The digital economy has grown at a pace few could have anticipated two decades ago. E-commerce platforms, ranging from global giants such as Amazon and Alibaba to regional platforms like Tokopedia and Shopee in Southeast Asia, now serve as the primary marketplace for billions of consumers. According to IBM (2024), the average global cost of a data breach reached USD 4.88 million, the highest figure ever recorded, underscoring the financial gravity of inadequate data protection systems (IBM Security, 2024). For e-commerce specifically, retail security incidents rose from 725 in 2023 to 837 in 2024, a 15% increase that signals a worsening threat environment (ISAC, 2024).
At the heart of this vulnerability lies personal data. Every transaction on an e-commerce platform involves the collection of sensitive information: names, addresses, payment credentials, browsing behavior, and purchase histories. These data points are not merely administrative records—they are assets, both to businesses seeking behavioral insights and to malicious actors seeking financial or reputational gain. The question of who is responsible for protecting this information, and under what legal framework, has therefore become one of the central questions of contemporary information law.
This article addresses that question through a structured academic inquiry. It examines existing legal frameworks, analyzes significant data breach incidents, considers expert perspectives from law and computer science scholarship, and evaluates the current state of Indonesia's data protection regime as a case study in emerging-economy compliance.
While prior scholarship has examined the GDPR–UU PDP comparison in general terms, a specific gap remains in the literature: the structural enforcement deficit within the e-commerce sector itself, existing studies tend to evaluate data protection frameworks at the legislative level without adequately interrogating why enforcement mechanisms fail specifically for e-commerce operators—a context defined by multi-party data supply chains, high MSME participation, and rapid technological change. This article addresses that gap by situating legal analysis within empirical evidence of breaches and governance critique, advancing the core argument that legislative enactment alone is insufficient without a sector-specific enforcement architecture and sustained institutional capacity.
Electronic commerce emerged as a commercial phenomenon in the 1990s, initially celebrated for its capacity to transcend geographic barriers and reduce transaction costs. The legal frameworks that governed commerce at the time—grounded in contract law, consumer protection statutes, and telecommunications regulations—were ill-equipped to address the unique characteristics of digital data flows. Personal information, once collected in physical form and stored in filing cabinets, now moves across national borders in milliseconds, processed by algorithms, shared with third-party vendors, and sometimes sold without the knowledge of the individuals to whom it belongs.
The foundational concern for data protection in commercial contexts is not new. As early as 1980, the Organisation for Economic Co-operation and Development (OECD) issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, establishing eight core principles, including collection limitation, data quality, purpose specification, and individual participation, that would later inform national and regional legislation worldwide (OECD, 2013). Yet it was not until the European Union enacted the General Data Protection Regulation (GDPR) in 2016, applicable from May 2018, that a comprehensive and enforceable international standard emerged.
The GDPR represented a paradigmatic shift. By establishing individual rights (including the right to erasure, the right to data portability, and the right to object to automated decision-making), imposing obligations on data controllers and processors, and threatening fines of up to 4% of global annual turnover, the GDPR forced multinational companies to treat data protection as a legal and commercial imperative rather than an optional best practice. In the years following its implementation, other jurisdictions including Brazil, South Korea, and Indonesia (UU PDP, 2022), enacted their own comprehensive frameworks, many of them inspired by the GDPR's structure.
Indonesia's digital commerce environment provides a particularly instructive context. With over 200 million internet users and a rapidly expanding e-commerce market, Indonesia has experienced several high-profile personal data breaches that exposed the vulnerabilities of both private platforms and public agencies. The enactment of Law No. 27 of 2022 on Personal Data Protection (UU PDP) marked a watershed moment for the country's approach to digital rights—but as subsequent sections of this article will demonstrate, enactment is only the first step.

