The protection of personal data has become a fundamental concern in both legal theory and governance due to the exponential growth of digital ecosys- tems. With an emphasis on the right to compensation for impacted parties this study critically evaluated Indonesiaʼs institutional and legal framework for handling breaches of personal data. The analysis, which employed doctrinal legal research methods, focused on the General Data Protection Regulation of the European Union, Government Regulation No. 71 of 2019, and the Personal Data Protection Law, specifically Article 82, which provides compensation for both material and non-material harm. The findings pointed to serious institutional shortcomings in Indonesiaʼs legal system. The 2020 Tokopedia data breach, which affected over 91 million users, serves as an example of the absence of institutional oversight and procedural clarity. Citing the applicability of administra- tive jurisdiction under the Law on Public Administration, the Central Jakarta District Court dismissed the case on jurisdictional grounds. On June 15, 2022, the Supreme Court subsequently affirmed this decision. Although compensation was prescribed in Article 58 of the Personal Data Protection Law, the mechanisms for implementing this provision have not yet been developed. On the other hand, the General Data Protection Regulation ensures that data subjects have effective remedies by requiring both administrative oversight through independent supervisory bodies and judicial access. The study concluded that Indonesia must harmonise public-private liability structures, codify explicit procedural remedies, and establish an empowered data protection authority. Comparative observations from the General Data Protection Regulation highlight how crucial dual-track enforcement, enforceable rights, and institutional autonomy are to protecting personal information and rebuilding public confidence
administrative dispute resolution; compensatory justice systems; institutional accountability; procedural legal mechanisms; misuse of personal data; remedies for privacy violations
[1] Algamar, M.D., & Ismail, N. (2023). Data subject access request: What Indonesia can learn and operationalise in 2024? Journal of Central Banking Law and Institutions, 2(3), 481-512. doi: 10.21098/jcli.v2i3.171.
[2] Attidhira, S.W., & Permana, Y.S. (2022). Review of personal data protection legal regulation in Indonesia. Awang Long Law Review, 5(1), 280-294. doi: 10.56301/awl.v5i1.562.
[3] Budiman, R. (2023). The development of Personal Data Protection Law in Indonesia: Challenges and prospects for the implementation of Law No. 27 of 2022. Jurnal Smart Hukum (JSH), 2(1), 24- 36. doi: 10.55299/jsh.v2i1.1352.
[4] Charter of Fundamental Rights of the European Union. (2000, December). Retrieved from https://www.europarl.europa.eu/charter/pdf/text_en.pdf.
[5] Cholil, A., & Rahmi. (2024). Law requirements on personal data protection and its impact in records management. ANUVA, 8(4), 523-536.
[6] Constitution of Indonesia. (1945, August). Retrieved from https://natlex.ilo.org/dyn/natlex2/r/natlex/fe/details?p3_isn=50148.
[7] Convention for the Protection of Individuals about Automatic Processing of Personal Data. (1981, January). Retrieved from https://rm.coe.int/1680078b37.
[8] Draft Government Regulation of the Republic of Indonesia “Implementing Regulations of Law Number 27 of 2022 Concerning Personal Data Protection”. (2023, August). Retrieved from https://surl.li/pvauul.
[9] European Union Data Protection Directive. (1995, October). Retrieved from https://eur-lex.europa.eu/eli/dir/1995/46/oj/eng.
[10] General Data Protection Regulation. (2016, April). Retrieved from https://gdpr-info.eu/.
[11] Government Regulation of the Republic of Indonesia No. 71 “On the Operation of Electronic Systems and Transactions”. (2019, October). Retrieved from https://peraturan.bpk.go.id/Details/122030/pp-no-71-tahun-2019.
[12] Government Regulation of the Republic of Indonesia No. 80 “On Trade through Electronic Systems”. (2019, November). Retrieved from https://peraturan.bpk.go.id/Details/126143/pp-no-80-tahun-2019.
[13] Gracy, S.S. (2024). A global analysis of data breaches from 2004 to 2024. arXiv. doi: 10.48550/arXiv.2502.05205.
[14] Hasan, F. (2024). Liability of business actors for the protection of consumer personal data.
Mulawarman Law Review, 9(1), 12-28. doi: 10.30872/mulrev.v9i1.1305.
[15] Heriani, F.N. (2020). The Tokopedia consumer data leak case ends up in court. Retrieved from https://surl.lu/teyknr.
