The Complete Guide to Using AI as a Legal Professional in Indonesia in 2025

Indonesia's AI landscape in 2025 is a live regulatory story that every lawyer needs to read closely: comprehensive chapters like SSEK's

Artificial Intelligence in Indonesia: Legal and Regulatory Insights

map out risks across data protection, IP, employment and liability, while practical analyses such as

Navigating Indonesia's Emerging AI Regulations

explain how the EIT Law, GR 71/2019 and the PDP Law (effective Oct 2024) already require DPIAs for automated decision‑making and carry penalties - including criminal exposure and fines up to Rp6,000,000,000 - for noncompliance; this guide pulls those threads together and turns them into actionable steps for counsel, compliance teams, and litigation lawyers who must translate national strategy (Stranas KA), sectoral ethics rules, and evolving ministerial rules into defensible contracts, vendor checks and courtroom arguments.

For lawyers ready to build practical AI skills for advising clients, see the AI Essentials for Work syllabus - practical AI skills for the workplace.

Program	Length	Early Bird Cost	Link
AI Essentials for Work	15 Weeks	$3,582	AI Essentials for Work syllabus (15 Weeks)
Solo AI Tech Entrepreneur	30 Weeks	$4,776	Solo AI Tech Entrepreneur syllabus (30 Weeks)
Cybersecurity Fundamentals	15 Weeks	$2,124	Cybersecurity Fundamentals syllabus (15 Weeks)

In Indonesia in 2025 AI is being used as a practical, time‑saving partner across core legal workflows: firms are applying it to legal research and regulatory monitoring, contract drafting and clause extraction, large‑scale due diligence (think thousands of pages analysed in a single pass), transcription/summarisation for hearings and meetings, and client‑facing Q&A or intake automation - less hype, more workflow.

Local and regional products show the range: Hukumonline's Ailex and lessons from the APIHI webinar on AI in legal research and implementation explain how tools can surface relevant statutes and precedents quickly, while platforms like Gani AI document processing platform for legal workflows and Genie AI drafting and contract review tools (Indonesia) speed routine drafting and risk flagging with templates and clause suggestions.

Global systems such as Harvey AI and Claude augment capacity for large‑scale review, and an expanding domestic ecosystem (Kata.ai, Libera, Konvergen AI, Quantŷc.ai and many more) is building Indonesia‑specific NLP, automation and legal‑service integrations - making AI invaluable for litigation prep, compliance checks and procurement review, provided lawyers keep human verification front and centre.

Use case	Example tools / providers
Legal research & regulatory monitoring	Hukumonline Ailex; APIHI webinar insights
Document processing & contract drafting	Gani; Genie AI; Harvey AI
Long‑context due diligence	Claude (long‑context review)
Local NLP & workflow automation	Kata.ai, Libera, Konvergen AI, Quantŷc.ai

“lawyers will shift their focus from routine activities to much more high value work involved in shaping strategies and navigating complex legal problems.” - Professor Gillian K. Hadfield, University of Southern California

Indonesia's AI rulebook in 2025 is anchored not by a single “AI law” but by a tight data‑protection scaffold lawyers must read first: Law No. 27 of 2022 (the PDP Law) is the overarching privacy statute (effective 17 October 2022, with the two‑year conformity window closing 17 October 2024) and sets GDPR‑style duties - lawful bases for processing, data‑subject rights, DPIAs for high‑risk processing and limits on automated decisions - while electronic‑system rules (EIT Law, GR 71/2019 and MOCD implementing regs) and sector rules layer extra obligations and sanctions on top.

Practically, this means ESP registration with KOMDIGI/MOCD, mandatory breach notifications within 72 hours to the regulator and affected subjects, and cross‑border transfers only on the sequence of adequacy → safeguards → consent; enforcement can include administrative suspension, deletion orders, heavy fines and even criminal exposure measured in billions of rupiah.