2.1. Conceptual Foundations of Personal Data Protection
Scholars of information law have long distinguished between two competing visions of data protection. The first treats privacy as a fundamental human right, grounded in constitutional dignity and autonomy. This perspective, championed by theorists such as Westin (1967) in his landmark Privacy and Freedom, holds that individuals possess an inherent interest in controlling information about themselves. The second vision treats data protection primarily through a market-efficiency lens, viewing personal information as an economic good subject to contractual exchange and consumer choice. The tension between these perspectives informs virtually every contemporary regulatory debate.
Warren and Brandeis (1890) first articulated the concept of a 'right to be let alone' in American legal discourse, a formulation that influenced privacy theory for over a century. More recently, Solove (2006) proposed a taxonomy of privacy harms—including information collection, aggregation, insecurity, and intrusion—that maps well onto the specific risks posed by e-commerce platforms. Solove argued that privacy cannot be adequately understood through a single unifying theory; instead, context matters, and the law must respond with contextually sensitive rules. This insight has direct relevance for e-commerce, where the acceptable use of personal data depends heavily on the reasonable expectations of consumers at the time of collection.
Bygrave (2014) offers a comparative legal analysis of data protection law across multiple jurisdictions, identifying convergence around key principles (transparency, proportionality, and individual rights) while noting significant divergence in enforcement architecture and cultural attitudes toward privacy. His work underscores the difficulty of achieving genuine harmonization in an international digital marketplace—a problem that platforms operating across borders continue to navigate.
Taken together, these foundational scholars reveal a persistent tension that structures the entire field: a rights-based camp, represented by Westin and Solove, argues that data protection must be grounded in individual dignity and contextual integrity, resisting reduction to contractual exchange; while a market-based camp treats consumer consent and competitive incentives as the primary regulatory mechanisms. Bygrave's comparative work demonstrates that neither approach has proven fully adequate in isolation—effective frameworks tend to combine rights-protective floors with market-compatible flexibility. For e-commerce specifically, this synthesis matters: platforms operate simultaneously as commercial actors subject to market discipline and as custodians of personal information that carries constitutional weight. The regulatory analysis in subsequent sections evaluates Indonesia's UU PDP against this dual standard.

2.2. Regulatory Frameworks: From GDPR to UU PDP
The GDPR is widely regarded as the most influential data protection regulation in the world. Kuner et al. (2020) describe it as a 'regulation of global reach' that effectively exports European privacy norms to any entity that processes the personal data of EU residents, regardless of where that entity is established. For e-commerce platforms, this means that a Tokopedia seller accepting orders from an EU customer must, in principle, comply with GDPR requirements—a practical challenge that highlights the complexity of transnational data governance.
Comparatively, Indonesia's UU PDP has been described by scholars at Swiss German University (Yulianto, 2025) as a significant legislative advancement, largely modelled on the GDPR, that establishes personal data as a legal subject deserving of constitutional protection. The law distinguishes between general personal data (name, address, contact details) and specific (sensitive) personal data (biometric data, health information, financial records, and criminal history), imposing stricter requirements for the latter. Data subjects are granted rights to access, correction, deletion, and withdrawal of consent—rights that, once the implementing regulations and the planned Personal Data Protection Agency (Lembaga PDP) are established, will carry meaningful legal force.
However, scholars such as Judijanto (2024) have noted the risks of a 'legislation without enforcement' scenario, where the mere existence of a law provides false assurance without producing behavioral change. They argue that Indonesia's institutional framework—specifically the absence of an independent data protection authority as of 2025—leaves the UU PDP without adequate teeth. This assessment is echoed by comparative studies that highlight the EU's experience: even the GDPR, with its substantial fines and dedicated supervisory authorities, took several years to produce consistent enforcement outcomes across member states.

2.3. Consumer Trust and the Economics of Data Protection
Research consistently demonstrates a close relationship between data protection and consumer trust. A study by Strzelecki and Rizun (2022) found that approximately 65% of consumers affected by a data breach reported that they would likely cease doing business with the affected company. More strikingly, up to 80% of consumers stated they would abandon an e-commerce platform if they did not feel confident their data was secure. These figures have direct implications for platform operators: inadequate data protection is not merely a legal risk but a commercial liability.
Kumari et al. (2014), writing in Advances in Consumer Research, demonstrated that perceived privacy risk and hedonic motivation interact in complex ways in e-commerce decision-making. Consumers who derive high enjoyment from the online shopping experience may discount perceived risks, while those with high privacy salience may abandon platforms even in the absence of a confirmed breach. This behavioral complexity suggests that legal compliance alone is insufficient—platforms must also proactively communicate their data governance practices to build and sustain trust.
The economic dimensions of data breaches reinforce this point. IBM (2024) reported that lost business costs encompassing customer turnover, reputational damage, and operational downtime represented the largest single component of breach costs, averaging USD 1.63 million per incident. The global average cost per compromised record was USD 173, rising to USD 429 in the healthcare sector. For e-commerce retailers specifically, the FBI's Internet Crime Complaint Center reported USD 16 billion in total cybercrime losses in 2024, a 33% increase from the previous year.

