due to limited institutional capacity and overlapping Analysis of the KPU and e-commerce data breaches shows weak legal enforcement, lack of accountability, and insufficient public awareness. The study concludes that effective personal data protection in Indonesia requires legal harmonization between the ITE and PDP Laws, establishment of a dedicated supervisory authority, and enhancement of institutional and public capacity to ensure compliance and accountability.

This is an open access article under the CC BY-SA license.
Corresponding Author:
Name: Ilmi Firdaus Aliyah
Institution: Universitas Mayjen Sungkono
e-mail: ilmifirdausa@gmail.
Journal homepage: https://wsj.westscience-press.com/index.php/wslhr

INTRODUCTION

The reshaped the ways personal data is collected, transactions, e-government platforms, and social media interactions. However, this rapid shift also increases the risks of data breaches and misuse, particularly when institutions fail to implement adequate security measures. In Indonesia, major data leak incidents involving the General Elections Commission (KPU) and e-commerce platforms such as Tokopedia and Bukalapak during 2023–2024 have exposed significant weaknesses in the national data protection framework. These incidents raised widespread public concern regarding the security and integrity of citizens' personal Although Indonesia's regulatory regime has been strengthened through the Personal Data Protection Law (PDP Law) of 2022 and the Electronic Information and Transactions Law (ITE Law), challenges persist in legal harmonization, regulatory dualism, institutional coordination, and enforcement capacity. The situation is further complicated by low levels of public digital literacy and limited institutional readiness, which hinder effective monitoring and compliance with data protection obligations. The exposure of voter data from KPU and consumer information from Tokopedia and Bukalapak demonstrates the scale of potential harm caused by weak cybersecurity systems and insufficient legal enforcement, raising critical questions about the criminal liability of data controllers, processors, and responsible The implementation of both the PDP Law and ITE Law is constrained by unclear jurisdiction, regulatory inconsistencies, and the absence of a robust independent supervisory authority, making it difficult to ensure accountability and effective data governance.
Accordingly, key recommendations include harmonizing the PDP and ITE Laws to eliminate regulatory overlaps, strengthening digital infrastructure, enhancing institutional capacity, providing education and training for business actors, and improving public awareness to safeguard digital rights more effectively. Strengthening these legal and institutional mechanisms is therefore essential to ensure comprehensive and resilient personal data protection The enactment of Indonesia's Personal Data Protection (PDP) Law represents a major step in strengthening digital governance, as it provides a dedicated legal framework for safeguarding personal data and introduces explicit criminal sanctions for violations. In contrast, the Electronic Information and Transactions (ITE) Law, initially intended to regulate electronic information and transactions more broadly, has been widely used to prosecute cyber-related offenses such as unauthorized access and data manipulation, yet it lacks detailed mechanisms for personal data This regulatory gap has created ambiguities in how both laws interact, particularly regarding overlapping jurisdiction, the classification of offenses as administrative or criminal, and inconsistencies in enforcement. Scholars note that the general nature of the ITE Law contributes to regulatory dualism with the PDP Law, while the PDP Law, although inspired by international standards like the GDPR, still faces challenges in implementation due to institutional overlap and normative inconsistencies. Recent data breach cases from 2023–2024 further illustrate these issues, revealing the complexities of determining criminal liability within an evolving legal These overlapping frameworks also complicate the enforcement of liability for personal data violations, which may involve both individuals and institutions under provisions that prohibit misuse, including doxing.
Effective implementation requires harmonization between the PDP and ITE Laws as well as stronger institutional capacity to handle data protection issues. Case studies from recent breaches highlight mechanisms, emphasizing the need for clearer legal consequences and more accessible reparations for victims. From a legal standpoint, addressing these challenges requires a deeper analysis of substantive and procedural elements (such as determining who can be held responsible, the circumstances under which liability arises, and the scope of sanctions) to ensure that Indonesia's data protection regime is able to effectively respond to incidents and safeguard citizens' digital This study employs a normative juridical analysis to examine the legal foundations, statutory interpretations, and doctrinal perspectives surrounding personal data protection and criminal liability, using the KPU and major e-commerce breach cases as focal points to assess whether Indonesia's current legal framework effectively deters violations and ensures accountability while maintaining consistency between the ITE Law and PDP Law in regulating data security and imposing criminal sanctions. Ultimately, this paper contributes to the broader discourse on digital governance and legal reform by arguing that effective personal data protection requires legal harmonization, stronger institutional coordination, and improved public awareness. The findings aim to provide valuable insights for policymakers, law enforcers, and scholars in developing a more coherent, enforceable, and equitable approach to data protection that balances individual rights, responsibilities, and technological realities within Indonesia's rapidly evolving digital

