On June 2, 2026, Indonesia's Communication and Digital Minister Meutya Hafid issued a blunt reminder to the technology industry: every Electronic System Operator (PSE) doing business in the country — local or foreign — must file a child-protection self-assessment by June 6. The instruction operationalizes PP Tunas (Government Regulation 17/2025) and its implementing rule, Permen Komdigi 9/2026, which require platforms to grade their own risk to children against seven aspects broken into dozens of compliance indicators. Failure to file can trigger administrative warnings, temporary access suspension, or full termination of service in Indonesia.
The ambition is real, and so is the political will behind it. As Hafid put it, the government wants to ensure parents "no longer have to fight alone against the algorithm giants." That is a defensible goal — and before critiquing the design, it deserves a fair hearing.
What PP Tunas actually requires
Signed in 2025 and enforced from March 28, 2026, PP 17/2025 is broader than a social-media age law. It reaches "all electronic system providers, including social media, online gaming and e-commerce platforms," per The Jakarta Post. It sets graduated age tiers, bars children under 16 from high-risk services, and requires parental consent for users under 18. Permen Komdigi 9/2026 then asks each platform to classify itself as low-, medium-, or high-risk by self-assessing against seven aspects: contact with strangers, exposure to harmful content, consumer exploitation, personal-data security, addiction, psychological harm, and physical harm. Those aspects are reported to expand into 58 granular indicators.
Enforcement has already produced visible results. By April 28, 2026, seven major platforms — X, TikTok, Facebook, Instagram, Threads, YouTube and Bigo Live — had committed to compliance, and TikTok alone reported closing roughly 1.7 million accounts belonging to users under 16, according to Indonesia's state news agency ANTARA.
The strongest case for the rule
The case for PP Tunas is straightforward and serious. Indonesia has one of the world's largest and youngest online populations, and the documented harms — grooming, exposure to pornography and self-harm content, gambling-adjacent monetization, and engagement-maximizing designs that exploit developing impulse control — are not hypothetical. A self-assessment regime, in principle, forces platforms to do something they too often avoid: write down, in a structured way, how their product can hurt a child and what they have done about it. Komdigi has stressed that a high-risk profile "does not automatically indicate a violation," framing the exercise as risk-mapping rather than a presumption of guilt. That is the better version of this policy, and it is closer to the "safety by design" logic regulators worldwide are converging on.
Where the design works against the goal
The problem is not the objective but the architecture. Three features make PP Tunas heavier than the harm it targets.
Scope is indiscriminate. Applying an identical 58-indicator self-assessment to every PSE — from TikTok to a two-person Indonesian SaaS tool or a niche e-commerce store with no child users — converts a child-safety rule into a universal paperwork mandate. The risk that matters is concentrated in a handful of high-reach, algorithmically curated platforms. A proportionate regime would scale obligations to reach and actual exposure to minors, not impose the same documentation burden on a logistics API as on a video network used by tens of millions of teenagers.
Age verification is a privacy liability. Hard age-gating at 16 and 18 requires platforms to know users' ages, which in practice pushes toward identity checks or document uploads. That creates exactly the kind of sensitive-data honeypot that endangers children and adults alike — a tension underscored in the same period by the ShinyHunters breach of the Canvas education platform, which exposed data tied to a reported 275 million people. A child-protection rule that incentivizes mass collection of birthdates and ID scans can trade one harm for another.
The compliance signal can crowd out the substance. A self-graded checklist due on a fixed date rewards platforms that can marshal lawyers and fill 58 boxes — not necessarily those that build the safest products. Komdigi's own officials have acknowledged the framework is dense, saying they are working to make the language "more tone down" and more understandable. When a regulator concedes its own indicators are hard to parse weeks before the deadline, the honest reading is that the timeline is rushed.
A more proportionate path
None of this argues for inaction. It argues for calibration. Indonesia could tier obligations by user reach and verified minor-exposure, accept privacy-preserving age-assurance (on-device estimation, tokenized attestations) instead of document collection, and treat the self-assessment as the start of an iterative dialogue rather than a pass/fail gate enforced by access termination. The threat to cut off a foreign platform's access is a powerful lever; used against a firm that filed late but is demonstrably investing in safety, it punishes process over outcome — and chills the open, globally connected internet that Indonesian users and businesses depend on.
PP Tunas is one of Asia's most assertive child-safety experiments, and on intent it is hard to fault. The June 6 deadline will reveal whether Indonesia has built a system that measures real protection — or merely the ability to complete a form on time.