Indonesia's House of Representatives (DPR) is done drafting. On July 15, 2026, the Legislative Body (Baleg) unanimously approved the RUU Satu Data Indonesia — the One Data Indonesia bill — sending it to a plenary session to be formalized as a DPR-initiated bill, according to DPR's own legislative tracking coverage and Kompas's report from the same day. Working Committee Chair Sturman Panjaitan confirmed the final text runs 17 chapters and 138 articles — up from a 130-article draft floated in April — covering data classification (including blockchain and AI-generated data), interoperability standards, metadata rules, and a new institutional hierarchy of stewards, custodians, and producers at the central and regional level.
What's actually happening is a promotion. Since 2019, Indonesia's government data policy has run on Presidential Regulation No. 39 of 2019, a lower-order instrument the official Satu Data Indonesia portal confirms as the current legal basis for standardizing and sharing data across ministries and regions. A presidential regulation cannot easily bind the DPR, cannot easily impose criminal or administrative sanctions, and is trivially reversed by the next administration. Turning it into a statute is a real upgrade in enforceability — which is exactly the point.
The case for it
The steelman here is strong. Indonesian ministries have spent years working from inconsistent registries — different agencies producing conflicting counts of who qualifies for subsidies, how many poor households exist in a given district, or what a regional dataset even means once cross-referenced against a national one. Baleg Chair Bob Hasan called the bill "sentral untuk perencanaan pembangunan nasional" — central to national development planning — and pushed for daily committee sessions to finish it within the current legislative term, per Antara's coverage of the drafting sessions. A statute with actual enforcement mechanisms — rather than a Perpres agencies can quietly ignore — is a defensible answer to a genuine coordination failure. Countries building digital public infrastructure at Indonesia's scale (270 million people, thousands of islands, a notoriously siloed bureaucracy) do need binding interoperability rules. That much of the bill is proportionate.
The problem is sequencing, not the concept
Where this gets harder to defend is timing. Indonesia already passed a comprehensive data law once before — the 2022 Personal Data Protection Law (UU PDP, Law No. 27/2022), enacted October 17, 2022, with a compliance transition that lapsed October 17, 2024. That law mandates an independent supervisory institution to enforce it, complete with breach-notification duties and fines up to 2% of annual revenue. As of 2026, that institution still doesn't operate — its founding presidential regulation remains stuck in inter-ministerial harmonization, a delay running since 2022, according to legal-sector reporting compiled by Pasal.id. Indonesia is now writing a second major data statute — one that explicitly centralizes and interconnects government-held data — before the watchdog for the first one has ever issued a ruling.
That sequencing gap matters because the underlying infrastructure is not hypothetically fragile. Indonesia's National Data Center was crippled by the Brain Cipher ransomware attack in June 2024, disrupting immigration and other public services for weeks. The Communications Ministry's own data center (PDSI) was breached in February 2025. In October 2025, a threat actor using the alias "Bjorka" claimed to leak 128 million SIM registration records — national ID numbers, phone numbers, registration dates — an incident detailed in a 2025 breach roundup, which also cites Surfshark figures showing Indonesian account breaches nearly doubling quarter-on-quarter through 2025. Centralizing more government data before those weaknesses are remediated raises the value of the target faster than it raises the cost of attacking it.
"Teknologi informasi bukan lagi instrumen netral, ia telah menjadi kekuatan yang memengaruhi cara negara menjalankan kekuasaan" — information technology is no longer a neutral instrument; it has become a force shaping how the state exercises power.
That warning, from PKB legislator Habib Syarief during committee deliberations, framed the risk as "Digital Leviathan" and "algokrasi" — algorithmic power without clear accountability — per his faction's published remarks. He pushed for a citizen "right to explanation" wherever algorithmic systems drive public-service decisions, and for accountability that applies equally to government and private data handlers — not one rulebook for the state and a looser one for everyone else.
What proportionate would look like
None of this argues against Satu Data Indonesia's core goal. It argues for conditioning it. The plenary and subsequent government negotiation should attach three things before enactment: an enforcement and audit function genuinely independent of the ministries whose data it oversees (not folded into the same steering committee that produces the data); breach-notification and liability standards that mirror UU PDP's rather than creating a parallel, looser regime for government-held data; and narrow, periodically reviewed scope for the bill's blockchain/AI data-classification powers so "data sovereignty" doesn't quietly become a data-localization mandate for cloud and AI infrastructure providers. Indonesia has correctly diagnosed that a presidential regulation was too weak to run a national data system. It should not repeat that mistake by writing a second superstructure before the first one has a functioning enforcer.