LITERATURE REVIEW

1 The Concept of Personal Data Protection

The protection of personal data in Indonesia, as established under Law No. 27 of 2022 (PDP Law)
, constitutes a crucial legal and ethical framework for safeguarding individual privacy and aligns with international standards such as the European Union's GDPR, incorporating principles of lawfulness, challenges due to limited procedural detail and institutional readiness compared with the GDPR's more developed mechanisms, including mandatory Data Protection Impact Assessments (DPIAs) and independent supervisory authorities. While the GDPR's extraterritorial scope and strong enforcement illustrate the importance of enhancing Indonesia's regulatory capacity, obstacles in applying the PDP Law persist, particularly the absence of a dedicated supervisory institution, insufficient public and institutional awareness, complex data processing structures, and weak security systems, alongside external threats such as interception in government and. Furthermore, although the PDP Law is grounded in human rights principles (linking protection to constitutional rights to privacy under the 1945 Constitution), rapid technological advancements continue to generate new threats that require stronger statutory enforcement, improved institutional coordination, frameworks to ensure meaningful protection for citizens in the digital era.

2 Overview of the Electronic Information and Transactions (ITE) Law

The ITE Law, although not originally designed as a data protection law, contains provisions relevant to data breach cases (such as consent requirements for personal data use and prohibitions on unauthorized access or alteration of electronic information), yet its effectiveness remains limited due to its general nature, vague definitions, and lack of specific enforcement mechanisms, which have resulted in inconsistent court applications and scholarly criticism.
These shortcomings have led to growing calls for harmonization with the more comprehensive PDP Law, which internationally aligned framework for data protection, including explicit criminal penalties for unauthorized data distribution that the ITE Law does not address unless accompanied by other offenses. Implementation challenges further hinder the ITE Law's ambiguous article formulations, and limited cybercrime awareness among law enforcement officers create procedural uncertainty and weaken enforcement outcomes.

3 The Personal Data Protection (PDP) Law: Legal Innovations and Challenges

The Personal Data Protection Law (PDP Law), enacted as Law No. 27 of 2022, marks a major development in Indonesia's legal framework by providing a comprehensive system for managing personal data, defining the roles of data controllers and processors, and imposing administrative as well as criminal sanctions for violations; its key provisions include the requirement for explicit consent before data processing (Articles 20–.), the rights of data subjects to access, correct, and delete their data (Articles 9–.), and the obligation for data controllers to ensure data security (Article .), alongside imprisonment and fines for intentional or negligent misuse of personal data (Articles 67–.). Despite these advancements, the law faces significant implementation challenges, including the absence of an independent supervisory authority to enforce compliance, potential overlaps and jurisdictional ambiguities with existing regulations like the ITE Law, and structural weaknesses when compared with international standards such as the GDPR, mechanisms like data portability and privacy by design. Research further shows that institutional and enforcement gaps remain substantial, with Putri & Nugroho
emphasizing the uncertainty created by regulatory overlaps and the need for clearer integration of the PDP Law within Indonesia's broader digital governance ecosystem.

4 Criminal Liability in Data Breach Cases

Criminal liability in Indonesian law regarding personal data violations requires assessing the intent or negligence of data controllers and processors, with the Personal Data Protection (PDP) Law providing a framework to hold both individuals and corporations accountable for breaches, particularly as incidents of data misuse increase and digital evidence becomes more complex. The law emphasizes clear delineation of responsibilities and allows sanctions against corporations for systematic negligence or inadequate security measures, consistent with Article 45 paragraph . of the PDP Law. Corporate liability is reinforced through strict liability provisions that hold corporations responsible for misuse committed by individuals within the organization, with possible sanctions including fines of up to 2% of annual revenue, business license revocation, and criminal penalties for corporate officers. At the individual level, mens rea plays a intentional from negligent acts, shaping the severity of penalties, although proving criminal intent remains challenging in cybercrime cases due to the diffuse and complex nature of digital evidence. Enforcement further faces obstacles such as weak supervisory mechanisms, low public legal literacy, and inadequate digital infrastructure, with cases like the Bjorka hacking incident illustrating the need for both penal and non-penal strategies, including enhanced digital literacy and strengthened cybersecurity systems to ensure effective implementation of data protection norms.

