Institutional Dysfunction in Personal Data Protection: A Legal-Political Analysis Based on New Institutional Theory

Authors

  • Rengga Kusuma Putra Fakultas Hukum, Universitas Sains dan Teknologi Komputer Semarang, Jawa Tengah, Indonesia https://orcid.org/0000-0002-2485-7231
  • Yulia Agustin Fakultas Syari'ah dan Hukum, UIN Sunan Kalijaga, Yogyakarta, Indonesia
  • Latif Nurul Ihsan Fakultas Syari'ah dan Hukum, UIN Sunan Kalijaga, Yogyakarta, Indonesia
  • Zaki Ahmad Dafiqi Fakultas Syari'ah dan Hukum, UIN Sunan Kalijaga, Yogyakarta, Indonesia

DOI:

https://doi.org/10.51903/bkktey52

Keywords:

Personal Data, Institutional Dysfunction, Institutional Theory, Legal Politics, Data Breaches

Abstract

Indonesia is facing a personal data protection crisis, as cases of sensitive information leaks from various public institutions continue to increase. Although Law No. 27 of 2022 on Personal Data Protection has been enacted, recurring incidents, such as the hacking of eHAC, BPJS Kesehatan, PeduliLindungi, and ransomware attacks on the National Data Center, demonstrate a weak implementation at the institutional level. This research aims to identify and analyze the forms of institutional dysfunction in personal data protection in Indonesia. This research uses a qualitative approach with a descriptive-analytical design, relying on data from literature studies, documentation, online media news, and in-depth interviews with informants from government institutions, academics, and digital rights activists. The research findings indicate that there are three primary forms of institutional dysfunction: weak formal structures, a bureaucratic culture that is unresponsive, and limited technical capacity. The absence of independent oversight institutions, overlapping inter-agency authorities, and minimal public accountability exacerbate this situation. These findings are analyzed using the new institutional theory, which emphasizes the importance of internal norms and the logic of appropriateness in institutional behavior. This research contributes to filling the gap in digital law studies in Indonesia by highlighting the role of institutional culture and legal politics in explaining the failure of data protection. In conclusion, adequate personal data protection is not sufficient with formal regulations alone, but requires institutional reforms that address structural and cultural aspects, as well as the establishment of an independent supervisory authority that is adaptive to digital threats.

References

Alam, M. K., & Miah, M. S. (2024). Do Islamic Banks use Institutional Theory in the Light of Shariah Governance? Empirical Evidence from a Muslim Dominant Country. Heliyon, 10(2), 24252. https://doi.org/10.1016/j.heliyon.2024.e24252

Alberton, C. S. C. (2021). The Fundamental Right of Confidentiality and Integrity of IT systems in Germany: a call for “IT Privacy” right in Brazil? International Cybersecurity Law Review, 2(2), 253–269. https://doi.org/10.1365/s43439-021-00037-4

Arda, R., Christian, D., & Raga, W. J. (2025). Restorative Justice for Online Hate Speech: A Socio-Legal Framework. Hakim: Jurnal Ilmu Hukum Dan Sosial, 3(2), 1179–1193. https://doi.org/10.51903/zywfje63

Aurellia, A. (2025). Cara Hindari Penipuan Pinjol yang Makin Marak, Simak soal Data Pribadi! Detik.Com. https://www.detik.com/jatim/hukum-dan-kriminal/d-7908836/cara

Chan, H. Y., Toh, H. J., & Lysaght, T. (2024). Cross-jurisdictional Data Transfer in Health Research: Stakeholder Perceptions on the Role of Law. Asian Bioethics Review, 16(4), 663–682. https://doi.org/10.1007/s41649-024-00283-8

Coates, S. K., Trudgett, M., & Page, S. (2023). Indigenous Institutional Theory: a New Theoretical Framework and Methodological Tool. Australian Educational Researcher, 50(3), 903–920. https://doi.org/10.1007/s13384-022-00533-4

Custers, B., Dechesne, F., Sears, A. M., Tani, T., & van der Hof, S. (2018). A Comparison of Data Protection Legislation and Policies across the EU. Computer Law and Security Review, 34(2), 234–243. https://doi.org/10.1016/j.clsr.2017.09.001

Datu, A. K. K., Mharcelyn, M. K., Jul-Asri, A. H., & Merhana, T. (2024). Data Governance and Privacy in Sulu, Philippines: Building Trust and Ensuring Accountability in Digital Public Service Delivery. Open Access Indonesia Journal of Social Sciences, 8(1), 1952–1966. https://doi.org/10.37275/oaijss.v8i1.283

Dewi, R. I. (2024). Pusat Data Nasional Kena Ransomware, Guru Besar IT Angkat Bicara. Cnbcindonesia.Com. https://www.cnbcindonesia.com/tech/20240627081538-37-549695/pusat

Dwi, K. K., Hehanussa, D. J., Setiawan, R., Susilowati, I., & Helfisar, D. (2024). Criminal Sanctions and Personal Data Protection in Indonesia. Lex Publica, 11(2), 221–247. https://doi.org/10.58829/lp.11.2.2024.1-27

Hukom, S., Humi, N., & Lukman, I. (2025). The Urgency of Legal Regulation for Personal Data Protection in Indonesia in the Big Data Era. Hakim: Jurnal Ilmu Hukum Dan Sosial, 3(1), 974–992. https://doi.org/10.51903/hakim.v3i1.2291

