Articles published on Data Protection Law
2196 Search results
- New
- Research Article
- 10.34190/icair.5.1.4166
- Dec 4, 2025
- International Conference on AI Research
- Anja Corduan-Claussen + 1 more
This study analyzes the implementation, usage, and acceptance of AI-supported chatbots in customer communication in Germany and China. Based on a systematic literature review and seven expert interviews with representatives of international technology companies, the research investigates both technological and cultural contextual factors influencing chatbot adoption. The study highlights how varying regulatory frameworks, infrastructure readiness, and cultural attitudes shape the deployment and effectiveness of AI-driven communication tools in different markets. Findings indicate that in Germany, stringent data protection laws, regulatory complexity, and cultural hesitations around privacy and automation present major obstacles to chatbot integration. In contrast, China’s innovation-friendly regulatory environment, extensive government support, and high technology affinity foster rapid deployment and wide user acceptance of AI-based solutions. Moreover, differences in organizational priorities emerge, with Chinese companies emphasizing speed, platform integration, and functionality, while German firms focus on data security, compliance, and personalized, trust-building customer interactions. The study further explores variations in user experience and communication design, underscoring the importance of culturally adapted interfaces and context-sensitive implementation strategies. Derived from these insights, the paper offers strategic recommendations for businesses to successfully implement AI chatbots in diverse regulatory and cultural landscapes. Additionally, it outlines directions for future research, particularly regarding the development of agentic AI, multimodal interaction capabilities, and sustainable deployment models that consider ethical, infrastructural, and environmental aspects.
- New
- Research Article
- 10.1192/bja.2025.10186
- Dec 4, 2025
- BJPsych Advances
- Rajeev Krishnadas + 1 more
SUMMARY Large language models (LLMs) like OpenAI’s ChatGPT, Google’s Gemini and Anthropic’s Claude can be useful tools in psychiatric practice, helping with tasks such as searching for information, managing administrative work and supporting education. This article demystifies how these tools work by explaining their core operational principles and noting their key limitations, including the risks of confabulation (fabricating information), sycophancy and knowledge cut-offs. It provides practical guidance on mitigating these risks through structured ‘prompt engineering’ and offers a safety framework for integrating LLMs into low-risk administrative and educational workflows. The article stresses the importance of approaching these technologies with caution by independently verifying information, adhering to UK data protection laws and upholding the principles of best practice in patient care. The goal is to help clinicians use these powerful but fallible technologies wisely, ensuring that patient safety and professional responsibility remain paramount as they explore these new tools.
- New
- Research Article
- 10.30659/ldj.7.4.675-687
- Dec 4, 2025
- Law Development Journal
- Lubna Tabriz Sulthanah + 1 more
Countries under the constitution have a responsibility to protect the privacy of every citizen, one of which is through the protection of personal data. Indonesia has not yet had its own institution tasked with realizing the implementation of the protection of personal data in an integrated manner. Indonesia, when compared to several countries in the Southeast Asia and Asia region, can be said to be lagging behind in terms of having the PDP Law, including the absence of a Personal Data Protection Institution. As a policy study material to see the form of the Personal Data Protection Agency, the researcher will examine the Personal Information Protection Commission (PIPC), which is a personal data protection institution in South Korea. The selection of the country is based on the fact that South Korea is one of the countries in Asia that is considered to meet the equality standards of data protection laws. The type of research used is a normative legal research method supported by empirical legal research methods. The data collection technique was carried out by literature study supported by interviews with parties involved in the research. The main problem that will be raised in this study is how the Personal Data Protection Institutions in Indonesia and South Korea are similar and different. In addition, what is the urgency of establishing a Personal Data Protection Agency in Indonesia that adopts PIPC in South Korea. The adoption in question does not mean plagiarizing in a complete way, but adaptation by considering constitutional conditions, capacity, and specific needs.
