Application of the Regulation

GR 17/2025 shall apply to all public and private PSE which provides products, services and/or features that are intended for children use and/or can be accessible by children. Under GR 17/2025, “PSE” is defined as any individual, government body, business entity, or community that provides, manages, and/or operates an electronic system, either independently or in cooperation with others, for its own purposes or on behalf of others. Therefore, this regulation also applies to registered international PSEs (PSE asing). 

 

Age Requirement

GR 17/2025 provides a definition of a “Child” or “Children” as any person under (who is not yet) the age of 18. Further, GR 17/2025 provides “Age Range Classifications” where PSEs are required to provide information on the minimum age required to use the products, services or features to ensure “age-appropriate” content offered. The Age Range Classification are as follows:

(i)        3 to 5 years;
(ii)      6 to 9 years;
(iii)      10 to 12 years;
(iv)      13 to 15 years;
(v)       16 to under 18 years.

All PSEs must also take appropriate steps to verify that users meet the respective platform’s age requirements, which includes to confirm that the child is above the minimum age (3 years) and falls within the appropriate Age Range Classification.

Further, when an account registration requires for the use of the respective platform, it may only be permitted with the following conditions:

(i)        for Children under 13 years old - they may create an account related to products, services or features that are specifically designed for Children and classified as low-risk with obtaining parental consent;
(ii)      for Children between 13 to 16 years old - they may create an account related to products, services or features classified as low-risk with obtaining parental consent; and
(iii)      for Children between 16 to 18 years old - they may create an account related to all products, services or features with obtaining parental consent.

GR 17/2025 emphasizes the requirement to obtain parental consent and requires PSEs to create an appropriate mechanism for the collection of the consent from a Child’s parent and/or legal guardian before granting the access to Children. It further provides that PSEs shall provide a “reasonable” time frame for the respective parental consent to be obtained, which refers to 24hours indication. Specifically, for Children aged 17 years and above, the child may provide initial consent, but then the PSE is required to notify the parent or guardian and if no objection is received within 6 hours of such notification, the consent is deemed valid, and the service can be provided.

If parental consent is not obtained, or if consent is only provided by the child without the parental consent, the PSE must refrain from providing the service and must delete any data collected.

 

Assessment of Risk

One of the key requirement provided in GR 17/2025 is for the PSEs to conduct self-assessment to indicate whether it is a high risk or low risk to Children, which shall be carried out based on the following aspects:

(i)        contacting with unknown persons;
(ii)       exposed to pornographic content, violent content, content that is dangerous to life, and other content that is not suitable for Children;
(iii)      exploitation of Children as consumers;
(iv)      threatening the security of Children’s personal data;
(v)       causing addiction;
(vi)      disturbing the psychological health of Children; and
(vii)     physiological disorders of Children

If the assessment resulted in high value on one or more aspects above being covered, it shall be considered as high-risk.

 

Other obligations

The regulation explicitly sets out the obligations that shall be carried out by PSEs, which includes:

(i)        obtaining consent from the Children's parents or guardians;
(ii)       compiling an assessment of the impact of Personal Data Protection;
(iii)      configuring product, service, and feature settings that are specifically designed to be used or accessed by Children or that may be used or accessed by Children with a high level of privacy by default;
(iv)      providing complete, correct, accurate, and non-misleading information for users to understand the products, services, and features;
(v)       conducting education and empowerment of the digital ecosystem;
(vi)      providing notifications in the form of signs or signals in monitoring the activities or tracking the location of Children from products, services, and features;
(vii)     providing a choice of functions that are appropriate to the capacity and age of Children;
(viii)   firmly determining the party responsible for processing Children's Personal Data in the provision of toys or devices that allow the toys or devices to be connected to the internet;
(ix)     ensuring that the party appointed or collaborating with the PSE meets the provisions on Child protection; and
(x)       determining the officials or officers who carry out the function of protecting Personal Data.

Sanctions

GR 17/2025 provides sanctions that can be imposed by the Ministry of Communications and Digital (“COMDIGI”) that has the authority to supervise the implementation of the regulation including supervising all PSEs activities, and when there is a suspected violation, administrative sanctions in the forms of the following may be imposed:

(i)       written warning;
(ii)       administrative fine;
(iii)      temporary suspension; and/or
(iv)      access termination.

 

Transitional Period

GR 17/2025 provides a two year transitional period for all PSEs to adjust their system, policies and operational implementation for the compliance with the regulation. COMDIGI is expected to further outline a ministerial regulation to implement further of this regulation.

 

How does this affect the Japanese Companies?

Japanese Companies that falls within the definition of PSE (domestic or foreign, public or private) should reassess the terms of use and privacy policy, to include requirements as sets out in GR 17/2025.

 

TMI Indonesia Practice Group