On 18 November 2022, President Joko Widodo ratified Law Number 27/2022 regarding Personal Data Protection ("PDP Law"). While this law serves as an umbrella regulation for personal data protection, PDP Law does not instantly invalidate the previous relevant regulations. Nonetheless, PDP Law prevails in case of contradiction with the previous relevant regulations.
Under PDP Law, the personal data controller must prevent leakage of personal data by protecting the security of personal data from access, disclosure, unauthorized alteration, misuse, destruction and loss of personal data in processing personal data.
While Indonesia has introduced the concept of blockchain in the financial services industry regulations, there is currently no comprehensive regulatory framework regarding it. NFT platforms are not specifically regulated either, but they are subject to the provisions on ESP. Furthermore, although Indonesia is yet to establish a data privacy law, MOCI has regulated personal data protection in electronic system. As ESP, NFT platforms are obliged to be registered with MOCI, where one of the requirements during registration is that the ESP must ensure its users' information security and personal data protection. The ways to do this are by ensuring that every time personal data is gathered, processed, stored, distributed, or banished, it is based on the consent of the user. As such, NFT platforms also must establish their own privacy policy.
Additionally, a topical problem that may arise is on the verification of identity and source of funds, as corruption is still at large in Indonesia. There is a concern that the funds used to make the cryptocurrency purchase may be criminal proceeds as there is very minimum personal data and verification needed to start trading.