[16] Hilary, G., Buttrick, J.D., & McGowan, R.J. (2016). The skeleton of a data breach: The ethical and legal concerns. Richmond Journal of Law & Technology, 23(1), article number 2.
[17] International Covenant on Civil and Political Rights. (1966, December). Retrieved from https://surl.li/qgkssk.
[18] Judgement of the Central Jakarta District Court in Case No. 235/PDT.G/2020/PN.JKT.PST. (2022, June). Retrieved from https://jdih.komdigi.go.id/perkara/view/21.
[19] Judgment of the Court of Justice (Eighth Chamber) in Case No. C507/23. (2024, October). Retrieved from https://surl.li/eohdql.
[20] Judgment of the Court of Justice in Case No. C-300/21. (2023, May). Retrieved from https://surl.li/muoxgk.
[21] Judijanto, L., Solapari, N., & Putra, I. (2024). An analysis of the gap between data protection regulations and privacy rights implementation in Indonesia. The Easta Journal Law and Human Rights, 3(1), 20-29. doi: 10.58812/eslhr.v3i01.351.
[22] Lomas, N. (2023). Europeʼs top court clarifies GDPR compensation and data access rights. Retrieved from https://techcrunch.com/2023/05/04/cjeu-gdpr-damages-access-rights/.
[23] Lynskey, O. (2023). Complete and effective data protection. Current Legal Problems, 76(1), 297- 344. doi: 10.1093/clp/cuad009.
[24] Maleno, M., & Kusumawati, A. (2024). Comparative analysis of Indonesiaʼs Personal Data Protection Law with the European Union and California regulations to identify best practices in protecting public privacy rights. Indonesia Law Collage Association Law Journal (ILCA Law Journal), 181(2), 91-98.
[25] Marelli, M. (2023). The law and practice of international organisationsʼ interactions with personal data protection domestic regulation: At the crossroads between the international and domestic legal orders. Computer Law & Security Review, 50, article number 105849. doi: 10.1016/j.clsr.2023.105849.
[26] OECD. (2002). Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. Paris: OECD Publications Service.
[27] Perkasa, J., & Saly, J.N. (2022). Legal liability of marketplace companies against leaking of user data due to third party breaking according to Law Number 8 of 1999 Concerning Consumer Protection (Case Example: Tokopedia User Data Leaking in 2020). In Proceedings of the 2021 international conference on education, language and art (ICELA 2021) (pp. 771-776). Paris: Atlantis Press SARL. doi: 10.2991/assehr.k.220404.096.
[28] Rahman, A.A., & Greenleaf, G. (2023). Indonesia enacts Personal Data Protection Act, with a DPA. SSRN Electronic Journal. doi: 10.2139/ssrn.4343593.
[29] Rohendi, A., & Kharisma, D.B. (2024). Personal data protection in fintech: A case study from Indonesia. Journal of Infrastructure, Policy and Development, 8(7), article number 4158. doi: 10.24294/jipd.v8i7.4158.
[30] Saputra, A. (2020). Consumer personal data breached, Tokopedia sued for IDR 100 billion. Retrieved from https://surl.li/zkzjzv.
[31] SOCRadar Your Eyes Beyond. (n.d.). Indonesia Threat Landscape Report. Retrieved from https://surl.li/vojmpz.
[32] Syrlybayeva, F., Kassymova, X., Omarova, E., Zhussipova, B., & Nurgalieva, E. (2024). Protection of information about employeeʼs personal data in the Republic of Kazakhstan. Social and Legal Studios, 7(4), 90-102. doi: 10.32518/sals4.2024.90.
[33] Wibowo,A.,Alawiyah,W.,&Azriadi. (2024).TheimportanceofpersonaldataprotectioninIndonesiaʼs economic development. Cogent Social Sciences, 10(1). doi: 10.1080/23311886.2024.2306751.
[34] Widiatedja, P., & Mishra, N. (2022). Establishing an independent data protection authority in Indonesia: A future-forward perspective. International Review of Law, Computer & Technology, 50, article number 105849.
[35] Yaros, O., & Bruder, A.H. (2023). Compensation under Art. 82 GDPR: A mere violation is not enough. Retrieved from https://surl.lt/nrierx.
[36] Yustina, E.W. (2022). Legal aspect of health data and information protection after the promulgation of Law No. 27 of 2022 about protection of personal data. In Digital healthcare transformation: Electronic medical record and personal data protection (pp. 312-323). Semarang: UNIKA Soegijapranata.