CIVIL LIABILITY OF ELECTRONIC WALLET OPERATORS FOR THE LEAKAGE OF USERS' PERSONAL DATA BASED ON LAW NO. 27 OF 2022

One of the problems with using digital wallets is that data breaches and account breaches often occur which results in the loss of balances of digital wallet users. The Personal Data Protection Law itself was formed in order to protect people who use digital platforms, in this case digital wallets, from acts of breaching personal data and hacking accounts. The legal research method used in this research is normative juridical research which is research carried out or aimed only at written regulations with the nature of descriptive analysis research which is a method that functions to describe or provide an overview of the object being researched through data or samples and make conclusions that apply to the general public. The data sources used in this research are primary and secondary data and qualitative data analysis which is observations of phenomena obtained from data obtained in the form of written or oral descriptions. The results of this research are that the regulations for the use of electronic wallets that convert the use of cash into electronic money are Bank Indonesia Regulation Number 20/6/PBI/2018 concerning Electronic Money, Protection of personal data in the Personal Data Protection Law includes specific personal data protection. and is general in relation to the use of electronic wallets, so specific data such as financial data is data that is vulnerable to misuse and must be protected when using electronic wallets.

PurposeThe purpose of this paper is two-fold: to explore the legal issue of the importance of personal data protection in the digital economy sector and to propose a legal framework for personal data protection as a consumer protection strategy and accelerate the digital economy.Design/methodology/approachThis study is legal research. The research approach used was the comparative approach and statute approach. The legal materials used are all regulations regarding personal data protection that apply in Indonesia, Hong Kong and Malaysia. The technique of collecting legal materials is done by using library research techniques.FindingsThe value of Indonesia’s digital economy is the biggest in the Southeast Asia region, but data breach is still a big challenge to face. The Indonesian Consumers Foundation (Yayasan Lembaga Konsumen Indonesia) recorded 54 cases of a data breach in e-commerce, 27 cases in peer-to-peer lending and 5 cases in electronic money. Based on the results of a comparative study with Hong Kong and Malaysia, Indonesia has yet no specific Act that comprehensively regulates personal data protection. Indonesia also does not have a personal data protection commission. Criminal sanctions and civil claims related to data breaches have not yet been regulated.Research limitations/implicationsThis study examines the data breach problem in the Indonesian digital economy sector. However, the legal construction of personal data protection regulations is built on the results of a comparative study with Hong Kong and Malaysia.Practical implicationsThe results of this study can be useful for constructing the ideal regulation regarding the protection of personal data in the digital economy sector.Social implicationsThe results of the recommendations in this study are expected to develop and strengthen the protection of personal data in the Indonesian digital economy sector. Besides aiming to prevent the misuse of personal data, the regulation aims to protect consumers and accelerate the growth of the digital economy.Originality/valueIndonesia needs to create a personal data protection act. The act should at least cover such issues: personal data protection principles; types of personal data; management of personal data; mechanism of personal data protection and security; commission of personal data protection; transfers of personal data; resolution mechanism of personal data dispute and criminal sanctions and civil claims.

Purpose This paper aims to identify the reasons why cases of leakage of patient personal data often occur in the health sector. This paper also analyzes personal data protection regulations in the health sector from a comparative legal perspective between Indonesia, Singapore and the European Union (EU). Design/methodology/approach This type of research is legal research. The research approach used is the statute approach and conceptual approach. The focus of this study in this research is Indonesia with a comparative study in Singapore and the EU. Findings Cases of leakage of patient personal data in Indonesia often occur. In 2021, the data for 230,000 COVID-19 patients was leaked and sold on the Rapid Forums dark web forum. A patient’s personal data is a human right that must be protected. Compared to Singapore and the EU, Indonesia is a country that does not yet have a law on the protection of personal data. This condition causes cases of leakage of patients’ personal data to occur frequently. Research limitations/implications This study analyzes the regulation and protection of patients’ personal data in Indonesia, Singapore and the EU to construct a regulatory design for the protection of patients’ personal data. Practical implications The results of this study are useful for constructing regulations governing the protection of patients’ personal data. The regulation is to protect the patient’s personal data like a patient’s human right. Social implications The ideal regulatory design can prevent data breaches. Based on the results of comparative studies, in Singapore and the EU, cases of personal data leakage are rare because they have a regulatory framework regarding the protection of patients’ personal data. Originality/value Legal strategies that can be taken to prevent and overcome patient data breaches include the establishment of an Act on Personal Data Protection; the Personal Data Protection Commission; and management of patients’ personal data.