- New
- Research Article
- 10.59896/gara.v19i4.450
- Dec 2, 2025
- Ganec Swara
- Lalu Mariawan Alfarizi + 1 more
Informed consent is a fundamental legal and ethical principle in medical practice that affirms the patient’s autonomy to make decisions based on complete and transparent information. The rapid digital transformation of health services in Mataram City—such as online registration systems, telemedicine consultations, and the implementation of digital signatures—has reshaped the legal framework of informed consent in Indonesia. This study aims to analyze the legal validity and implications of digital informed consent under Indonesian health law, as well as to identify mechanisms of patient protection in the digital era. Using a normative juridical method with statutory and conceptual approaches, this research examines relevant legislation, including the Medical Practice Law, the ITE Law, and the Personal Data Protection Law. The findings indicate that digital informed consent is legally valid as long as it fulfills the essential elements of a lawful agreement under Article 1320 of the Indonesian Civil Code and complies with Article 11 of the ITE Law regarding electronic signatures. However, regulatory gaps remain concerning technical procedures, authentication standards, and data protection mechanisms. Therefore, comprehensive regulations are urgently required to ensure legal certainty, medical accountability, and the protection of patient rights in Indonesia’s evolving digital health ecosystem.
- New
- Research Article
- 10.59896/gara.v19i4.430
- Dec 2, 2025
- Ganec Swara
- Putu Andhika Kusuma Yadnya + 3 more
The rapid growth of vehicles has made traffic law enforcement a critical issue in urban areas. This normative legal research examines the implementation of the e-ticketing system in handling traffic violations in Denpasar City. The study finds that the implementation of e-tilang has a strong and multi-level legal foundation, primarily based on Law Number 22 of 2009 concerning Traffic and Road Transportation, supported by other regulations such as the ITE Law and the Personal Data Protection Law. However, the research also identifies significant legal consequences, including a shift towards objective liability for vehicle owners and challenges related to the protection of constitutional rights, such as the right to be heard and data privacy. While the system aligns with the principles of good governance, particularly in transparency, accountability, and efficiency, its full success depends on massive socialization, clear complaint mechanisms, and affirmative policies for the technologically vulnerable. The study concludes that e-tilang is a legitimate instrument for law enforcement in the digital era, provided it is balanced with a strong commitment to data protection and all principles of good governance.
- New
- Research Article
- 10.30659/ldj.7.4.586-595
- Dec 1, 2025
- Law Development Journal
- Nanda Putri Andana Kusuma + 1 more
The personal data leak experienced by Tokopedia in 2020 was one of the biggest incidents in the history of data protection in Indonesia. This incident, which involved more than 91 million user accounts, raised concerns about weak cybersecurity and the lack of law enforcement related to personal data protection. This study aims to analyze the legal responsibility of companies for the leakage of consumer personal data based on applicable laws and regulations, including the Personal Data Protection Law (PDP Law), the Electronic Information and Transaction Law (ITE Law), and their derivative regulations. The research method used is normative legal research through the study of laws and regulations, literature, and case documents. The results of the study show that as an Electronic System Operator (PSE), Tokopedia has an obligation to ensure the security of personal data and is responsible for any violations that occur. Affected users have several legal remedies, including administrative complaints to the Ministry of Communication and Information Technology, civil lawsuits based on unlawful acts, class actions, and criminal reports. This study emphasizes the importance of enforcing the principles of accountability and consumer protection in personal data management to prevent similar incidents from recurring in the future.
- New
- Research Article
- 10.69849/revistaft/dt10202511302309
- Nov 30, 2025
- Revista ft
- Irlane Lisley Da Silva Passos + 7 more
ABSTRACT The expansion of digital educational platforms and artificial intelligence solutions in public school systems has intensified the large-scale processing of data from students, families and education professionals. In this context, the implementation of Brazil’s General Data Protection Law, Law 13.709 of 2018, becomes a legal and ethical imperative, especially when dealing with children and adolescents as data subjects. This article discusses challenges and opportunities regarding compliance with the data protection framework in the use of digital platforms and AI tools in public education. It is a bibliographical and analytical study, based on Brazilian legislation, guidance documents from national and international organizations, and recent research on data protection, ethics of artificial intelligence and information governance in the educational sector. The findings indicate that, despite recent advances in laws, guidelines and manuals tailored to education, there are persistent weaknesses related to the lack of data governance, algorithmic opacity, excessive data collection, limited risk assessment and low participation of school communities in setting rules for technology use. The article argues that effective implementation of the data protection law in digital educational platforms requires an articulation between legal compliance, ethical responsibility and pedagogical projects, supported by data governance policies, continuing professional development, transparency and social participation. Keywords: General Data Protection Law; Digital educational platforms; Artificial intelligence; Ethics; Public school systems.