For AI specifically, MOCD's Circular Letter No. 9/2023 offers ethics guidance and OJK has a fintech Code of Ethics on responsible AI, so counsel must map PDP Law duties onto sectoral ethics and vendor agreements; legal advisers tracking the implementing regulation and the pending Data Protection Authority should monitor updates at sources such as Indonesia PDP Law No. 27 of 2022 (Data Protection) - DLA Piper briefing and MOCD Circular Letter No. 9/2023 on AI ethics and OJK fintech Code of Ethics - SSEK overview to translate those obligations into DPIAs, DPO policies and contract clauses before the regulator finalises rules.

Instrument	What lawyers must watch
Indonesia PDP Law No. 27 of 2022 (Data Protection) - DLA Piper briefing	Overarching privacy framework, DPIAs, data‑subject rights, extraterritorial scope, sanctions
EIT Law / GR 71 / MOCD regs	Electronic system operator (ESO/PSE) registration, system security, reporting rules
MOCD Circular Letter No. 9/2023 on AI ethics and OJK fintech Code of Ethics - SSEK overview	Ethics guidance for AI use; sectoral rules (finance) on transparency, accountability

Indonesia's AI governance is a layered, institution‑forward system where ethics guidance and sector codes sit atop the new PDP Law and a still‑maturing regulatory architecture: the Ministry of Communication and Digital Affairs has issued Circular Letter No.

9 of 2023 on AI ethics and the Financial Services Authority (OJK) has published a fintech Code of Ethics for responsible AI, while the PDP Law (and its Draft GR PDP) and GR 71/2019 require DPIAs and set cross‑border transfer rules - practical guardrails that lawyers must map into contracts, vendor checks and operational controls.

Because the national Data Protection Authority is not yet formed, the Directorate General of Digital Space Supervision within MOCD currently handles personal data supervision, and regulators are actively shaping standards as adoption grows; that means compliance work often happens while rules are still being finalised, so counsel should treat CL 9, OJK guidance and PDP Law duties as the operative playbook today (see an overview at Chambers' Indonesia data‑protection guide and a close look at ethical positions by MOCI and OJK at HBT Law).

Beyond domestic policy, Indonesia is pushing for inclusive global AI governance on the world stage - an important signal that national rules aim to balance innovation with fairness and accountability for all stakeholders.

"Our presence in this forum is not only to get a table in the global AI discussion, but to ensure that AI policies reflect the interests of developing countries," Hafid said.

Indonesia sits inside a regional surge: the global legal‑AI market leapt from roughly $2.3B in 2024 to about $2.77–2.79B in 2025, a near‑20% jump that market analysts say will nearly double again by the end of the decade, driven by cloud deployments, NLP and contract/ eDiscovery use cases - so firms and in‑house teams in Jakarta and beyond are moving from experiments to routine pilots for contract review, regulatory monitoring and long‑context due diligence.

Asia‑Pacific is flagged as the fastest‑growing region in the forecasts, and public sentiment in Indonesia is strongly pro‑AI (Stanford HAI found about 80% optimism), which helps explain why local practitioners are pairing global platforms with Indonesia‑focused tools and workflows; for market context see The Business Research Company legal AI market briefing and the Stanford 2025 AI Index report, and for a practical long‑context option many teams are already trialling Anthropic Claude long‑context model for massive document review.

Metric	Value / Note
Global market size (2024)	$2.3 billion
Global market size (2025)	$2.77–2.79 billion
Forecast CAGR (mid‑2020s)	~19.7%–19.9% (2025–2029/2034 forecasts)
Fastest‑growing region	Asia‑Pacific (report forecasts)
Indonesia public optimism (2025)	~80% see AI as more beneficial than harmful - Stanford HAI

Data protection is the legal backbone for any AI deployment in Indonesia: the PDP Law (Law No. 27/2022) is fully in force and - together with the EIT regime and sector rules - turns routine AI tasks into regulated processing that demands documented legal bases, security controls and risk assessment.

For AI that uses personal data this means mandatory Data Protection Impact Assessments where automated decision‑making or large‑scale/specific data processing is involved, appointed DPOs in qualifying scenarios, and prompt breach handling (controllers must notify regulators and affected subjects within 72 hours); cross‑border transfers must follow the staged test of adequacy → appropriate safeguards → consent; and supervisory responsibility remains with KOMDIGI until the national Data Protection Authority is established.

