Conventus Law

Conventus Law

by

The Indonesian government has taken a significant step toward strengthening child protection in the digital environment with the issuance of Government Regulation No. 17 of 2025, dated March 27, 2025, regarding the Governance of Electronic System Implementation in Child Protection (“GR 17/2025”). This regulation imposes binding obligations on Electronic System Providers (“ESPs”) – both public and private – to implement measures that protect children’s personal data and uphold their digital rights. 

These obligations apply not only to services and platforms specifically designed for users under the age of 18, but also to any digital system that, by its design, features, or target audience, is reasonably accessible to or likely to be used by children.

GR 17/2025 provides a two-year transitional period for ESPs to bring their systems, internal policies, and operational practices into compliance with the regulation. Key obligations and implementation considerations are outlined in the sections below.

Key Compliance Obligations

Under GR 17/2025, all ESPs, whether public or private, are required to take active measures to protect children who use or access their platforms. The regulation introduces the following key definitions:

  1. Child: Any person under the age of 18.
  2. Electronic System: A set of electronic devices and procedures used to prepare, collect, process, analyze, store, display, announce, transmit, and/or distribute electronic information.
  3. Electronic System Provider: Any individual, government body, business entity, or community that provides, manages, and/or operates an electronic system, either independently or in cooperation with others, for its own purposes or on behalf of others.

The regulation applies to the following types of products, services, and features:

  1. Those specifically designed to be used or accessed by children; or
  2. Those that can reasonably be expected to be used or accessed by children, based on factors such as marketing strategies, user demographics, or the design and functionality of the user interface.

General Obligations

ESPs are required to implement technical and operational safeguards to protect children, including:

  1. Provide clear information on minimum age requirements, categorized into the following age groups:
  1. 3–5 years
  2. 6–9 years
  3. 10–12 years
  4. 13–15 years
  5. 16–17 years
  1. Implement user age verification mechanisms; and
  2. Establish reporting mechanisms to address misuse of products, services, or features that violate or may violate children’s rights.

Risk Level Categorization

Digital products, services, and features must be assessed and categorized based on the level of risk they pose to children – either (i) high risk or (ii) low risk.

The risk assessment must consider a range of factors, including:

  1. The potential interaction with unknown individuals;
  2. Exposure to pornographic, violent, or otherwise inappropriate content;
  3. The risk of exploiting children as consumers;
  4. Threats to a child’s psychological well-being; and
  5. Potential for physiological harm.

Core Obligations of ESPs

In addition to the above, ESPs are required to:

  1. Obtain verifiable consent from a parent or legal guardian before granting access to children; 
  2. Conduct a personal data protection impact assessment (DPIA) specific to child users; 
  3. Configure default privacy settings at a high level for products or services used by or accessible to children;
  4. Provide complete, accurate, and non-misleading information to users in a child-friendly manner; 
  5. Implement digital education and empowerment initiatives for children;
  6. Provide notifications (e.g., signals or icons) when tracking or monitoring a child’s activity or location;
  7. Offer age-appropriate features and functionality;
  8. Clearly designate the party responsible for processing children’s personal data in internet-connected toys or devices;
  9. Ensure that all third parties working with the ESP comply with applicable child protection standards; and 
  10. Appoint a Data Protection Officer (DPO) to oversee and implement personal data protection measures related to children.

Consent Mechanism and Timing

Importantly, GR 17/2025 requires that consent be obtained before a child is allowed to use any product, service, or feature offered by an ESP. This consent must be actively acquired and transparently communicated, ensuring that parents or guardians are fully informed and involved in the process.

The regulation allows for an opt-out mechanism in certain cases, subject to the following specific conditions: 

  1. For children under the age of 17, ESPs must allow a 24-hour window for the child’s parent or legal guardian to provide explicit consent. During this window, the child must not be granted access. If no consent is received within this 24-hour timeframe, access must be denied; and
  2. For children aged 17, ESPs may provisionally allow access unless the parent or guardian objects within six hours. If no objection is raised during this period, access may proceed.

If a parent or legal guardian refuses to provide consent, the regulation is clear: any prior consent given by the child is rendered null and void (batal demi hukum) and the ESP is obligated to delete the child’s personal data from its systems.

Prohibited Activities

The regulation prohibits ESPs from engaging in the following activities:

  1. Using hidden or non-transparent techniques in the development or operation of products, services, or features;
  2. Collecting the precise geolocation data of children, except where strictly necessary and limited in duration; and
  3. Engaging in profiling of children, except under strict conditions where it is demonstrably in the best interests of the child or explicitly requested by the child.