- New
- Research Article
- 10.30574/wjaets.2025.17.2.1507
- Nov 30, 2025
- World Journal of Advanced Engineering Technology and Sciences
- Faisal Syafar
Background: Healthcare institutions are high-value targets for cybercriminals. In Indonesia, digitalization of patient records and national regulatory changes (Personal Data Protection law) have increased both attack surface and legal obligations for hospitals. Objectives: This study quantifies plausible attack incidence and operational consequences for a representative mid-sized Indonesian hospital, and evaluates mitigation effectiveness of a socio-technical defense framework combining Zero Trust, staff training, and regulatory compliance. Methods: We synthesized public incident data and peer-reviewed literature (2019–2025) and constructed a rationalized, plausible dataset representing one mid-sized public hospital (300 beds) and five small private clinics in a provincial health system. We simulated ransomware/phishing incidents and measured operational impacts (downtime, cancelled elective procedures, data exposure estimates) and costs (direct IT recovery + indirect clinical costs). Results: Our simulated baseline (current typical security posture) returned an annualized incident probability of 0.38 for at least one major ransomware event per facility, average electronic system downtime of 48–72 hours per incident, mean direct recovery cost USD 120k per major incident, and estimated indirect clinical costs (delays, diversions, lost revenue) USD 180k. Implementing a socio-technical defense package reduced successful major incidents by 76%, median downtime by 85%, and combined annualized cost by ≈70%. Conclusion: Indonesian healthcare institutions face materially elevated cyber risk; pragmatic investments in Zero Trust architectures, staff education, robust backups, and compliance with the Personal Data Protection law yield strong risk reduction and business continuity gains. Policy action, national incident-sharing, and subsidized cybersecurity support for resource-limited hospitals are recommended.
- New
- Research Article
- 10.54751/revistafoco.v18n11-292
- Nov 29, 2025
- REVISTA FOCO
- José Dos Santos Machado + 3 more
Generative Artificial Intelligence (GAI) is derived from Artificial Intelligence that uses deep learning techniques to consequently generate new, human-like content, such as text, images, audio, and video. The objectives of this study were to conduct a review of the legal challenges related to copyright in the use of GAI, to formulate questions about these challenges, to query the five most popular chatbots, and to analyze their responses in comparison to the current literature. A Scoping Review was conducted using the criteria of Cochrane Systematic Reviews combined with PRISMA, in the Scopus database. Through selection and classification methods, 86 articles were analyzed, indicating that the main challenges were: the lack of clear legislation defining who holds the rights to works and content created by GAI, the practice of web scraping in model training that violates data protection laws (LGPD), and the lack of regulation regarding the use of this technology for academic and scientific production in universities. When asked about these challenges, five of the most popular chatbots answered in agreement with the scientific literature. The technology exists, and its use must be regulated so that, in the future, it does not go from being a promising technology to becoming one that violates the law.
- New
- Research Article
- 10.47191/ijmra/v8-i11-71
- Nov 29, 2025
- INTERNATIONAL JOURNAL OF MULTIDISCIPLINARY RESEARCH AND ANALYSIS
- Benedictus Satryo Wibowo
Artificial Intelligence (AI) based credit scoring systems have rapidly transformed lending practices in Indonesian banking. AI enables automated assessment using non-traditional variables, including digital footprints, e-commerce behavior, and mobile device metadata. While this innovation enhances efficiency and financial inclusion, it also creates significant legal and ethical challenges. Existing regulations, Bank Indonesia regulations, OJK regulations on risk management, and the Personal Data Protection Law have not yet provided a comprehensive and specific framework for algorithmic transparency, fairness, and liability in automated decision-making. This article examines the regulatory gaps in Indonesian laws related to AI-driven credit scoring, evaluates the risks of algorithmic bias, and formulates a normative model for consumer protection. Using a normative juridical method, this paper compares Indonesia’s regulatory landscape with global frameworks such as the EU Artificial Intelligence Act, OECD AI Principles, and U.S. fair lending rules. The study finds that the Indonesian financial regulatory regime lacks clear provisions on explainability, auditability, and accountability for AI decisions. It concludes that regulatory reform is required to mitigate discrimination risks and strengthen legal certainty for consumers and financial institutions.
