DATA SUBJECT ACCESS REQUEST: WHAT INDONESIA CAN LEARN AND OPERATIONALISE IN 2024?


Muhammad Deckri Algamar
Noriswadi Ismail

Abstract

The enactment of the Indonesian Personal Data Protection (PDP) Law is in line with the nation’s position as the most promising digital economy in Southeast Asia. The PDP Law, amongst other things, introduces the Data Subject Access Request (DSAR), a cornerstone mechanism for exercising data subject rights that mirrors the European Union General Data Protection Regulation (GDPR). However, DSAR failures are predominantly caused by resource constraints, a lack of fundamental understanding, and technical gaps when responding to such requests. In practice, DSAR management is time-consuming and taxing, since organisations must manage numerous and complex requests within a tight timeline. By way of comparative analysis, we explore the concept of data subject rights, specifically the Rights to Access. Drawing on observations and constructive responses from global data protection professionals, academics and non-lawyers, this paper suggests that a similar failure scenario might occur in Indonesia when the PDP Law grace period ends in 2024, if the causes are not addressed and mitigated. Accordingly, in safeguarding data subjects’ rights, we assert that DSAR under the PDP Law might bring disproportionate impracticality; hence there is a demand for robust consultation and holistic regulatory implementation. We also propose considering a harmonized ASEAN DSAR framework for future-proofing cross-border payment, in 2024 and beyond.

Keywords: Data Protection, Cybersecurity, Indonesia PDP Law, EU GDPR, DSAR