Problem setting. In order to build an innovative society, it is necessary to develop legal norms and regulators aimed at protecting privacy and controlling personal data. In addition, the need to ensure effective and reliable protection of personal data in the conditions of rapid technological development, globalization and the growing threat of cybercrime is becoming more urgent. The need for the development of legal norms, the introduction of innovative technologies and the raising of public awareness become important tasks for ensuring privacy and protection of personal data. The study also aims to identify and analyze the main challenges facing the field of personal data protection, such as cybercrime, hacker attacks, globalization and cross borders. Legal norms and regulations aimed at protecting privacy are also analyzed, as well as the potential opportunities of new technologies that can increase the level of protection of personal data. Аnalysis of recent researches and publications. The problems of legal protection of personal data have recently become the subject of research by an increasing number of scientists, both lawyers and representatives of other fields of knowledge. In particular, such scientists as: S. Hlibko, T. Egorova-Lutchenko, K. Yefremova, O. Korvat, V. Kokhan, M. Haustova devote their attention to the study of these issues. etc. Purpose of the research is to develop possible ways of legal protection of personal data in view of today’s challenges related to this issue. The article aims to consider the development of technologies and the growth of the volume of personal data as the main factors affecting the need for effective protection of privacy and security of this data. The article is aimed at expanding the understanding of the problem and providing recommendations for improving the protection of privacy and security of personal data in the future. article’s main body. According to the preamble to the Agreement between Ukraine and the European Union on the participation of Ukraine in the European Union program “Digital Europe” (2021-2027), the important supporting role of digital infrastructure, including in the field of cyber security, is recognized to ensure inextricably linked transformation processes and digital leadership of the European Union. The purpose of concluding the Agreement is to establish mutually beneficial cooperation in order to strengthen and support the deployment of reliable and secure digital capabilities in the Union in the field, including cyber security. It is recognized that mutual participation in each other’s programs for the implementation of digital technologies should ensure mutual benefits for the Parties, while observing a high level of data protection, digital rights, etc. In accordance with paragraph 12 of Article 2 of Annex III to the Agreement, the exchange of information between the European Commission or OLAF and the competent state authorities of Ukraine must take place with due consideration of confidentiality requirements. Personal data included in the exchange of information must be transferred in accordance with the current legal norms on data protection of the Party making the transfer. According to paragraph 49 of the preamble of Regulation (EU) 2021/694 of the European Parliament and of the Council of April 29, 2021 on the establishment of the Digital Europe Program, digital transformation should allow citizens to access, use and securely manage their personal data across borders, regardless of their location or data location. According to point 60 of the preamble, by providing a single set of rules that are directly applicable in the legal systems of the Member States, Regulation (EU) 2016/679 guarantees the free flow of personal data between Member States and strengthens the trust and security of individuals, two indispensable elements of a true Digital Single Market . All actions taken within the framework of the Program, which involve the processing of personal data, must contribute to the smooth implementation of this Regulation, for example, in the field of artificial intelligence and distributed ledger technologies (for example, blockchain). These actions should support the development of digital technologies that meet data protection obligations both by design and by default. In addition, according to paragraph 69 of the preamble, this Regulation respects fundamental rights and adheres to the principles recognized in the Charter of Fundamental Rights of the European Union, in particular regarding the protection of personal data, etc. In the Charter of Fundamental Rights of the European Union (2016/C 202/02) dated June 7, 