• Instgram
  • LinkeIn
  • Lexologoy
One Asia Lawyers > NEWSLETTER > Indonesia > Indonesia: Safeguarding Children’s Data in the Digital Age: Highlights of Government Regulation No. 17 of 2025

Indonesia: Safeguarding Children’s Data in the Digital Age: Highlights of Government Regulation No. 17 of 2025

2025年06月16日(月)

We published a newsletter regarding Safeguarding Children’s Data in the Digital Age in Indonesia. To view PDF version, please click the following link.

Safeguarding Children’s Data in the Digital Age: Highlights of Government Regulation No. 17 of 2025

 

Safeguarding Children’s Data in the Digital Age:
Highlights of Government Regulation No. 17 of 2025

June 2025
One Asia Lawyers Indonesia Office
Koji Umai, Lawyer (Japan)
Prisilia Sitompul, Lawyer (Indonesia)

1. Introduction

The Indonesian government has recently issued a long-awaited regulation that addresses two critical aspects of society: children and technology. Government Regulation No. 17 of 2025 on the Governance of Electronic Systems in Child Protection (“GR17/2025“) came into force on March 27, 2025.

GR 17/2025 complements existing regulations and marks a significant step in protecting children’s personal data in an era where digital platforms, especially in education and entertainment, play a growing role in children’s daily lives. From learning apps to online games, children’s data is now a key part of a vast and complex digital ecosystem.

2. Why GR 17/2025 Matters

Children’s constant engagement with technology makes them especially vulnerable to digital risks. GR 17/2025 is designed to help reduce the following dangers:

  • Misuse of personal data
  • Cyberbullying
  • Other harmful effects of online interactions


By addressing these risks, the regulation promotes a safer digital environment for children.

3. General Requirements

GR17/2025 requires Electronic System Operators (“ESOs”), both public and private, to protect children, defined as anyone under 18 years old, when they use or access electronic systems. To meet this obligation, ESOs must:

  • Provide clear information about the minimum age required to use their products and services, based on the following age groups:

(i) 3–5 years
(ii) 6–9 years
(iii) 10–12 years
(iv) 13–15 years
(v) 16–under 18 years

  • Implement a verification system to confirm the age of child users
  • Provide a reporting mechanism for any misuse of products, services, or features that violates or could potentially violate children’s rights
    (Art.2 paragraph (4))

4. Obligations of ESOs

Under Article 7, Paragraph (1), ESOs must:

  1. Obtain consent from the child’s parent or guardian;
  2. Conduct a personal data protection impact assessment;
  3. Configure product, service, and feature settings, especially those designed for or potentially accessible by children to have high default privacy settings;
  4. Provide complete, accurate, and clear information to help users understand the product, service, and features;
  5. Educate and support the digital ecosystem;
  6. Provide notifications or signals when monitoring a child’s activity or location through the product, service, or features;
  7. Offer functions that match the child’s age and abilities;
  8. Clearly assign who is responsible for processing children’s personal data when providing internet-connected toys or devices;
  9. Ensure that any third party appointed or working with the ESO complies with child protection rules; and
  10. Appoint an officer responsible for personal data protection functions.

5. Prohibited Activities

According to Article 7, Paragraph (2), ESOs must not:

  • Employ concealed or non-transparent methods, techniques, or practices in the design or operation of their products, services, or features.
  • Collect detailed geolocation data of children.
  • Create profiles of children based on their personal data or online activities.

6. Risk Classification and Notification Requirement for Child-Related Online Content

Online products, services, and features will be classified as either low risk or high risk for children, depending on their potential impact. (Art.5 paragraph (1) and (2))

Risk Assessment Criteria

The risk level is determined based on the following criteria: (Art.5 paragraph (3))

  • Interaction with unknown individuals
  • Exposure to pornographic, violent, harmful, or otherwise inappropriate content
  • Risk of exploitation of children as consumers
  • Potential harm to children’s psychological well-being
  • Potential to cause physical or health-related issues

Assessment and Notification Process

  • The risk assessment must be conducted by the relevant ESO through a self-assessment
  • The ESO is required to submit the results of the self-assessment to the Ministry of Communication and Digital (Komdigi).
  • The Ministry will then review and validate the submitted assessment and formally determine the product’s risk classification.
    (Art.5 paragraph (6), (7), (8))

Regulatory Framework

The implementation of this process depends on the issuance of a ministerial regulation, as mandated by Article 6. Until such regulation is issued, the risk classification and notification obligations may not yet be enforced.

7. Sanctions

If an ESO violates child protection provisions, administrative sanctions may be imposed in accordance with Article 38, paragraph (2), which include the following:

  1. Written warning;
  2. Administrative fine;
  3. Temporary suspension; and/or
  4. Termination of access.

8. Alignment with the Personal Data Protection Law (PDP Law)

GR 17/2025 serves as a technical implementing regulation of Indonesia’s Personal Data Protection Law (“PDP Law”). While the PDP Law provides general principles and rights concerning personal data, GR 17/2025 offers more specific and practical guidelines for protecting children’s data. These two regulations work together to provide comprehensive protection for personal data, including in the following key areas:

(i)   Parental Consent

  • The PDP Law requires electronic system providers to obtain parental consent before collecting children’s personal data.
  • GR17/2025 further emphasizes that this consent must be clear, explicit, and accountable.

(ii) Protection of Children’s Personal Data

  • The PDP Law mandates stricter safeguards for children’s data.
  • GR17/2025 specifies how systems involving children must implement high standards of data protection.

(iii) Responsibilities of Digital Platform Providers

  • Both regulations hold platform providers accountable for protecting children’s data.
  • They are required to ensure that their platforms are free from threats such as data misuse or harmful content.

9. Conclusion

GR 17/2025 is a major milestone in safeguarding children in Indonesia’s digital ecosystem. By setting clear standards and obligations for ESOs, the regulation bridges the gap between legal principles and practical enforcement in the digital space.

Together with the PDP Law, GR 17/2025 strengthens the legal and operational foundation for ensuring children’s safety, privacy, and well-being online. As digital engagement continues to grow among young users, these regulations will play a vital role in shaping a safer and more responsible digital environment.


  |