This study employs a qualitative literature review methodology, consistent with approaches commonly used in legal and socio-legal scholarship. The qualitative literature review is appropriate for this research objective because it enables the systematic synthesis of existing legal texts, empirical studies, case reports, and expert commentary without requiring the collection of primary data. Rather than testing a quantitative hypothesis, this study seeks to construct an interpretive account of how personal data protection operates in e-commerce environments, drawing on a curated body of authoritative sources.
The research process involved four stages. First, a systematic search was conducted across academic databases, including Google Scholar, SSRN, and LexisNexis, using terms such as 'personal data protection AND e-commerce,' 'GDPR AND platform compliance,' 'UU PDP Indonesia,' and 'data breach AND consumer trust.' The initial search returned approximately 340 candidate sources. Inclusion criteria required that sources: (a) were published in peer-reviewed journals, authoritative legal commentaries, or reports from recognized international bodies; (b) were published between 2015 and 2025 (with foundational theoretical works before 2015 included selectively for conceptual grounding); and (c) directly addressed personal data protection in either a legal, regulatory, or empirical e-commerce context. Exclusion criteria eliminated sources that were non-English without available translation, lacked identifiable authorship, or originated from sources without editorial oversight. Following screening, 42 sources were retained for substantive analysis. To minimize selection bias, the author applied a multi-database approach, deliberately sought out sources critical of or divergent from the dominant GDPR model, and ensured geographic diversity by including scholarship from the Indonesian, ASEAN, European, and global contexts.
Second, publications were screened for relevance and quality, prioritizing peer-reviewed journal articles, authoritative legal commentaries, and reports from recognized international organizations (IBM, OECD, World Bank) published between 2015 and 2025. Third, data from identified sources were coded thematically around three core themes: (1) legal frameworks, (2) empirical breach evidence, and (3) governance challenges. Fourth, findings were synthesized and critically interpreted in light of the research questions.
This study acknowledges limitations inherent in the qualitative literature review approach. The selection of sources, while guided by explicit criteria, involves an element of researcher judgment. Additionally, because data protection law evolves rapidly, particularly in jurisdictions like Indonesia, where implementing regulations are still pending, some findings may require updating as new regulatory developments occur. These limitations are mitigated by the explicit documentation of search parameters and the triangulation of findings across multiple source types.

4.1. The Scale and Pattern of E-Commerce Data Breaches
The empirical record of data breaches in e-commerce is substantial and growing. The number of data compromises reported in the United States alone rose from 447 in 2012 to over 3,200 in 2023—a more than sevenfold increase in just over a decade. Globally, over 500 million records were exposed in breaches in 2021 alone (Kumari et al., 2014). These figures, while drawn from diverse sectors, reflect a trend that is particularly pronounced in consumer-facing digital commerce.
Table 1 below presents a chronological record of significant data breach incidents affecting e-commerce and related digital commerce platforms, with particular attention to incidents relevant to the Indonesian market and key global cases.

Table 1. Significant E-Commerce and Digital Platform Data Breach Incidents (2018–2024)

The pattern that emerges from Table 1 is not random. E-commerce breaches tend to target high-value data categories, such as financial credentials, national identity numbers, and behavioral profiles, and they disproportionately affect platforms with large user bases and limited security investment relative to the scale of their data operations. The 2020 Tokopedia breach, in which 91 million user records were reportedly sold on the dark web for approximately USD 5,000, illustrates how cheaply consumer data can be monetized once security perimeters are breached.
What makes the e-commerce context distinctive is the layered nature of its data processing architecture. Platforms do not merely process data themselvesthey rely on extensive networks of third-party vendors, payment processors, logistics providers, and marketing analytics firms, each of which represents a potential vulnerability. According to Shopify's 2024 Retail Cybersecurity Report, 30% of all retail breaches in 2024 involved a third-party compromise, nearly double the rate from 2023. This 'supply chain' dimension of e-commerce data risk has important implications for regulatory design: rules that apply only to the platform operator may leave significant portions of the data lifecycle unregulated.
The structural causes of these patterns warrant deeper analytical attention. The near-doubling of third-party breach rates in a single year is not incidental; it reflects a systemic governance failure in how platform operators manage downstream data custodians. Contractual data processing agreements, where they exist, frequently lack audit rights or minimum security standards—leaving the platform legally exposed but operationally blind to vendor vulnerabilities. This is compounded by a market concentration dynamic: smaller e-commerce operators and MSMEs, which lack the bargaining power of platforms like Shopee or Tokopedia, must accept standard vendor contracts with limited ability to negotiate data protection terms. The governance failure is therefore structural rather than merely technical: it originates in power asymmetries across the supply chain that regulation targeting only primary data controllers cannot adequately address. The legislative response—including Article 51 of UU PDP, which imposes liability on joint controllers and processors—is a meaningful attempt to close this gap, but without enforcement infrastructure, such provisions risk remaining aspirational.