Theoretical Framework

This study is grounded in two core legal theories: the Theory of Legal Protection (Teori Perlindungan Hukum)
by Satjipto Rahardjo, which asserts that law must function to safeguard human dignity and rights (emphasizing the state's obligation to protect individuals' privacy and security in the context of personal data), and the Theory of Criminal Liability (Teori Pertanggungjawaban Pidana), which attributed to individuals or institutions based on intentional or negligent acts that violate criminal norms. By applying these theoretical foundations, the study assesses how Indonesian law assigns criminal responsibility for data breaches and evaluates whether existing legal frameworks effectively protect citizens' personal data from misuse or unauthorized exposure.

RESEARCH METHODS

1 Research Approach

This study employs a normative juridical research approach that focuses on examining legal norms, statutory provisions, doctrines, and principles governing personal data protection and criminal liability, emphasizing legal reasoning rather than empirical data collection; as stated by Soerjono Soekanto, normative legal research aims to identify in concreto the application and consistency of laws in resolving legal issues, and in this study it is used to analyze the legal relationship between the ITE Law and the PDP Law in addressing personal data breaches, interpret relevant provisions on criminal responsibility, and evaluate the implementation and enforcement of these laws in the 2023–2024 data breach cases involving public and private entities, thereby enabling an assessment of how effectively Indonesia's legal system ensures justice, deterrence, and protection for citizens whose personal data has been compromised.

2 Type of Research

This research adopts a descriptive-analytical approach, aiming to present the enforcement while analyzing them through legal reasoning.
The descriptive component outlines how data breaches occurred in the KPU and various e-commerce platforms, including institutional responses and public reactions, whereas the analytical component evaluates these events within the framework of relevant legal provisions to determine whether they fulfill the legal elements of criminal liability as stipulated under the ITE and PDP Laws, thereby providing a comprehensive understanding of both the practical realities and the legal implications of personal data breaches in Indonesia.

3 Source of Legal Materials

This study relies on secondary data consisting of primary, secondary, and tertiary legal materials, including primary materials such as the ITE Law (Undang-Undang No. 11 Tahun 2008 as amended by Undang-Undang No. 19 Tahun 2.), the Personal Data Protection Law (Undang-Undang No. 27 Tahun 2022), the 1945 Constitution, relevant government regulations, ministerial decrees, official guidelines on data protection and cybercrime, as well as court decisions and jurisprudence related to personal data breaches; secondary materials comprising legal textbooks, journal articles, policy briefs, academic papers on data protection, cyber law, and criminal liability, publications from institutions such as Kominfo and BSSN, and comparative studies referencing the GDPR and ASEAN data protection frameworks;
and tertiary materials in the form of legal dictionaries, encyclopedias, news archives, and credible online sources that provide factual context and support the analysis of the data breach cases examined in this

4 Data Collection Techniques

Data collection in this study was carried out through documentary research and literature review by systematically identifying, collecting, classifying, and analyzing legal documents and academic sources, including relevant statutes and regulations, scholarly interpretations, journal publications, and policy commentaries, as well as factual information on the KPU and e-commerce data breaches compiled from official press releases, digital forensic reports, and verified media coverage from 2023 to 2024; all materials were then organized thematically to support the legal analysis of criminal responsibility, institutional negligence, and the mechanisms of personal data protection in Indonesia.

5 Data Analysis Techniques

This research employs qualitative juridical analysis, focusing on a logical, systematic, and interpretative evaluation of legal norms and principles, using statutory interpretation to examine the provisions, objectives, and constitutional alignment of the ITE and PDP Laws, comparative analysis to identify overlaps and differences between both benchmarks such as the GDPR for best-practice assessment, and case study analysis to evaluate how the legal framework has been applied in the KPU and e-commerce data breach cases and whether responsible parties can be held criminally liable; the insights generated from these analytical techniques are then synthesized to determine the adequacy of Indonesia's legal response to personal data privacy violations and to assess whether existing regulations effectively ensure accountability and protection for citizens.

