Indonesia’s largest AI experiment barely has safety net

"When the National Economic Council announces that artificial intelligence is now 'cleaning' the personal data of 270 million Indonesians across eight government ministries – and delivers that news as a triumph rather than a warning – something has gone badly wrong with how we communicate risk to the public," writes Hanif Abdul Halim.

Hanif Abdul Halim

Hanif Abdul Halim

The Jakarta Post

AFP__20260408__A73D9VK__v2__MidRes__IndonesiaTechnologyGoogle.jpg

This photo illustration shows a smartphone user opening the Google app download center in Jakarta on April 8, 2026. PHOTO: AFP

June 26, 2026

JAKARTA – National Economic Council (DEN) head Luhut Binsar Pandjaitan has confirmed that since June 1, Indonesia’s GovTech platform has achieved 80 percent connectivity across eight ministries and agencies, integrating their data into a single artificial intelligence-powered system for the first time in the country’s history.

He demonstrated facial recognition technology that reportedly resolved data disputes “in less than one minute”, spoke of reaching 64 million micro, small and medium enterprises (MSMEs) and promised a nationwide rollout across all 514 regencies and cities by October of this year.

It all sounded remarkably impressive, but he failed to mention who will bear responsibility if something goes wrong – because right now, the honest legal answer is no one.

Let us begin with the most basic question of democratic governance: Who is actually in charge? The GovTech initiative is championed by the DEN, an advisory body to the President that possesses no operational authority over ministries, no legal mandate over data systems and no formal accountability mechanism under the law.

The underlying data systems sit scattered across a labyrinth of separate entities – ranging from social insurance provider BPJS and the Population and Civil Registry Office (Dukcapil) to the Finance Ministry – each bound to its own independent chain of command. Meanwhile, the AI infrastructure presumably involves the National Cyber and Crypto Agency (BSSN), Communication and Digital Affairs Ministry and National Innovation and Research Agency (BRIN), though these relationships have never been publicly or legally clarified.

This accountability vacuum is not a mere bureaucratic technicality; it is a structural failure with dangerous precedents. When the Temporary National Data Center (PDNS) was devastated by the Brain Cipher ransomware attack in June 2024 – compromising data across more than 200 government institutions and paralyzing critical public services for days – not a single ministry or agency was held legally responsible. The Information Ministry blamed the tenant institutions, BSSN evaded accountability, while tenants argued they had no choice but to store data in a system they did not control.

Now, Indonesia is building an architecture 10 times larger, while the fundamental question of legal ownership remains unanswered.

The second structural failure is the total absence of a legal framework to classify and mitigate AI risk. The government is deploying AI to clean, verify and process highly sensitive citizen data, including using biometric facial recognition for social assistance verification. Yet, it is doing so with no binding taxonomy of what constitutes high-risk AI use, no mandatory pre-deployment safety standards and no independent audit mechanisms.

Consider the global gold standard: under the European Union’s AI Act, AI systems utilized for biometric identification by public authorities fall squarely into the “high-risk” category. This classification mandates strict conformity assessments, human-in-the-loop oversight and rigorous transparency obligations before a single line of code goes live. Under certain conditions, real-time public biometric tracking is categorized as an unacceptable risk altogether.

Indonesia has no equivalent safeguards. The closest domestic framework is a non-binding Ministerial Circular on AI Ethics – a set of gentle guidance documents that carry no enforceable obligations, impose no penalties and require no compliance reporting.

Consequently, systemic vulnerabilities like AI hallucinations (where a system generates confident but entirely fabricated outputs) and algorithmic bias against specific demographic groups, regions or economic profiles are left completely unmitigated. If an AI system erroneously flags a legitimate MSME owner as a tax evader or misidentifies a vulnerable citizen and denies them life-saving social assistance, there is no legal standard violated, no regulatory body to investigate and no clear path of remedy for the affected citizen.

Even if we look to the Personal Data Protection (PDP) Law regime, the GovTech rollout runs into two critical, unresolved gaps.

First, the PDP Law mandates the creation of an independent data protection supervisory body, which remains nonexistent two years after the law’s passage. Without it, there is no authority to mandate, review or approve a Data Protection Impact Assessment (DPIA) – the standard global prerequisite before any large-scale processing of citizen data occurs. Integrating the health records, tax files, social welfare histories and biometrics of tens of millions of citizens without a published DPIA is a severe violation of the very spirit of privacy the law was designed to protect.

Second, while the PDP Law does not outright ban automated decision-making (ADM), it explicitly grants citizens the right to object to decisions based entirely on automated processing and profiling, particularly when those decisions carry legal or significant personal consequences. The current triumphalist rhetoric surrounding GovTech – boasting of AI autonomously “cleaning” data and facial recognition “resolving” disputes in seconds – raises alarming questions. Has automated speed been optimized at the direct expense of constitutional rights? When a machine incorrectly revokes a citizen’s welfare eligibility, how do they exercise their legal right to object?

The consolidation of identity, financial, health and biometric data from eight separate ministries into a single AI platform creates, by definition, a mass surveillance infrastructure. The state’s current intentions – tax collection, targeted welfare distribution and MSME formalization – may be entirely legitimate. But infrastructure built for efficiency can easily be repurposed for control. “Function creep” in government databases is not a dystopian theory; it is a well-documented historical pattern across global autocracies.

Without independent oversight, legally enforced purpose limitations, absolute transparency regarding dataset integration and robust democratic checks, Indonesia is building the technical architecture of a surveillance state. The line between an efficient welfare state and a digital panopticon is not technical; it is legal, institutional and political. Right now, Indonesia has engineered the technology while completely ignoring the guardrails.

High-stakes, high-risk, low-information announcements as in the GovTech case do not build public trust; they breed deep speculation and invite misinformation. When something inevitably goes wrong, this information vacuum transforms instantly into a crisis of legitimacy. Transparency is not a democratic courtesy; it is the absolute precondition for informed public consent.

Before October’s nationwide rollout, all the aforementioned concerns must be answered. These are not obstructionist questions; they are the bare minimum requirements of democratic governance in the digital age.

Hanif Abdul Halim is chairperson of the Center for Artificial Intelligence and Technology for Democracy (PIKAT Demokrasi), an Indonesian research center on AI and democratic governance. The views expressed are personal.

scroll to top