4.2. Legal Frameworks: Strengths and Gaps
The GDPR, now in its seventh year of full enforcement, has produced a growing body of enforcement decisions that clarify the obligations of e-commerce operators. Notably, major platforms, including Amazon (fined EUR 746 million by Luxembourg's data protection authority in 2021), Meta, and Google, have faced significant sanctions for violations related to consent mechanisms and behavioral advertising. These cases establish that the GDPR's requirements are enforceable against the largest and most powerful digital actors, a precedent that strengthens the hand of consumers and regulators alike.
Indonesia's UU PDP, by contrast, entered into full legal effect on 17 October 2024, but without the institutional infrastructure necessary for credible enforcement. As of early 2025, the implementing government regulation (RPP PDP) had not been finalized—it was in its fourth harmonization process—and the national Personal Data Protection Agency had not yet been established (ICLG, 2025). This gap between legal text and institutional reality creates a period of regulatory uncertainty that may be exploited by non-compliant actors, particularly smaller e-commerce operators and MSMEs that lack the resources for proactive compliance.
A 2024 study by Swiss German University involving 126 Indonesian MSMEs found that compliance awareness was low, with limited technical knowledge, inadequate training resources, and an absence of structured governance frameworks identified as the primary obstacles (Yulianto, 2025). Larger corporations in banking, telecommunications, and major e-commerce platforms had generally progressed further in aligning with GDPR-equivalent standards, often driven by international business partner requirements rather than domestic regulatory pressure alone.

4.3. Key Legal Obligations Under UU PDP for E-Commerce Operators
Under Law No. 27 of 2022, e-commerce operators processing personal data of Indonesian citizens bear specific obligations regardless of where the platform is established—a provision that mirrors the GDPR's extra-territorial scope. Key obligations include: (1) obtaining explicit, informed consent before data collection; (2) limiting data collection to the minimum necessary for stated purposes; (3) appointing a Data Protection Officer (DPO) for large-scale or sensitive data processing operations; (4) conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities; (5) notifying data subjects and relevant authorities within a specified timeframe in the event of a breach; and (6) ensuring that international data transfers are conducted in compliance with established safeguards.
The law grants data subjects seven enumerated rights: the right to know the purpose and legal basis of processing; the right to access their data; the right to correct inaccurate data; the right to delete or destroy data; the right to withdraw consent; the right to object to automated processing; and the right to file objections regarding data processing decisions that have legal consequences for them. Non-compliance can result in administrative sanctions, fines of up to 2% of annual revenue, bans on data processing activities, and criminal liability for willful violations. These sanctions, though not yet actively enforced, signal a significant escalation of legal risk for non-compliant operators.

4.4. Discussion
4.4.1. The Gap Between Enactment and Enforcement
The central challenge facing personal data protection in e-commerce—not only in Indonesia but across many emerging economies—is the implementation gap: the distance between the legal text of a statute and the behavioral change it is intended to produce. Judijanto (2024) have characterized this as a structural problem arising from insufficient institutional capacity, limited judicial familiarity with data protection concepts, and the absence of a dedicated enforcement body. The lesson from more mature jurisdictions is instructive: the GDPR, despite the strength of its provisions and the sophistication of the EU's legal culture, produced minimal enforcement activity in its first two years largely because supervisory authorities were still establishing procedures and processing a backlog of complaints.
For Indonesia, this suggests that the period between the enactment of UU PDP and the eventual establishment of Lembaga PDP is not merely a bureaucratic transition—it is a critical window during which legal culture must be cultivated, organizational practices reformed, and public awareness elevated. More fundamentally, the analysis reveals an institutional failure that is not merely procedural: the absence of Lembaga PDP reflects a political economy in which data protection has historically been treated as a second-order priority relative to economic liberalization and platform growth. Closing the implementation gap will therefore require not only technical institution-building but a deliberate reorientation of regulatory philosophy—one that treats data protection as a precondition for sustainable digital commerce rather than a constraint upon it.

4.4.2. Technological Complexity and Platform Accountability
A recurring theme in the literature is the difficulty of applying law developed for identifiable actors to a technological environment characterized by distributed processing, algorithmic decision-making, and opaque data supply chains. Solove (2006) argued that privacy law tends to lag behind technological change because legislators and courts cannot anticipate how new data practices will affect individual interests. This is nowhere more evident than in e-commerce, where behavioral profiling, real-time bidding for advertising inventory, and AI-driven personalization systems process personal data in ways that consumers neither perceive nor understand.
The concept of 'privacy by design,' first articulated by Cavoukian (2009) and later codified in Article 25 of the GDPR, offers a promising response to this challenge. Rather than treating privacy as a compliance obligation imposed after systems are built, privacy by design requires that data protection principles be embedded into the architecture of platforms from the outset. For e-commerce operators, this means designing consent mechanisms that are genuinely meaningful rather than perfunctory; building data minimization into recommendation algorithms; and ensuring that third-party integrations are subject to contractual data protection obligations. The extent to which UU PDP's implementing regulations will incorporate privacy by design principles remains to be seen, but scholarly commentary (Yulianto, 2025) suggests that alignment with GDPR-equivalent standards is both feasible and advisable.