2016, Chapter II “Freedoms” contains Article 8, which is entitled “Protection of personal data”, according to which it is assumed that everyone has the right to the protection of personal data data concerning him. Such data must be processed fairly for specific purposes and on the basis of the consent of the person concerned or on another legal basis established by law. Everyone has the right to access the data that has been collected about him and the right to correct it. Compliance with these rules is subject to control by an independent body. In addition, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data establishes rules relating to the protection of natural persons with regard to the processing of personal data, as well as rules, relating to the free movement of personal data, and protects the fundamental rights and freedoms of natural persons and, in particular, their right to protection of personal data. Today in Ukraine, the main legislative act in this area is the Law of June 1, 2010 No. 2997-VI “On the Protection of Personal Data”. Article 11 of the Law of Ukraine “On Information” specifies what information about a natural person (personal data) is. In turn, the legal and organizational bases for ensuring the protection of the vital interests of a person and citizen, society and the state, national interests of Ukraine in cyberspace, the main goals, directions and principles of state policy in the field of cyber security, the powers of state bodies, enterprises, institutions, organizations, individuals and citizens in this area, the basic principles of coordination of their cyber security activities are defined in the Law of Ukraine “On Basic Principles of Cyber Security of Ukraine”. In addition, relations in the field of information protection in information, electronic communication and information and communication systems are regulated by the Law of Ukraine “On the Protection of Information in Information and Communication Systems”. In turn, the Concept of the development of e-governance in Ukraine, as well as the Law of Ukraine “On the National Informatization Program” defines e-governance. In addition, in 2021, the Law of Ukraine “On Public Electronic Registers” was adopted, which defines the State electronic platform for maintaining public electronic registers. On April 18, 2023, by a resolution of the Cabinet of Ministers of Ukraine, the Regulation on the information system “Software platform for the deployment and support of state electronic registers” was approved, as well as the Procedure for using the software “Software platform for the deployment and support of state electronic registers”. conclusions and prospects for the development. The protection of digital personal data requires the development of appropriate technical and regulatory tools, as well as judicial practice of prosecution for violations of the order of their use. It is possible to create a database or registry for private electronic/digital platforms, with the help of which or which would control their activities, including regarding the protection of personal data. At the same time, at the regulatory and legal level, it is necessary to provide that a mandatory condition for the creation and functioning of an Internet platform is its registration in such a database / such a register, and a mandatory condition for registration is confirmation of technical capabilities to ensure the protection of personal data of platform users. It is necessary to define at the regulatory level the list and mechanisms of acquisition of digital rights, their implementation, protection, compensation and responsibility for their violation. The protection of personal data should be considered one of the digital rights of a person and a citizen. The development of digitalization in a legal state must inevitably be accompanied by the development of the legal framework, in particular, the emergence, consolidation, definition and protection of digital rights of individuals and legal entities. Digital rights are a multifaceted category, they become connected and interwoven with other rights defined and established in the norms of different branches of law. The multifaceted nature of the “digital rights” category implies the separation and delimitation of various categories of digital rights, their distribution into appropriate types, for example, “personal digital rights”, “financial digital rights”, etc. It should be quite natural to form a separate element in the general system of law, such as digital law, as a set of legal norms regulating social relations related to the circulation of (including personal) data in digital networks.