- New
- Research Article
- 10.55606/jutiti.v5i3.6290
- Nov 28, 2025
- Jurnal Teknik Informatika dan Teknologi Informasi
- Hana Khairunnas + 5 more
Unauthorized access incidents often occur stealthily, with password spraying attacks resulting in the misuse of legitimate credentials. This study reconstructs a real-world incident using system logs from Identity Provider/Single Sign-On (IdP/SSO), Security Information and Event Management/Endpoint Detection and Response (SIEM/EDR), and application-level sources. The attack techniques were mapped to the MITRE ATT&CK framework, focusing on T1110 (Brute Force) and T1078 (Valid Accounts). A Data Protection Impact Assessment (DPIA) was conducted based on the Indonesian Personal Data Protection Law (Law No. 27 of 2022), complemented by a gap assessment against ISO/IEC 27001 and 27002 controls. The results show that the attack’s success was driven by incomplete Multi-Factor Authentication (MFA) deployment, the continued use of legacy/basic authentication, weak adaptive rate-limiting and lockout mechanisms, and a monitoring system limited to alert-only functions. The DPIA identified exposure of thousands of personal data records with medium-to-high privacy risks, particularly concerning confidentiality breaches and identity impersonation, necessitating possible notification to authorities and affected data subjects. The study recommends enforcing MFA across all access channels, disabling legacy authentication, implementing risk-based or step-up authentication, activating automatic blocking for password spraying and impossible travel anomalies, extending DPIA coverage during control changes, and updating the Statement of Applicability to reflect modern security controls. Strengthening identity protection and adopting preventive monitoring are shown to significantly reduce privacy risks while easing compliance obligations.
- New
- Research Article
- 10.51473/rcmos.v1i1.2025.1750
- Nov 27, 2025
- RCMOS - Revista Científica Multidisciplinar O Saber
- Kelly Beatriz Sousa Do Nascimento + 1 more
The exponential expansion of digital technologies, while reconfiguring social and economic dynamics, catalyzes the proliferation of cybercrime, imposing critical challenges to the traditional penal system. This article investigates to what extent the General Personal Data Protection Law (Law No. 13,709/2018) operates as a strategic instrument in preventing and repressing digital criminal conduct and identifies the main obstacles to its application in the criminal sphere, notably in the typification, investigation, and sanctioning of crimes. Methodologically, the study is based on a narrative and doctrinal bibliographic review, consulting specialized scientific databases such as SciELO and Google Scholar. The results show that, although the LGPD constitutes an essential normative advance for privacy protection, its contribution to criminal repression is severely limited by the absence of specific typifications in the Penal Code and the transnational complexity of virtual environments. It is concluded that the criminal protection of personal data requires a systemic reform, demanding the development of more robust legal instruments, massive investment in institutional capacity-building for legal operators, and the urgent strengthening of international legal cooperation to effectively combat cybercrime.
- New
- Research Article
- 10.1093/ojls/gqaf038
- Nov 27, 2025
- Oxford Journal of Legal Studies
- Nadezhda Purtova + 1 more
Abstract This article critiques the fixation on data as an object of regulation for addressing a broad range of digital problems. We challenge the idea that data are always the appropriate regulatory targets for addressing information-related problems, specifically in the context of data protection and the General Data Protection Regulation (GDPR). The GDPR tackles a broad range of digital problems by regulating personal data. This results in regulatory imprecision. Framing digital problems as (personal) data problems often does not reflect the causal processes law aims to control, pre-empts modernising traditionally non-digital legal domains, such as consumer and labour law, and distracts from what is really problematic and in need of regulatory intervention. Drawing on theories of regulation and information, we distinguish between two different causal processes underlying information-induced problems: semantic (meaning-driven) and syntactic (meaning-agnostic). We propose a roadmap for improving legal protection against information-related problems.
