Subscribe to Our Newsletter

Success! Now Check Your Email

To complete Subscribe, click the confirmation link in your inbox. If it doesn’t arrive within 3 minutes, check your spam folder.

Ok, Thanks

Two Years Into the PDP Law, Your Credit File Is Still Pinned in a Telegram Channel

Indonesia's data protection law turned two in October. The Jakarta credit-profile brokers on Telegram are running the same price lists.

Carlo Cruz profile image
by Carlo Cruz
man and woman standing on road during night time
Photo: Yulia Agnis / Unsplash

Indonesia's Personal Data Protection Law passed in October 2022. Full enforcement was supposed to kick in by October 2024. We are now eight months past that deadline, and if you open Telegram and search the right Bahasa keywords, you can buy a Jakarta resident's KTP scan, NPWP, BPJS number, and Pinjol repayment history for the price of a Grab ride.

The price lists are not even hidden. Channels advertise bulk packages. Some throw in a free sample to prove the data is fresh.

The agency that was supposed to police this still does not fully exist

The PDP Law promised an independent data protection authority. What Indonesia got instead is a function parked inside Kominfo, now Komdigi, with a name change but the same staffing problem. The implementing regulation took almost two years to draft. The agency itself has been described as forthcoming for so long that the word has lost meaning.

Meanwhile, the leaks kept coming. BPJS Kesehatan, the tax directorate, the immigration office, the election commission's voter roll. Each breach got a press conference. None got a fine that mattered.

The brokers are not hackers in hoodies. They are former insiders.

Security researchers and digital rights groups in Jakarta have been saying the same thing for years. The data on Telegram does not look like the output of some sophisticated cyber operation. It looks like exports from bank back offices, Pinjol collections desks, telco CRMs, and government databases that anyone with a login can query.

The supply chain runs through people who already have access. A junior staffer at a multifinance company can download a slice of the customer file and resell it before the workday ends. The PDP Law theoretically criminalizes this. The conviction count is close to zero.

For young workers in Jakarta, the consequences are concrete

If you took out a Pinjol loan in college to cover a kos payment, that file follows you. Recruiters running informal background checks buy from the same channels. Landlords in Kelapa Gading ask for a credit screen that the building manager runs through a contact, not a regulated bureau.

Scam calls already know your full name, your employer, and the last four digits of your account. The harassment from debt collectors arrives at your sister's WhatsApp because her number was bundled in the same leak as yours.

Komdigi keeps blocking Telegram channels. The channels reopen by lunch.

The enforcement playbook so far has been takedown requests aimed at the platform, not the brokers. Telegram complies slowly, partially, and only on specific URLs. New channels spin up with slight name variations. The buyers find them through the same Google searches that worked in 2023.

Civil society groups, SAFEnet among them, have pushed for the data protection agency to be stood up as a real independent body with subpoena power and a budget that can hire forensic staff. The draft presidential regulation has been circulating for months. The version that finally lands will tell you whether the next two years look any different from the last two.

For now, the law exists on paper, the agency exists in a press release, and your KTP scan is sitting in a pinned message somewhere, waiting for the next buyer to message the admin.

Carlo Cruz profile image
by Carlo Cruz

Subscribe to New Posts

Fresh Philippine stories straight to your inbox, free, no spam, unsubscribe anytime.

Success! Now Check Your Email

To complete Subscribe, click the confirmation link in your inbox. If it doesn’t arrive within 3 minutes, check your spam folder.

Ok, Thanks

Read More