The Consumer Protection Law does not expressively verbis state the protection of consumer personal data as part of consumer rights that must be protected by business actors. The existence of cybercrime and the negligence of business actors can cause leakage of consumer personal data to be something that needs to be anticipated. This paper aims to discuss the application of the PDP Law to consumer protection of personal data and how the form of liability of business actors in the perspective of the PDP Law in ensuring consumer protection. This paper uses normative research with a conceptual approach, a statutory approach, and a case approach. This paper also concluded that The handling of consumer disputes related to personal data breaches should be handled in parallel by applying the PDP Law and the Consumer Protection Law. Business actors should protect consumers' personal data based on the provisions prohibiting disclosing personal data unlawfully. The application of the principle of absolute accountability or strict liability is intended so that business actors can be fully responsible for the interests of consumers. In the event that there is negligence on the part of the business actor, resulting in a violation of the protection of consumers' personal data. Business actors cannot escape responsibility for any reason because they have neglected to protect consumers' personal data.

The issue of personal data protection has been one of the focal points of attention in recent decades. This is because the protection of personal data is a form of realizing the right to privacy as a fundamental human right. Personal data refers to information about a specific individual’s characteristics that serves as a means of their identification. Personal data protection in Bosnia and Herzegovina is regulated by the Law on Personal Data Protection. This law governs the principles of personal data processing, the obligations of data controllers and processors, the rights of data subjects, as well as sanctions for violations of the law. Since 2016, the protection of personal data in the European Union has been regulated by the General Data Protection Regulation (GDPR), which has significantly improved the system for protecting personal data. A particularly significant category of personal data is personal health data, which includes identification and identifying information about an individual’s health and medical condition, their medical diagnosis, prognosis, and treatment, as well as information about substances that can identify that individual. Data related to an individual’s health is a crucial and potentially vulnerable aspect of their life. These are the most intimate data about an individual, the unauthorized and unjustified disclosure of which can subject them to shame, ridicule, and stigmatization, causing them significant, primarily non-material, harm. Misuse of patient information not only violates their privacy but also undermines their dignity. Therefore, personal health data can only be processed for health-related purposes, i.e., for the benefit of the individual and society as a whole. Laws regulating patients’ rights in the Federation of Bosnia and Herzegovina (the Law on Healthcare and the Law on the Rights, Obligations, and Responsibilities of Patients) guarantee patients the right to confidentiality of information and privacy, the right to data secrecy, and the right to access their medical records. The provisions of these laws significantly meet the standards for the protection of personal health data. However, in order to improve the situation in this area, there is a need to harmonize the provisions of the general data protection law, which is subsidiarily applied in the protection of personal health data, with the provisions of the General Data Protection Regulation.

The digital revolution has transformed industries, but privacy protection challenges persist. Countries like the UAE have established legal frameworks for civil liability that balance the benefits of technology with individual rights. However, classification raises issues like contractual breaches, tort liability, and jurisdictional conflicts. Research on civil liability is crucial for ensuring legal certainty and trust. The Protection of Electronic Personal Data is deemed one of the fundamental pillars of digital security in the modern era. It plays an essential role in protecting individuals’ privacy and preventing the misuse of their information for illegal activities, such as fraud and identity theft. Besides, it strengthens the users’ trust in the electronic transactions and supports compliance with local and international laws and regulations related to information security. In fact, its significance extends to protecting community and national security, as data leaks might threaten stability or be used to manipulate public opinion. Therefore, securing data is a basic requirement for achieving safe digital transformation and ensuring that individuals and communities can benefit from electronic services efficiently and with confidence. The current research aims to provide a comprehensive understanding of “Civil Protection of Electronic Personal Data” by examining the national and international legal frameworks that regulate this field, in addition to analyzing the forms of civil liability that would result from violating such data, whether contractual or tortious, along with the resulting legal consequences. Moreover, it seeks to highlight the essential role of this protection in safeguarding the right to privacy, which is fundamental to human dignity, and to evaluate the effectiveness of the available judicial mechanisms that enable individuals to claim compensation for damages resulting from electronic attacks. Finally, this research aims to formulate legislative and practical solutions and proposals to strengthen the civil protection system and enhance individuals' and institutions' awareness of the importance of safeguarding personal data in the digital environment. The legal protection of electronic personal data under UAE Law is considered a pioneering step toward enhancing national security and preserving individual privacy. Federal Law No. 34 of 2021 reflects the state's commitment to keeping pace with technological developments and to addressing risks to personal data. In this study, we have concluded the following key findings and recommendations. Personal Data Protection Law No. (45) of 2021 is an essential step on the right path towards the economic development of the United Arab Emirates in general, and the digital economy and e-commerce in particular. Personal data refers to any information related to identified individuals or those who can be identified through it, such as name, address, national number, and others. Exposing electronic personal data poses risks, necessitating individual awareness and improved security measures. UAE Law penalties deter violations, promote compliance, and raise awareness. Violations of privacy laws result in criminal penalties and civil liability. Victims have the right to request cessation and compensation.