RESULTS AND DISCUSSION

1 Overview of Personal Data Violation Cases in 2023–2024

In 2023,
Indonesia's General Elections Commission (KPU) experienced a massive data breach that exposed more than 200 million voter identification numbers (NIK), addresses, and polling information. The leaked data appeared on online forums and was allegedly sold on the dark web, raising major public concern and prompting investigations by the Ministry of Communication and Informatics (Kominfo) and the National Cyber and Crypto Agency (BSSN). Although the KPU claimed that the breach originated from older databases or external sources rather than its main election system, digital forensic assessments suggested critical vulnerabilities such as weak encryption and limited access controls. Despite the gravity of the incident, no clear criminal accountability was established, as authorities focused primarily on mitigation efforts and data recovery rather than pursuing prosecution, revealing a significant gap in the application of the PDP Law's criminal sanctions. The KPU's assertion that the breach did not come from its main system but from legacy databases reflects a broader and recurring pattern also seen in e-commerce platforms: inadequate cybersecurity architecture. Digital vulnerabilities such as poor encryption, weak authentication protocols, and insufficient access control measures are systemic issues across both election infrastructure and corporate digital Comparative cases illustrate this similarity: failures in election systems, as seen in the Antrim County error caused by operator mistakes and inadequate procedures, the rapid compromise of the Washington. Internet voting trial server, and the severe vulnerabilities in New South Wales' iVote system due to insecure external servers, mirror the weaknesses that have caused major e-commerce breaches. Tokopedia's leak of 91 million user records due to failures in preventive and post-incident handling
and T-Mobile's repeated breaches in 2021 and 2023, which underscored the necessity of zero-trust architectures and granular access control, highlight the urgent need for robust cybersecurity protocols across both the public and private sectors. In parallel with the election-related breach, multiple e-commerce platforms, including Tokopedia, Bukalapak, and Shopee, experienced recurring data leaks between 2023 These breaches compromised user account data, passwords, transaction histories, and in certain cases, financial information, with most companies attributing the incidents to third-party vulnerabilities or external hacking Although such breaches clearly violate the rights to data protection guaranteed under the PDP Law, the legal responses largely consisted of administrative warnings and public apologies rather than criminal prosecution. This pattern indicates a persistent enforcement gap in applying the PDP Law's criminal provisions to private-sector actors, demonstrating that Indonesia's current legal and institutional frameworks remain insufficient to ensure accountability and deter future data privacy

2 Legal Analysis Based on the ITE Law

The ITE Law is Indonesia's earliest legal instrument governing electronic information and transactions, containing provisions that address unauthorized access and illegal manipulation of electronic data. Article 30 stipulates that "any person who intentionally and without authority accesses another person's electronic system" may be subject to imprisonment or fines, while Article 32 paragraph . criminalizes altering, deleting, or disseminating electronic information without In the KPU and e-commerce data unauthorized access and dissemination clearly fulfill these legal elements, making hackers or other unauthorized actors liable under the ITE Law.
However, when breaches stem from negligence (such encryption, or poor access control), the effectiveness of the ITE Law diminishes, as it does not explicitly criminalize negligence or systemic failures on the part of institutions. This limitation reflects a broader structural issue noted by legal experts such as Sinta Dewi, who argue that the ITE Law is primarily oriented toward prosecuting individual cybercrime offenders rather than Consequently, perpetrators who directly infiltrate systems can be prosecuted, organizations that fail to implement adequate safeguards often evade criminal sanctions despite contributing to the conditions that enable breaches. This gap exposes a critical flaw in Indonesia's digital governance framework, demonstrating the need for complementary regulation, such as the PDP Law, to address institutional comprehensive approach to personal data

3 Legal Analysis Based on the PDP Law

The Personal Data Protection Law (PDP Law), enacted in 2022, establishes a governing data controllers and processors, introducing criminal sanctions for both intentional and negligent acts that result in personal data misuse or unlawful disclosure. Article 67 paragraph . stipulates that individuals or institutions who intentionally obtain or disclose personal data illegally may face up to five years of imprisonment and/or fines of up to IDR 5 billion, while Article 70 paragraph . extends liability to corporations when violations occur due to inadequate security measures or non-compliance. The law obligations, requiring robust security systems and transparent data management practice, with Articles 67 and 70 emphasizing the criminal and corporate liabilities associated with data breaches.
Despite its strong legal structure, the PDP Law's enforcement remains limited, particularly in the absence of clear implementation guidelines and institutional Enforcement challenges are further compounded by the absence of a dedicated supervisory authority, a gap that significantly mechanisms, as evidenced in the KPU breach case. Overlapping authority among regulatory bodies, such as Bawaslu and law enforcement, creates procedural uncertainty and erodes public trust. In the KPU incident, the institution, acting as a data controller, had a legal obligation under Article 35 to ensure the confidentiality and security of voter data; however, inadequate organizational and technical measures indicated potential Yet, due to the non-operational status of the supervisory authority at the time, sanctions could not be pursued. A similar pattern emerged in the e-commerce sector, where companies acknowledged breaches but criminal liability was not pursued because of difficulties in proving intent (mens rea) and causation (causa proxima), especially when corporate responsibility assessments. To strengthen the PDP Law's effectiveness, scholars recommend establishing an independent supervisory authority capable investigations, and issuing sanctions. Clearer regulations and improved coordination among regulatory bodies are also necessary to reduce jurisdictional overlap and enhance public trust. Despite being more advanced than previous regulatory frameworks, the PDP Law still encounters institutional and procedural limitations that hinder full Putri & Nugroho emphasize that Indonesia requires a dedicated Data Protection Authority (DPA) to ensure comprehensive, consistent, and enforceable protection of personal data across both public and private sectors.