Supervision and Sanctions

The Ministry of Communication and Digital Affairs (“MOCDA”) is granted the authority to supervise the implementation of electronic systems as they relate to child protection. This includes the power to monitor compliance, receive and investigate public reports or complaints, conduct both preliminary and follow-up examinations, and access relevant systems, data, and documentation from ESPs. The MOCDA may summon ESPs, request clarifications, inspect digital infrastructure, and coordinate with other government bodies or experts. If violations are found, the MOCDA may impose administrative sanctions.

Violations of GR 17/2025 may result in one or more administrative sanctions, including:

  1. Written warnings;
  2. Administrative fines;
  3. Temporary suspension of products, services, or features; and/or
  4. Blocking access to systems.

The MOCDA is authorized to publicly announce any administrative sanctions imposed on ESPs through its official channels. In addition, failure to protect children’s personal data may trigger administrative sanctions under Indonesia’s Personal Data Protection Law (Law No. 27 of 2022 regarding Personal Data). 

Recommendations

To prepare for full compliance with GR 17/2025, ESPs should begin internal audits of their digital offerings, categorizing which services are likely to be accessed by children and assessing their risk levels. Providers should establish or refine their parental consent workflows, age verification tools, privacy policies, and internal governance structures, including the appointment of a Data Protection Officer with a clear mandate for overseeing children’s data protection.

ESPs are also advised to closely monitor the issuance of implementing regulations, which are expected to provide further clarity on matters such as age group classifications, the extent of MOCDA’s supervisory powers, and the procedural steps for enforcement.

With the two-year transition period now underway, ESPs are encouraged to begin making the necessary adjustments now. Failure to prepare for the upcoming enforcement regime may expose providers to significant legal, reputational, and operational risks. GR 17/2025 marks a broader shift toward more ethical digital practices. ESPs that take the lead in aligning with these standards will not only fulfil their legal obligations but also build lasting trust with the next generation of digital users. (3 June 2025)

WRITTEN BY

For further information, please contact:

Winnie Yamashita Rolindrawan – SSEK,
winnierolindrawan@ssek.com

Winnie Yamashita Rolindrawan - SSEK. Winnie Yamashita Rolindrawan holds a Bachelor of Laws in economic law from the University of Indonesia and a Master of Science in communications management. She also earned an LL.M. and a Business Law Certificate from UC Berkeley.

Winnie Yamashita Rolindrawan received her Bachelor of Laws in economic law from the University of Indonesia in 2002. In 2007, she earned her Master of Science from the Faculty of Social and Political Sciences at the same university, majoring in communications management. In 2016, Winnie received her Master of Laws (LL.M.) from the University of California, Berkeley, School of Law, where she also earned a Business Law Certificate from the Berkeley Center for Law and Business.

Winnie joined SSEK in 2007 and has represented major domestic firms and multinational companies in a variety of transactions. She has worked on numerous projects involving M&A, financial services and fintech, data privacy, pharmaceuticals and healthcare, corporate and commercial matters, foreign investment, e-commerce, and real estate and property (particularly hotels).

Her projects in the fintech sector include acting as Indonesian counsel to Didi Chuxing in the acquisition of a substantial stake in Grab Inc., a transaction valued at over US$1 billion, and acting as lead Indonesian counsel to Mastercard as the lead investor in the series B funding round of Digiasia, an Indonesian fintech startup. Winnie advises clients on all aspects of fintech and payment systems (including e-money, remittances, payment gateways and switching), from obtaining the relevant licenses to cross-border fintech M&A transactions and navigating complex regulatory, legal and commercial challenges to ensure compliance with the relevant fintech and payment system regulations of Indonesia’s Financial Services Authority (OJK) and Central Bank (Bank Indonesia).

In the healthcare sector, Winnie has represented pharmaceutical companies, including manufacturers and distributors, in providing practical solutions for their day-to-day operations, corporate and commercial contracts, and specific regulatory issues.

Prior to joining SSEK, Winnie worked at another prominent corporate law firm in Jakarta, where she was involved in various capital market transactions including IPOs, bond issues and rights issues. She helped handle several debt restructuring projects involving the Indonesian Bank Restructuring Agency (IBRA), an independent government agency established in response to the Indonesian financial crisis.

Winnie was also an associate procurement expert for an Asian Development Bank-Indonesian Ministry of National Development Planning (Bappenas) project, where she developed and drafted model national procurement documents.

Winnie is a licensed attorney and a member of the Indonesian Advocates Association (Peradi). She participated in the 2014 Academy of American and International Law, sponsored by the Southwestern Institute for International and Comparative Law in Dallas, Texas.

Having spent her childhood in Hamburg, Germany, she speaks German in addition to English and her native Indonesian.

Register for your monthly Asia legal updates from Conventus Law

Error: Contact form not found.

RELATED ARTICLES