Notaries as public officials who are authorized to make authentic deeds carry out their duties and authorities inseparable from the processing of Personal Data, both physical and electronic. Notaries process Personal Data not only for Personal Data subjects, namely Clients, but also for workers or interns, or third parties whose information is provided by the Client. Since the enactment of the PDP Law, Notaries as officials who make authentic deeds in processing Personal Data are not only obliged to maintain the confidentiality of Personal Data, but there are also several other obligations regulated in the PDP Law as an effort to prevent and eradicate potential cybercrime. In this study, the author will dissect the role and obligations of Notaries in the security of Personal Data based on the PDP Law. The study used a normative legal method with a statutory approach and a conceptual approach. Through this study, it is concluded that a Notary as an official who makes authentic deeds has a crucial role, namely as a Personal Data Controller who can determine the purpose and method of processing personal data. Notaries have several obligations as regulated in the PDP Law, including having a basis for processing, ensuring the security of personal data, assessing the impact of Personal Data Protection, recording all personal data processing activities, appointing Personal Data Protection officials, fulfilling the rights of personal data subjects, and others. The ultimate goal of this study is expected to provide knowledge and legal certainty related to Personal Data Protection in notarial practice.

The rapid expansion of digital platforms in Indonesia has transformed personal data into a strategic economic asset while increasing the risk of large-scale data breaches affecting consumers. Although Law No. 27 of 2022 on Personal Data Protection has been enacted, the civil liability framework governing digital platforms remains fragmented and doctrinally unclear. This article aims to reconstruct the civil liability model applicable to digital platforms for consumer losses arising from personal data breaches within the Indonesian private law system. This research employs a normative juridical method using statutory, conceptual, and comparative approaches, integrating the Civil Code, the Consumer Protection Law, the Electronic Information and Transactions Law, and the Personal Data Protection Law, complemented by a comparative analysis with the GDPR. The study concludes that digital platforms cannot be regarded merely as neutral intermediaries due to their structural control over data processing and economic exploitation of personal data. The traditional fault-based liability regime under Article 1365 of the Civil Code is insufficient to address evidentiary imbalance and systemic digital risks. This article proposes a reconstructed liability framework based on a risk-based or quasi-strict liability approach, while affirming that limitation-of-liability clauses contradicting mandatory consumer protection norms are legally invalid. The novelty lies in repositioning personal data as a protected civil legal interest and integrating classical private law principles with contemporary digital regulation.

The article is devoted to the study of the organizational and legal mechanism of personal data protection. The concept of "personal data protection" is developed in detail in domestic jurisprudence. The law regulates legal relations related to the protection and processing of personal data, with the aim of protecting the fundamental rights and freedoms of a person and a citizen, and, first of all, the right to non-interference in personal life, in connection with the processing of personal data. However, the rapid development of information technologies, the digitization of society forces us to improve the organizational and legal mechanism of personal data protection every time, to search for more effective and reliable methods and means of their protection. The actual legal basis for the protection of personal data can be found in the Constitution of Ukraine, the Criminal Code of Ukraine, the Civil Code of Ukraine, the Law of Ukraine "On the Protection of Personal Data", decisions of the Constitutional Court of Ukraine, international legal acts, consent to the mandatory use of which was given by the Verkhovna Rada of Ukraine. It is substantiated that it is the state that acts as the guarantor of the protection of a person's personal data - its task is to create an organizational and legal mechanism that would effectively protect human rights related to personal data, etc. The organizational component of the personal data protection mechanism covers the vertical of state bodies and services, which, in accordance with the powers assigned to them, carry out personal data protection activities. On the basis of the conducted research, we came to the conclusion that the organizational and legal mechanism for the protection of personal data is a set of legal norms and a complex of preventive measures carried out by relevant state bodies and services aimed at protecting personal data, stopping offenses, applying coercion to offenders and restoring violated human rights related to personal data.

