On March 28, 2025, President Prabowo Subianto signed Government Regulation No. 17 of 2025 on Child Protection in the Implementation of Electronic Systems — known by its Indonesian acronym PP Tunas. Issued under the umbrella of the 2008 Electronic Information and Transactions Law (UU ITE) and the 2022 Personal Data Protection Law (UU PDP), the regulation introduces some of the most prescriptive child-safety obligations yet seen in Southeast Asia, and significantly expands what foreign platforms registered as Electronic System Operators (Penyelenggara Sistem Elektronik, or PSE) must do to operate legally in Indonesia.
For a market of roughly 280 million people — with one of the world's largest cohorts of young internet users — the rules are consequential. They also arrive on top of an already heavy regulatory stack: the MR5/2020 PSE registration framework, the PDP Law, content take-down obligations under Ministerial Regulation 5/2020, and the licensing powers held by the renamed Ministry of Communication and Digital Affairs (KOMDIGI, formerly KOMINFO).
What PP Tunas Actually Requires
PP Tunas applies to all Electronic System Operators — domestic and foreign — whose services are accessed by users under 18 in Indonesia. The core obligations include:
- Age verification and assurance for users at sign-up, with stricter measures for services deemed "high risk" to children.
- Parental or guardian consent for the processing of children's personal data and for access to services unsuitable for their age group.
- Child-rights risk assessments — a formal documentation requirement modelled in part on the UK's Age Appropriate Design Code and the EU Digital Services Act's risk-assessment regime.
- Default privacy and safety settings for accounts identified as belonging to minors, including limits on profiling and behavioural advertising.
- Reporting and grievance mechanisms tied to KOMDIGI, with penalties ranging from administrative warnings and access blocking to fines.
The regulation gives operators a transition window — reported by Indonesian legal commentators to be two years from promulgation — to implement the technical and organisational measures required. That places full enforcement around the first half of 2027.
Why This Matters for Foreign Platforms
Indonesia's PSE regime has been controversial since 2022, when KOMINFO briefly blocked PayPal, Yahoo Search and several gaming services for missing registration deadlines — a move that drew criticism from civil society and trading partners but signalled that Jakarta was prepared to use access-blocking as an enforcement lever. PP Tunas now layers child-safety obligations onto that same on/off switch.
For platforms with mixed-age audiences — social media, gaming, streaming, education-technology, e-commerce — the practical compliance lift is significant. Age verification at scale remains an unsolved problem globally: methods that work technically (document upload, biometric estimation, payment-card checks) often impose costs and privacy trade-offs that fall heaviest on smaller operators and on users with fewer formal identity documents — a meaningful share of Indonesia's population, particularly outside major urban centres.
There is also a real interaction with Indonesia's PDP Law (Law No. 27 of 2022), which itself imposes strict consent and data-minimisation rules. Operators must therefore design age-assurance systems that collect less data, not more, while still satisfying KOMDIGI that minors are reliably identified — a circle that has proven hard to square in jurisdictions with far more mature regulators.
The Proportionality Question
The goal of protecting children online is unimpeachable, and Indonesia is well within its sovereign rights to set rules for services offered in its market. But the design of those rules matters. International experience over the last three years offers a clear pattern: prescriptive, one-size-fits-all child-safety mandates tend to push platforms toward either over-collection of identity data (raising new privacy risks) or geo-blocking smaller services entirely (reducing user choice).
The UK's Online Safety Act experience — where smaller community sites and forums have warned about exit costs — is instructive. So is the ongoing legal pushback in the United States against state-level age verification laws, several of which have been preliminarily enjoined by federal courts on First Amendment grounds. The Electronic Frontier Foundation has consistently argued that mandatory age verification creates serious risks to anonymous speech and to the privacy of all users, not just minors.
For PP Tunas to succeed on its own terms, KOMDIGI's implementing guidance — still being finalised — will need to:
- Recognise privacy-preserving age-assurance methods (zero-knowledge proofs, on-device estimation, attribute-based credentials) rather than defaulting to document scanning.
- Scale obligations to actual risk and platform size, sparing low-risk and small operators from the most burdensome requirements.
- Avoid access-blocking as a first-line enforcement tool, which historically has done more reputational damage to Indonesia's digital-economy ambitions than to the targeted platforms.
- Provide clear safe harbours for operators that act diligently on identified risks — mirroring the approach taken by mature intermediary-liability regimes.
The Wider Stakes
Indonesia is the largest digital economy in ASEAN and a bellwether for the region. The choices KOMDIGI makes in implementing PP Tunas will be watched closely by Vietnam, the Philippines, Thailand and Malaysia, all of which have child-safety bills in various stages of drafting. A proportionate, technologically neutral, risk-based approach would set a positive regional precedent. A heavy-handed one — combined with the existing PSE access-blocking powers — risks chilling investment in the very digital services Indonesian children, parents and small businesses rely on.
Child safety online is a legitimate and urgent policy goal. The hard work, in Jakarta as elsewhere, lies in achieving it without breaking the open internet that makes the rest of the policy agenda possible.