Practically, counsel advising AI projects must treat CL 9 and OJK's fintech Code of Ethics as operative ethical guidance while mapping PDP duties into DPIAs, Records of Processing Activities and vendor contracts to avoid administrative measures (including suspension or deletion orders and fines such as percentage‑of‑revenue penalties) and criminal exposure (individual and corporate fines up to IDR 6 billion in the most serious cases).

For a clear, practice‑oriented walkthrough of these obligations see Chambers' Indonesia data‑protection briefing and DLA Piper's PDP overview, and for AI‑specific/regulatory context consult recent practical guidance on emerging AI rules in Indonesia.

Key obligation	Short note
PDP Law effective	In force (two‑year transition ended 17 Oct 2024)
DPIA / ADM	Required for high‑risk automated decision‑making and large‑scale processing
Breach notification	Notify regulator and data subjects within 72 hours
Cross‑border transfers	Adequacy → safeguards → consent (in sequence)
Enforcement	Administrative fines (incl. % of revenue), criminal fines and possible imprisonment; corporate exposure up to IDR 6 billion

Turn AI compliance from an afterthought into a repeatable checklist: map every AI use to a lawful basis and a Record of Processing Activities (ROPA); run a Data Protection Impact Assessment (DPIA) for any high‑risk or automated decision‑making system and keep it date‑stamped like an evidentiary exhibit; confirm whether a Data Protection Officer is required (large‑scale specific data, public services or systematic monitoring); register electronic systems/operators with KOMDIGI where applicable and keep TDPSE details current; bake breach response into project plans with a 72‑hour regulator/subject notification workflow and clear remediation steps; lock vendor contracts to require processor‑level safeguards, audit rights and sub‑processor controls; follow the cross‑border transfer sequence - adequacy → appropriate safeguards → consent - and document the transfer impact assessment; operationalise MOCD CL 9 and sector codes (OJK for fintech) into AI governance, explainability and transparency obligations; apply extra caution for children's or health data and retain proof of consent where used; and train teams plus maintain a compliance diary while watching Draft GR PDP and DPA developments.

For quick legal reference see DLA Piper's PDP Law briefing and SSEK's overview of MOCD Circular Letter No. 9/2023 on AI ethics to translate each item into contract clauses, DPIA checklists and courtroom‑ready records.

Checklist item	Practical action
Lawful basis & ROPA	Document basis for each processing purpose and maintain ROPA
DPIA / ADM	Perform DPIA for high‑risk AI and automated decisions; keep dated evidence
DPO & staffing	Appoint/nominate DPO if thresholds met; log responsibilities
ESO / PSE registration	Register with KOMDIGI (TDPSE) when providing electronic systems
Breach plan	72‑hour notification template + remediation playbook
Cross‑border transfers	Apply adequacy→safeguards→consent sequence; document assessments

Contracts, procurement and vendor management for AI in Indonesia must turn PDP Law duties into enforceable clauses: treat every AI supplier as either a processor or controller on paper, require Records of Processing Activities and DPIA support, and insist on 72‑hour breach notification and data‑subject request fulfilment as contract‑level obligations (the PDP Law and related regs make these non‑negotiable).

Build in explicit limits on vendors using Indonesian personal data to train models - require a

“no‑training” or explicit consent clause

and retain IP ownership and model‑use restrictions (see Genie's Indonesia third‑party processor agreement template for practical language).

Lock in technical safeguards (encryption, tokenization, HSM/key‑management expectations) and, where possible, local hosting or data isolation to avoid risky cross‑border transfers unless the adequacy→safeguards→consent sequence is satisfied; vendor risk tools and automated DSR/workflow features can help operationalise these obligations (Securiti's PDPL guidance maps vendor risk assessments and DSR automation to contract terms, while Skyflow highlights Jakarta‑based vaults to reduce transfer exposure).