The advancement of information and communication technology had caused an increase in data breaches and data misuse. The state is encouraged to have strong law regulations concerning the protection of personal data of its society. This research then aims to explain the lack of legal regulation in Indonesia regarding the protection of personal data. In analyzing the problem, this research used the juridical-normative method (legal research) by oriented on the law principles, law norms, and positive law in Indonesia which is relevant to the research’s topic. The conceptual approach was also used in this research because the researcher is more focused on the law regulation that had been issuance. Legal sources were then much used as research data, starting from the Indonesian Constitution to the draft regulation. This research shows that different from Malaysia and Singapore that are already have the Personal Data Protection Act, Indonesia does not yet have a comprehensive personal data protection law. This is because the protection and misuse of personal data in Indonesia are still regulated as sectoral or scattered in several regulations and acts. As a consequence, Indonesia does not have a clear reference for handling the data misuse cases that are happening. This research then gives some advice and recommendations to the government to pass the Draft Regulation on Personal Data Protection which has been discussed since 2016.

Introduction: Banks as an institution are not only required to protect customer funds but are also obliged to maintain the confidentiality of customer personal data.Purposes of the Research: This paper aims to examine the regulations governing the protection of customers' personal data and to examine the supervision and law enforcement of the protection of banking customers' personal data.Methods of the Research: This research uses normative legal research methods with a statutory approach, conceptual approach, and case approach. The statutory approach relates to legislation on personal data protection and banking. The conceptual approach relates to the concepts of banking and personal data protection. The case approach relates to cases of supervision and law enforcement of violations or crimes of personal data of banking customers.Results of the Research: The results show that regulations governing customer data protection are contained in various laws and regulations related to personal data protection and banking and other technical regulations. In addition, the study results also show that supervision of the protection of personal data of banking customers has been carried out by three institutions that have supervisory authority, namely Bank Indonesia, the Financial Services Authority, and the Deposit Insurance Corporation. Law enforcement against violations and crimes against customers' personal data still faces challenges, because although there are many cases of crimes using customers' personal data, only a few can be enforced against crimes against customers' personal data.

This article is to find out and analyze how criminal responsibility is for misuse of personal data in cybercrimes and also how legal protection is from misuse of personal data. The research method used is Normative Juridical with a statutory approach (statute approach), conceptual approach (conceptual approach) and case approach (case approach). The research results show that in Law Number 27 of 2022 Concerning Personal Data Protection it is still not explicitly explained if there is a failure to protect data from criminal liability data subjects obtained by the Personal Data Manager in any form and it is also contained in Article 56 that not explained in the management of personal data the subject of personal data must obtain permission in the management of such data. Suggestion: law reform should be carried out against Law Number 27 of 2022 Concerning Personal Data Protection by clarifying what criminal liability is obtained by personal data managers and also the permits that must be explicitly explained in the management of personal data so as not to create an understanding in the community that their rights are being ignored. Abstrak Artikel ini adalah untuk mengetahui dan menganalisis bagaimana pertanggungjawaban pidana terhadap penyalahgunaan Data Pribadi pada tindak pidana dunia maya dan juga bagaimana perlindungan hukum dari penyalahgunaan data pribadi tersebut. Metode Penelitian yang digunakan adalah Yuridis Normatif dengan pendekatan perundang-undangan (statute approach), pendekatan konsep (conceptual approach) dan pendekatan kasus (case approach). Hasil Penelitian menunjukkan bahwa di dalam Undang-Undang Nomor 27 Tahun 2022 Tentang Perlindungan Data Pribadi tersebut masih belum dijelaskan secara eksplisit jika terjadinya kegagalan dalam melindungi Data dari subjek data pertanggungjawaban pidana yang didapatkan oleh Pengelola Data Pribadi berupa apa saja dan juga terdapat di Pasal 56 bahwa tidak dijelaskan dalam pengelolaan data pribadi subjek data pribadi harus mendapatkan perijinan dalam pengelolaan data tersebut. Saran: hendaknya dilakukan pembaharuan hukum terhadap Undang-Undang Nomor 27 Tahun 2022 Tentang Perlindungan Data Pribadi dengan memperjelas pertanggungjawaban pidana apa yang didapatkan oleh pengelola data pribadi dan juga perijinan yang harus eksplisit dijelaskan dalam pengelolaan data pribadi agar tidak menimbulkan pemahaman dimasyarakat bahwa hak mereka diabaikan.