- New
- Research Article
- 10.3390/electronics14234648
- Nov 26, 2025
- Electronics
- Hessah A Alsalamah + 7 more
Assisted Reproductive Technology (ART), particularly In Vitro Fertilization (IVF), generates highly sensitive medical data classified as Protected Health Information (PHI) under international privacy and data protection laws. Ensuring the secure, transparent, and ethically governed management of this data is both essential and legally mandated. However, conventional Electronic Medical Record (EMR) systems often present significant challenges, including data-integrity risks, unauthorized access, and limited patient control—issues that become especially critical in contexts such as fertility preservation for cancer patients. EmbryoTrust introduces a blockchain-based framework designed to ensure the confidentiality, integrity, and availability of IVF-related information through a private, permissioned network integrated with role-based access control (RBAC). Smart contracts, implemented in Solidity on the Ethereum platform, verify spousal identities and enforce data immutability in compliance with religious legislation and ethical regulations. Off-chain data are stored in MongoDB for scalable, privacy-preserving management, while on-chain summaries provide tamper-evident traceability and verifiable auditability. The system was deployed and validated on the Ethereum Holešky testnet using Solidity 0.8.21 and Node.js 18.17, achieving an average transaction-confirmation time of 2.8 s, 99.9% uptime and a 95% user-satisfaction rate. Functional, integration, and usability testing confirmed secure and efficient data handling with minimal computational overhead. Comparative analysis demonstrated that the hybrid on-/off-chain architecture reduces latency and gas costs while maintaining automated compliance enforcement. The modular design enables adaptation to other jurisdictions by reconfiguring ethical and regulatory parameters within the smart-contract layer, ensuring flexibility for global deployment. 
Overall, the EmbryoTrust framework illustrates how blockchain logic can technically enforce medical and ethical rules in real time, providing a reproducible model for secure, culturally compliant, and privacy-preserving digital-health information management. Its alignment with Saudi Vision 2030 and the World Health Organization (WHO) Global Strategy on Digital Health 2020–2025 highlights its potential as a scalable solution for next-generation ART information systems.
- New
- Research Article
- 10.64823/ijter.2507011
- Nov 26, 2025
- International Journal of Technology & Emerging Research
- Fionna Ananth + 1 more
Schools play a vital role in student health but often lack real-time medical updates. Traditional parental reporting of student illnesses is slow and prone to errors. This paper proposes integrating hospital Electronic Health Records (EHRs) with the Educational Management Information System (EMIS) for real-time health monitoring and automated medical leave certification. The system uses FHIR/HL7-compliant APIs to securely send medical updates and leave certificates from hospitals to schools. Role-based access control (RBAC) and encryption ensure compliance with data protection laws. When a student is diagnosed, hospitals update the EHR, generating a digital medical leave certificate that is instantly sent to EMIS, allowing schools to update attendance and support remote learning. This integration improves emergency response, automates leave tracking, prevents fraud, and enhances communication between schools, parents, and healthcare providers. Anonymized data can also help government agencies track disease outbreaks. Challenges like data privacy, interoperability, and adoption resistance are addressed through encryption, standardized protocols, and pilot testing. Future research will explore AI-driven health risk prediction and blockchain-based medical leave verification. By connecting healthcare and education, this system enhances student safety, reduces administrative burdens, and improves communication among stakeholders.
- New
- Research Article
- 10.64753/jcasc.v10i2.2146
- Nov 25, 2025
- Journal of Cultural Analysis and Social Change
- Hanan Alnasser
Personal data has become a source of debate recently. Organizations can use these data to be innovative and efficient in accessing individuals. However, the handling of these data varied among organizations, making the usage turn from technical error to moral failure. This paper reviews and compares the legal systems in the European Union (General Data Protection Regulation (GDPR)), American law (California’s Consumer Privacy Act (CCPA)), and Saudi Arabia’s Personal Data Protection Law (PDPL). These laws deal with negligence. The methodology of this study is a qualitative, doctrinal method, and the study utilizes Tort Theory, Accountability Theory, and Shariah Jurisprudence (Fiqh Al-Muamalt) to investigate how laws and ethics work to protect personal data. The findings showed that GDPR and CCPA have pushed negligence far beyond its traditional role in tort theory, going beyond compensating for harm to constant vigilance. On the other hand, in Saudi Arabia, the framework is still being developed and lacks an independent system of enforcement. However, the Shariah principles have addressed these issues of negligence by acts such as trust, responsibility and prevention of harm. This makes protecting data in Saudi Arabia not a legal issue alone but an ethical and moral expectation.