Clause	Why it matters
Processor vs Controller & ROPA	Allocates liability and ensures Records of Processing Activities for regulator review
Breach notification (72 hrs) & DSR support	Meets PDP Law timing and automates subject rights and notifications
Data use / no‑training & IP ownership	Prevents vendor model‑training on client data and protects IP
Security, encryption & key management	Data‑centric controls (tokenization/HSM) reduce breach risk and simplify scope
Cross‑border transfer clause	Requires adequacy→safeguards→consent sequence and transfer impact assessments
Audit, sub‑processor visibility & deletion certification	Enables compliance verification and proof of lawful disposition

Don't forget audit rights, sub‑processor transparency, deletion/certification obligations and indemnities tied to regulatory fines (including administrative fines up to a % of revenue under PDP Law): in practice, it's wise to require vendors to

“hand back the keys”

- certified deletion or token return - so a single contractual breach can't leave your client's data scattered across unseen systems.

Using AI in Indonesian litigation, arbitration and dispute resolution can speed document review and uncover patterns across large evidence sets, but it also sits inside a distinct local procedural landscape that counsel must respect: Indonesia's Arbitration Law and the 2025 BANI Rules modernise procedure (including emergency arbitration and a two‑business‑day challenge window for appointed emergency arbitrators), so any AI‑driven submission or tribunal process must be mapped to those timelines and language rules (see Chambers' Indonesia arbitration guide).

International soft‑law is filling procedural gaps: the CIArb Guideline on the Use of AI in Arbitration recommends early disclosure, procedural orders or an AI agreement, and warns that tribunals may regulate AI use, require transparency about models and data, and even draw adverse inferences or cost consequences for non‑compliance - because risks such as confidentiality breaches, algorithmic bias, cybersecurity gaps and even model “hallucinations” can threaten due process and the enforceability of an award.

Practically, teams using long‑context models for massive review (for example, Claude‑style long‑context workflows) should thread a human‑verification rule through every stage: flag AI outputs, document tool settings and data inputs, and agree procedural safeguards with the tribunal up front so efficiency gains don't become grounds for later challenges; courts and tribunals in Indonesia increasingly expect parties to be able to explain how AI affected evidence, analysis and decision‑making, and to preserve the integrity of the record if an enforceable award is the end goal.

“give guidance on the use of AI in a manner that allows dispute resolvers, parties, their representatives, and other participants to take advantage of the benefits of AI, while supporting practical efforts to mitigate some of the risk to the integrity of the process, any party's procedural rights, and the enforceability of any ensuing award or settlement agreement.”

Next steps for legal professionals working with AI in Indonesia in 2025 are practical, immediate and strategic: map every AI use to a lawful basis and a live Record of Processing Activities (ROPA), run and date‑stamp a Data Protection Impact Assessment for high‑risk or automated decision‑making (treat DPIAs like an evidentiary exhibit), and lock vendor contracts to require processor‑level safeguards,

no‑training model clauses

72‑hour breach notification and audit/sub‑processor rights so a single contractual gap can't scatter client data across unseen systems; remember the PDP Law is in force, the national Data Protection Authority is not yet formed, and the MOCD/OJK ethics guidance already expects explainability and accountability, so track implementing rules closely at reliable briefings such as Chambers' Indonesia data‑protection guide and DLA Piper's PDP overview, adopt a risk‑based approach to children's and health data, and operationalise incident response (the 72‑hour clock is real - the inbox will show it).

For practical upskilling, consider short, work‑focused training like the Nucamp AI Essentials for Work syllabus to build prompt skills, governance routines and vendor assessment checklists that counsel can use the same day they advise clients.

Immediate next step	Why it matters / resource
Perform DPIA & maintain ROPA	Required for high‑risk AI under PDP Law; helps demonstrate accountability
ESO/PSE registration & vendor contracts	Register with KOMDIGI where applicable; contract clauses allocate liability and require 72‑hour breach notification
Cross‑border transfers plan	Follow adequacy → appropriate safeguards → consent sequence and document assessments
Train teams on practical AI governance	Build explainability, prompt and vendor assessment skills - see the Nucamp AI Essentials for Work syllabus