A Compliance Milestone Worth Noting
On June 26, 2026, Indonesia's Ministry of Communication and Digital (Komdigi) announced that approximately 200 digital platforms — including Netflix, TikTok, Shopee, Tokopedia, Lazada, and ChatGPT — had submitted child safety self-assessment risk reports under Government Regulation No. 17/2025, better known as PP TUNAS (Tata Kelola Penyelenggaraan Sistem Elektronik dalam Pelindungan Anak). The scale of voluntary submission — spanning e-commerce, gaming, streaming, and AI services — is a genuine policy achievement for a regulation that only became effective April 1, 2025.
The headline numbers confirm that implementation has begun in earnest. TikTok deactivated 4.1 million child accounts in Indonesia as of June 2026. YouTube removed roughly 600,000 child accounts by May 2026. Minister Meutya Hafid has stated that Komdigi is now reviewing all submissions to classify platforms as either high-risk or low-risk, with public disclosure of risk profiles to follow. She framed the ambition clearly: "We are not just restricting children's access; we want to see changes in platform behavior."
That framing matters. PP TUNAS is not Australia-style prohibition. It is a structural attempt to build child protection into platform architecture — and that distinction deserves serious analysis.
What PP TUNAS Actually Requires
The regulation, signed by President Prabowo Subianto on March 28, 2025, imposes four layers of obligation on Electronic System Operators (ESPs): age verification and parental control systems; active content moderation to filter violence, sexual exploitation, and gambling material; accessible reporting tools for harmful content; and stringent restrictions on collecting or processing children's data for commercial purposes — including targeted advertising and behavioural profiling.
The age framework is tiered. Children under 13 cannot hold social media accounts at all. Those aged 13 to 15 may access certain platforms only with verified parental approval. Teenagers aged 16 to 17 face stricter age verification and parental sign-off for high-risk platforms. PP TUNAS builds directly on Law No. 27/2022 on Personal Data Protection, which categorises children's data as a special category requiring heightened handling — extending Indonesia's broader data protection architecture into the domain of minors.
The self-assessment process maps each platform's features against risk criteria: whether the service enables interaction with unknown parties; whether it exposes users to potentially harmful content; the degree of economic exploitation risk; the platform's data practices; addiction potential; and psychological impact. Platforms classified as high-risk face heavier compliance obligations. Komdigi's current review of the 200 submissions will determine where each platform sits on that spectrum.
The Strongest Case For This Approach
The protective case for PP TUNAS is not weak, and critics of the regulation would do it a disservice by pretending otherwise. Indonesia has approximately 278 million people; roughly 48 percent of internet users are under 18, according to Komdigi's own data. The combination of rapid smartphone penetration, widespread social media use among adolescents, and documented harms — grooming, data exploitation, harmful algorithmic exposure — creates a genuine policy problem that doing nothing does not solve. The self-assessment process gives platforms agency to identify and remediate their own risk profiles, which is more likely to produce durable behavioural change than a top-down account ban.
The TikTok and YouTube deactivation numbers also demonstrate that the regulation has already moved markets. A combined 4.7 million child account removals across two platforms, before enforcement formally begins, is not nothing. For a regulation still within its grace period — full enforcement does not begin until March 27, 2027 — that level of pre-emptive compliance reflects credible platform incentives.
A risk-based framework, properly designed, is also more likely to survive legal challenge and avoid collateral damage to legitimate youth access than blunt age bans. Indonesia's constitution protects the right to information; a proportionate, evidence-anchored regulatory architecture is more defensible than categorical exclusion.
Where the Framework Falls Short
The problem is enforcement architecture. Multiple legal analysts have noted that PP TUNAS's sanction regime — formal warnings, compliance orders, potential access restriction — is "relatively mild and more administrative in nature," standing in sharp contrast to Australia's Online Safety Act, which carries fines of up to AUD 50 million for systemic violations. When the ceiling for persistent non-compliance is temporary access suspension rather than material financial penalty, the incentive to invest heavily in compliance infrastructure is weakened.
The grace period until March 2027, while sensible for smaller domestic operators, creates a two-year window in which large platforms with the resources to comply immediately face no differentiated consequence for delay. A risk-tiered sanction regime — where verified high-risk platforms face accelerated timelines and steeper penalties than low-risk operators — would sharpen incentives without burdening the full ecosystem equally.
There is also the question of who is not in the 200. Indonesia has millions of active digital services, many of them smaller domestic platforms. The compliance burden of self-assessment, parental consent infrastructure, and tiered age verification is disproportionately costly for sub-scale operators. Without targeted guidance and lighter-touch compliance pathways for genuinely low-risk services, PP TUNAS risks concentrating compliance among well-resourced multinationals while leaving domestic apps structurally out of reach.
What the Next Phase Must Get Right
Komdigi's immediate task — completing the risk classification review and publishing platform profiles — is more consequential than it might appear. A credible, transparent high/low-risk taxonomy will determine whether PP TUNAS becomes a model for child data protection in Southeast Asia or a framework that large platforms can navigate by self-reporting minimum thresholds.
Indonesia has an opportunity here. It has framed PP TUNAS explicitly as a potential global standard, having presented it at multilateral forums. A well-executed classification process, backed by meaningful enforcement gradients when the grace period expires, would give that ambition substance. Voluntary compliance at 200 platforms is a real start. Whether the architecture behind it can hold non-compliant actors to account is the unresolved question.