- New
- Research Article
- 10.36418/syntax-literate.v10i11.62337
- Nov 25, 2025
- Syntax Literate ; Jurnal Ilmiah Indonesia
- Sugianto Sugianto + 2 more
This research aims to implement an AI-driven system for managing Records of Processing Activities (RoPA) and Data Protection Impact Assessments (DPIA) at Bank XYZ to comply with Indonesia’s Personal Data Protection Law (PDPL). The research uses a qualitative approach, incorporating case studies and interviews to investigate the AI system’s impact on improving compliance, efficiency, and data security within the banking sector. Initial results show significant improvements in the accuracy and speed of processing personal data protection documents. The AI system simplifies the management of RoPA and DPIA and promotes a robust compliance environment by adhering to national and international data protection standards. It is recommended to continually advance AI and provide ongoing training to address emerging data security and privacy challenges.
- New
- Research Article
- 10.1186/s12909-025-08157-9
- Nov 24, 2025
- BMC Medical Education
- Mieke Embo + 5 more
Background: When using ePortfolios in healthcare education, the collection and processing of personal data from various stakeholders, also known as data subjects (e.g., students, mentors, supervisors) is inevitable. This is why it is crucial to identify the stakeholders who need to comply with legal obligations imposed by data protection law, and to assess the legal grounds for processing personal (health) data. Research on the legal aspects of such ePortfolios is lacking. Therefore, the aim of this study was to identify and document the data protection requirements for ePortfolios in clinical healthcare education that apply in the EU. Methods: Desk research based on a traditional legal analysis of legislation, policy documents, guidelines, case law, and legal doctrine was performed during a multidisciplinary ePortfolio research project. Results: The analysis resulted in a description of the relevant EU data protection requirements covering the Charter of Fundamental Rights and the General Data Protection Regulation, a translation of these legal requirements into the context of ePortfolios in clinical healthcare education and the formulation of recommendations for data protection compliance based on these insights: (1) the duties and responsibilities of educational institutions and the healthcare student must be clarified in an agreement before the start of an internship, (2) ‘(substantial) public interest’ is the most appropriate legal basis for the processing of health data in ePortfolios, and (3) adequate and appropriate measures to protect the fundamental rights and interests of the data subjects must be provided. Conclusion: This study contributes to the limited literature on the legal aspects of the use of digital technologies, such as ePortfolios, in healthcare education. There is a need for rigorous evidence on how to design legally compliant ePortfolios for healthcare education.
- New
- Research Article
- 10.30649/ph.v25i2.449
- Nov 24, 2025
- Perspektif Hukum
- Irma Seliana + 1 more
Telemedicine has become a fundamental part of modern healthcare delivery, transforming the contractual and liability relationships between healthcare providers and consumers. In Indonesia, the growing use of telemedicine raises complex issues in civil law, particularly concerning consumer protection, data privacy, and accountability for malpractice. This study aims to analyze the legal protection of telemedicine consumers under Indonesian law specifically Law No. 8 of 1999 on Consumer Protection, the Civil Code, and sectoral health regulations and to evaluate the civil liability of telemedicine providers when harm or loss occurs. Using a normative juridical (doctrinal) approach, this research employs statutory, conceptual, and comparative methods. The study reviews current laws such as the Health Omnibus Law (Law No. 17 of 2023), the Personal Data Protection Law (Law No. 27 of 2022), the Ministry of Health Regulation No. 20 of 2019 on Telemedicine, and Government Regulation No. 28 of 2024 as its implementing regulation. Findings indicate that Indonesia’s legal framework remains fragmented, with unclear boundaries between consumer law and health regulations. Comparative analysis with international standards reveals the need for a harmonized civil law framework to ensure accountability, guarantee patient rights, and strengthen consumer protection in digital health services.
- New
- Research Article
- 10.1093/idpl/ipaf026
- Nov 23, 2025
- International Data Privacy Law
- Jingru Wang
Transferring data to foreign authorities under Chinese data protection law