Idris, M. F., Laksito, J., & Ariyani, W. (2024). Tanggung Jawab Hukum Perusahaan Teknologi Atas Penyalahgunaan Data Pengguna : Studi Kasus Di ASEAN. Jaksa : Jurnal Kajian Ilmu Hukum Dan Politik, 2(4), 45–56. https://doi.org/10.51903/jaksa.v2i4.2268

Integra, P. (2024). Institutional Theory dalam Tata Kelola Perusahaan: Perspektif Legitimasi dan Keberlanjutan. Pragmaintegra.Com. https://pragmaintegra.com/institutional

Kalsum, U. (2025). Data Nasional Bocor, Apa Dampaknya pada Data Pribadi Kita? Rri.Co.Id. https://rri.co.id/lain-lain/801191/data

Kennedy, A. (2025). Tantangan Implementasi dan Perkembangan Hukum Telematika di Indonesia. Ethics and Law Journal: Business and Notary, 3(2), 1–9. https://doi.org/10.61292/eljbn.262

Khan, M. N. I. (2025). Cross-Border Data Privacy and Legal Support: A Systematic Review of International Compliance Standards and Cyber Law Practices. American Journal of Scholarly Research and Innovation, 4(1), 138–174. https://doi.org/10.63125/a4gbeb22

Kossay, M., Putra, R. K., & Idris, M. F. (2025). Keberlanjutan Ekonomi dalam Perspektif Hukum: Analisis Regulasi Environmental, Social, and Governance di Indonesia. Perkara : Jurnal Ilmu Hukum Dan Politik, 3(1), 675–693. https://doi.org/10.51903/perkara.v3i1.2355

Lhotta, R. (2024). Dysfunctional Constitutionalism or Dysfunctional Politics: A Matter of Law, Politics, and Institutional Design. Politische Vierteljahresschrift, 65(2), 285–309. https://doi.org/10.1007/s11615-023-00505-y

Mahameru, D. E., Nurhalizah, A., Wildan, A., Haikal Badjeber, M., & Rahmadia, M. H. (2023). Implementasi UU Perlindungan Data Pribadi Terhadap Keamanan Informasi Identitas di Indonesia. Jurnal Esensi Hukum, 5(2), 115–131. https://doi.org/10.35586/jsh.v5i2.240

Maharani, T., & Meiliana, D. (2021). Dugaan Kebocoran Data 279 Juta WNI, BPJS Kesehatan Tempuh Langkah Hukum. Kompas.Com. https://nasional.kompas.com/read/2021/05/25/11140881/dugaan

MetroTv. (2023). Lagi, Data Pribadi WNI di Kemendgari Diduga Bocor dan Dijual di Dark Web. Metronews.Com. https://www.metrotvnews.com/play/nxgc5lq0

Nurcahyani, R. E. K., & Wiraguna, S. A. (2025). Tanggung Jawab Hukum Pelindungan Data ASN dalam Sistem Pemerintahan Berbasis Elektronik di Indonesia. Jurnal Kajian Hukum Dan Kebijakan Publik, 2(2), 1115–1120. https://doi.org/10.62379/wxf6a077

Perdana, P. A. (2022). Dugaan Kebocoran Data MyPertamina Menjadi Ujian UU Perlindungan Data Pribadi. Kompas.Id. https://www.kompas.id/artikel/masih-diinvestigasi-bocornya-data-juga-menjadi-ujian-uu-pdp

Ramiro, A. (2025). Democratic Oversight of Government Hacking by Intelligence Agencies A Critical Analysis of Brazil and Germany. Weizenbaum Journal of the Digital Society, 02. https://doi.org/10.34669/wi.wjds/5.2.3

Risi, D., Vigneau, L., Bohn, S., & Wickert, C. (2023). Institutional Theory-Based Research on Corporate Social Responsibility: Bringing Values Back in. International Journal of Management Reviews, 25(1), 3–23. https://doi.org/10.1111/ijmr.12299

Sagita, S. N. (2025). Penjelasan Kemenkes soal PeduliLindungi Berubah Jadi Laman Judi Online. Detik.Com. https://www.tempo.co/hukum/penjelasan-kemenkes-soal-dugaan-pedulilindungi-berubah-jadi-situs-judi-online-1493867

Wahyuni, W. (2023). Ancaman Data Pribadi Diperjualbelikan di Balik Judi Online. Hukumonline.Com. https://www.hukumonline.com/berita/a/ancaman-data-pribadi-diperjualbelikan-di-balik-judi-online-lt651ad5dc97c13/

Yonatan, A. (2023). Indonesia Peringkat 4, Ini Dia 7 Negara Pengguna Internet Terbesar di Dunia. Goodstats. https://data.goodstats.id/statistic/indonesia-peringkat-4-ini-dia-7-negara-pengguna-internet-terbesar-di-dunia-flw6v

Downloads

Published

2025-06-10

Issue

Vol. 3 No. 2 (2025): Juni 2025 : Perkara Jurnal Ilmu Hukum dan Politik

Section

Articles

License

Copyright (c) 2025 Rengga Kusuma Putra, Yulia Agustin, Latif Nurul Ihsan, Zaki Ahmad Dafiqi

Creative Commons License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

How to Cite

Institutional Dysfunction in Personal Data Protection: A Legal-Political Analysis Based on New Institutional Theory. (2025). Perkara : Jurnal Ilmu Hukum Dan Politik, 3(2), 938-949. https://doi.org/10.51903/bkktey52