TikTok recently faced a significant setback in Europe when the Irish Data Protection Commission (DPC) imposed a substantial fine of €530 million (approximately Rp9 trillion) for violating the European Union’s General Data Protection Regulation (GDPR). The violations included transferring user data from the European Economic Area (EEA) to China without adequate safeguards and lacking transparency regarding data storage locations. Initially, TikTok denied storing data in China but later admitted that some EEA data was stored on Chinese servers accessible by employees there.
This isn’t TikTok’s first legal issue. In 2023, the company was fined €345 million for failing to protect children’s privacy, including default public account settings and weak parental control verifications.
Indonesia: A Major Market with Significant Risks
Indonesia stands as TikTok’s largest market globally, boasting 157.6 million active users—surpassing the United States’ 120 million users. This dominance implies that one in two Indonesians uses TikTok. Given this vast user base, Indonesia should prioritize user data protection, as the potential risks of privacy violations are substantial. The Indonesian government must proactively audit how TikTok manages Indonesian user data.
From a business perspective, Indonesia is not only a significant user base but also a major revenue contributor for TikTok. Reports indicate that in 2023, TikTok generated over US$1.2 billion from the Indonesian market alone through advertising, shopping features, and content promotions. This means Indonesia contributes more than 10% of TikTok’s global revenue—a figure that cannot be overlooked. However, this economic strength must be matched with robust regulations.
Potential Dangers of Data Breaches
Data misuse cases have shown that leaked personal information—including viewing habits, location, device usage, and even user faces—can be exploited for political profiling, influencing public opinion, algorithm manipulation, and covert user tracking.
Globally, data transfers to China are particularly sensitive. China’s national security laws allow its government to request access to any company’s data based there. Therefore, if Indonesian user data is stored or processed in China, it raises concerns not just about privacy but also about digital sovereignty.
TikTok’s Global Track Record of Violations
TikTok has faced significant violations in various countries:
- United States (2020–2024): Accused of illegally collecting children’s data, leading to bans on government devices in several states.
- United Kingdom (2023): Fined £12.7 million for failing to protect data of children under 13.
- Italy (2021): Temporarily banned following a child’s death linked to a “viral challenge.”
- Australia (2023): Investigated for using biometric data without explicit consent.
Urgent Need for Indonesian Government Investigation
The Association of Information Technology & Open Source (ATIOS) recommends that the Indonesian government:
- Conduct Compliance Audits: Assess whether TikTok adheres to Indonesia’s Personal Data Protection Law and related regulations.
- Evaluate Data Transfers: Determine if Indonesian user data is transferred abroad, especially to China, without adequate protection.
- Protect Children’s Privacy: Review privacy settings for underage users and ensure effective age verification mechanisms.
- Enhance Transparency: Require TikTok to provide clear information about the collection, use, and storage of Indonesian user data.
- Engage Civil Society: Involve individuals, groups, and independent experts in monitoring and recommending policies.
TikTok’s violations in the European Union highlight weaknesses in user data protection. Given Indonesia’s large user base, similar risks are plausible. Therefore, the Indonesian government must take proactive steps to safeguard its citizens’ personal data, including thorough investigations into TikTok’s data management practices and those of other applications handling Indonesian user data.
By: Irvannanda, Chairman of the Association of Information Technology & Open Source (ATIOS) – May 9, 2025