The increase in cases of personal data breaches in Indonesia in recent years has become a very serious problem. So a personal data protection institution is needed to guarantee the protection of personal data. The existence of an independent personal data protection agency is an important aspect in carrying out personal data protection and is key in ensuring independence in the monitoring, auditing and prosecution processes. This is very crucial because regulations regarding personal data security apply to all public institutions, including executive, legislative and judicial. This research uses a normative juridical research type with a statutory approach, a comparative approach and a conceptual approach. The research results show that the personal data protection law that regulates this institution shows that there is executive involvement in the formation of the institution, thereby reducing its independence. As a result, this institution is at risk of being influenced by political interests and unable to carry out its duties accountably, effectively and efficiently.

Introduction: The rapid development of information technology has triggered an increase in digital activities, including the collection and storage of personal data. On the other hand, the phenomenon of theft of personal data and personal identity has become rampant and has caused increasingly significant losses, both materially and immaterially. This study aims to examine legal protection against theft of personal data and personal identity in Indonesia and to examine the law enforcement mechanisms and obstacles faced in the process.The research method used is normative juridical, with a regulatory, conceptual, and comparative approach. Data sources come from literature studies of regulations, legal literature, and relevant court decisions. The results of the study show that personal data protection in Indonesia is still in the developing stage, marked by the enactment of Law Number 27 of 2022 concerning Personal Data Protection. However, there are still limitations to norms in terms of implementation, criminal sanctions, and strong supervisory institutions. In addition, law enforcement against theft of personal data faces various obstacles, including limited authority of law enforcement officers, low public awareness of the importance of protecting personal data, and the complexity of evidence in cases of cross-border cybercrime. International efforts, such as cross-secret cooperation and extradition of perpetrators, are also still not optimal due to differences in legal systems between countries. This study recommends strengthening technical regulations for implementing the PDP Law, increasing the capacity of independent supervisory institutions, educating the public about data security, and increasing international cooperation in combating cybercrime. Effective national legal protection of personal data is an important foundation in maintaining citizens' privacy rights and building trust in the digital ecosystem.Purposes of the Research: Analyze and explain law enforcement against the crime of personal data theft on social media (Facebook).Methods of the Research: The research method used is normative juridical, with a statutory and conceptual approach. Sources of legal materials used are primary, secondary and tertiary legal materials. The technique of collecting legal materials carried out in this research is through library research, namely by searching legal materials by reading, viewing, listening and now many are done by searching through the internet then the data will be analyzed using quantitative data analysis techniques, in an approach Quantitative related to the relationship of variables analyzed using an objective theory, then described to solve the main problem in this study.Results / Findings / Novelty of the Research: Law enforcement against personal data theft in Indonesia has a strong legal basis through the Personal Data Protection Law, the Electronic Information and Transactions (ITE) Law, and other relevant regulations. However, its implementation still faces various obstacles, such as technological limitations, inadequate investigative capabilities, and difficulties in tracking and gathering evidence in the cyber realm. The cross-border nature of cybercrime also presents jurisdictional challenges, necessitating strong international cooperation mechanisms for effective law enforcement