4.4.3. Consumer Literacy and the Consent Paradox
No discussion of personal data protection in e-commerce would be complete without addressing the consent paradox: the irony that the legal mechanism most commonly used to legitimize data processing—individual consent—is also the mechanism most routinely undermined by the information asymmetry between platforms and users. Consumers are presented with lengthy, opaque privacy policies that few read, and fewer still comprehend. Studies have estimated that reading the privacy policies of all services an average American uses annually would consume approximately 76 work days (McDonald & Cranor, 2008) a figure that has likely grown with the proliferation of digital platforms.
UU PDP's consent requirements, which mandate that consent be 'explicit and voluntary' and that data subjects receive specific information about the purpose, duration, and legal basis of processing, represent a meaningful step forward. However, without active enforcement and consumer education, these requirements risk becoming paper formalities. Scholars at Universitas Tarumanagara (FH Untar, 2025) have argued that genuine consumer empowerment requires not only legal rights but also digital literacy programs that enable individuals to exercise those rights in practice. This is a dimension of data protection policy that falls outside the conventional scope of legal scholarship but is essential to the social goals that data protection law is intended to serve.

4.4.4. Cross-Border Dimensions and International Harmonization
Indonesia's UU PDP, like the GDPR before it, adopts an extra-territorial scope that applies to any organization processing the personal data of Indonesian citizens, regardless of where that organization is established. This is a legally ambitious position that reflects the global nature of e-commerce but creates enforcement challenges when the data controller is located in a jurisdiction with different standards or limited diplomatic engagement with Indonesia.
As Cisometric (2025) has noted, Indonesia's recognition as a jurisdiction offering 'adequate' data protection by the EU—which would facilitate data transfers between the two regions—depends on factors including the establishment of Lembaga PDP, the finalization of implementing regulations, and demonstrated enforcement practice over time. The precedent set by the EU's Schrems I and II judgments, which invalidated the Safe Harbor and Privacy Shield arrangements with the United States because US surveillance law did not offer equivalent protection, illustrates the high standards that adequacy determinations impose. For Indonesian e-commerce operators seeking to engage European customers, or for European companies processing Indonesian consumer data, this regulatory uncertainty introduces tangible commercial risk.

Personal data protection in e-commerce platforms represents one of the defining legal challenges of the digital era. This article has demonstrated, through a qualitative review of legal texts, empirical data, and scholarly commentary, that the problem is multidimensional: it encompasses questions of institutional design, technology governance, consumer psychology, and international legal relations.
The enactment of Indonesia's UU PDP in 2022 represents a genuine legislative achievement that positions the country within the emerging community of states committed to comprehensive data protection. However, the article's findings underscore that legislation is a necessary but not sufficient condition for effective protection. The absence of an independent enforcement authority, incomplete implementing regulations, low compliance awareness among MSMEs, and the structural complexity of e-commerce data ecosystems all constitute significant obstacles that require sustained policy attention.
Several recommendations emerge from this analysis. First, the establishment of Indonesia's Lembaga PDP should be treated as a matter of urgency, with adequate resources and statutory independence to ensure credible enforcement. Second, implementing regulations should incorporate privacy by design requirements, mandating that e-commerce platforms embed data protection into their technical architecture rather than treating it as a compliance overlay. Third, the government and relevant civil society organizations should invest in digital literacy programs that enable consumers to exercise their rights under the UU PDP meaningfully. Fourth, Indonesia should pursue bilateral and multilateral data governance dialogues—including with ASEAN partners and the EU—to build toward mutual recognition frameworks that facilitate cross-border commerce while protecting consumer data. Fifth, sector-specific guidance for e-commerce operators, particularly MSMEs, should be developed to lower the compliance cost of legal adherence.
The stakes of this policy agenda are high. As the Advances in Consumer Research study (Kumari et al., 2014) demonstrated, up to 80% of consumers may abandon a platform they do not trust with their data. In a digital economy where consumer trust is the foundation of commercial viability, personal data protection is not merely a legal obligation—it is an economic imperative. Governments, platforms, and scholars who recognize this connection are better positioned to advance both the interests of consumers and the vitality of the digital economy that serves them.