Keywords:
Cyber Law, Law No. 27 of 2022, Personal Data Misuse, Personal Data Protection, Sanctions
Abstract
This article examines the effectiveness of sanctions under Law No. 27 of 2022 concerning Personal Data Protection in responding to personal data misuse in Indonesia. The discussion is situated within the growing urgency of cyber law and information security, particularly as digital platforms, public services, financial technology, and electronic transactions increasingly rely on large-scale personal data processing. Using a normative legal approach, this study analyzes statutory provisions, legal principles, scholarly literature, and selected reputable news reports as factual illustrations of personal data misuse. The findings show that Law No. 27 of 2022 provides a stronger legal foundation than the previous fragmented framework by regulating data subject rights, controller and processor obligations, and administrative and criminal sanctions. However, the effectiveness of these sanctions remains dependent on implementing regulations, institutional supervision, enforcement coordination, evidentiary capacity, corporate compliance, and accessible remedies for victims. The article concludes that the sanction framework is normatively important but requires further regulatory and institutional strengthening to ensure effective personal data protection.