Strengthening the Functional Autonomy of Data Protection Officers Under Indonesia’s PDP Law 2022: A Critical Legal and Institutional Review

Sidi Wiraguna - Universitas Esa Unggul Jakarta

Abstract


Law Number 27 of 2022 on Personal Data Protection introduces the mandatory appointment of a Data Protection Officer (DPO) as a key mechanism for accountability and compliance. This study critically examines whether Articles 53–54 of the PDP Law sufficiently guarantee the functional autonomy of the DPO in the context of Indonesia’s expanding digital economy and growing risk of data capitalism, where personal data is commodified for economic value. Using a normative-comparative legal method with the GDPR, the analysis demonstrates that although the PDP Law requires professionalism in DPO appointments, it lacks structural safeguards such as protection from interference, conflict-of-interest rules, and guaranteed access to resources—elements expressly regulated under GDPR Article 38. These gaps risk positioning the DPO as a symbolic compliance actor rather than an independent oversight mechanism. The contribution of this research lies in proposing the concept of an institutional firewall as an evaluative framework to assess and strengthen DPO autonomy in Indonesia. The findings imply the need for implementing regulations that institutionalize independence guarantees, reporting hierarchy, and enforcement mechanisms. Strengthening DPO autonomy is essential to ensuring effective privacy governance and realizing the constitutional right to personal data protection.



Keywords


Data Capitalism; DPO Independence; Personal Data Protection; PDP Law 2022; PPDP






DOI: https://doi.org/10.59818/jps.v4i3.2317