4 Comparative Analysis: ITE Law vs. PDP Law

A comparison between the ITE Law (Law No. 11/2008) and the PDP Law (Law No. 27/2022)
shows that the ITE Law broadly cybercrimes with a focus on intentional acts imprisonment and fines but lacking a designated supervisory authority, while the PDP Law specifically governs personal data protection, covers both individuals and institutions as data controllers or processors, extends liability to include intentional and negligent acts, and introduces administrative, civil, and criminal sanctions supported by the mandate to establish a Data Protection Authority; in practice, the ITE Law is applied mainly to hackers and direct cybercrime actors, whereas the PDP Law is designed to regulate corporate and institutional responsibility. This comparison demonstrates that although the ITE Law provides a foundational framework for addressing electronic crimes, it lacks the specificity required for robust personal data governance, while the PDP Law offers more detailed obligations and broader liability yet continues to suffer from weak enforcement and limited institutional readiness. Together, the two laws create a dual-layered regulatory system, but without proper harmonization their uncertainty, causing law enforcement agencies to hesitate in determining which statute should apply and resulting in frequent under-prosecution of data breach cases.

5 Discussion

The findings reveal a significant disconnect between Indonesia's legal norms and actual enforcement practices, showing that PDP Law comprehensive protection mechanisms, its effectiveness ultimately depends on the readiness of implementing institutions and the political will to enforce its provisions.
This highlights the urgent need for harmonization between the ITE and PDP Laws to eliminate overlapping regulations and ensure consistent application across public and private sectors, alongside the strengthening of institutional capacity through the establishment of an independent Data Protection Authority (DPA) with clear investigative and sanctioning Furthermore, stronger corporate compliance is necessary, requiring e-commerce platforms and digital service providers to adopt higher cybersecurity standards, conduct regular audits, and maintain transparent data management practices in accordance with Article 35 of the PDP Law, while public empowerment initiatives, such as citizen education on data protection rights and reporting mechanisms, must be prioritized to enhance participation in digital governance. Judicial development is equally essential, as courts and prosecutors need specialized training in cyber law and digital forensics to adjudicate data protection cases effectively and uphold fairness in the enforcement of personal data rights.

CONCLUSION

The analysis of criminal liability for personal data violations based on the KPU and e-commerce case studies during 2023–2024 reveals substantial legal and institutional weaknesses in Indonesia's data protection Although both the ITE Law and the PDP Law offer mechanisms for responding to data breaches, the lack of harmonization enforcement, scope, and jurisdiction. The ITE Law continues to focus on intentional cybercrimes committed by individuals, offering limited tools for addressing institutional or corporate negligence, whereas the PDP Law introduces a more comprehensive regulatory structure governing data controllers and processors and establishes civil, administrative, and criminal sanctions for violations. Despite its stronger framework, the effectiveness of the PDP Law remains constrained by the absence of a fully operational Data Protection Authority (DPA) and weak coordination among enforcement bodies.
The KPU case exposes systemic vulnerabilities in public-sector cybersecurity and accountability, while recurring breaches in the e-commerce sector reveal persistent compliance gaps and insufficient consumer protection. Both cases highlight how current enforcement remains largely reactive and mitigation-oriented, providing minimal remedies for victims and failing to establish deterrence. Therefore, this study concludes that Indonesia must urgently harmonize the ITE and PDP Laws, strengthen institutional capacity, and establish a dedicated supervisory authority capable of overseeing compliance, conducting investigations, and imposing sanctions. Public empowerment through improved digital literacy is equally essential to ensure that citizens understand and can exercise their data protection rights. Effective enforcement of data protection laws also requires technological expertise, enhanced judicial competence in cyber law and digital forensics, and robust interagency collaboration to build a trustworthy and resilient digital governance ecosystem. In summary, the future of personal data protection in Indonesia depends not merely on the existence of comprehensive legal frameworks but on the clarity of legal responsibilities, the commitment of both state and private actors, and the consistent and competent enforcement needed to uphold privacy and accountability in the digital era.

REFERENCE