Indonesian PDP Law and Software Protection: Legitimate Interest for Software Companies in Combating Software Counterfeiting

Current technological advancements have fostered a growing awareness of the significance of intellectual property rights. Nevertheless, not everyone fully comprehends such importance. Many people, while appreciating the creative works of others, often find the cost of acquiring legitimate intellectual property to be prohibitive. As a result, a substantial number resort to acquiring counterfeit versions of software in Indonesia, making illegal software installation (without a license) a prevalent issue in the country. Software counterfeiting is more prominent due to the costs of licenses, and it’s not limited to individuals; even companies also engage in unauthorized usage for various purposes. Further discussion about software protection in Indonesia can be accessed here

In the context of software counterfeiting, where software companies are usually copyright holders, they have the right to seek compensation for losses resulting from counterfeit software. This principle is provisioned in Indonesia’s Copyright Law (Law No. 28 of 2014 regarding Copyright Law), specifically in Article 96(1) of Law No. 26 of 2014, which states that “Creators, copyright holders, related rights holders, or their heirs who suffer economic losses have the right to claim compensation.” Furthermore, from a criminal perspective, this matter is addressed in Article 113(3) of the Copyright Law, which stipulates, “Any person who, without right and/or without permission from the creator or copyright holder, commits an infringement on the economic rights of the creator as referred to in Article 9(1) (a), (b), (e), and/or (g) for commercial use, shall be subject to a maximum prison sentence of 4 (four) years and/or a fine of up to IDR 1,000,000,000.00 (one billion Indonesian Rupiah).” This legal provision serves as a significant deterrent against software counterfeiting, underscoring the serious consequences associated with such actions.

The initial question addresses a significant challenge regarding how a software copyright owner can ascertain instances of copyright infringement. Indeed, identifying copyright violations in software is not as straightforward as recognizing infringements that occur in tangible, physically observable works, such as film piracy or art plagiarism. The copyright owner must undertake comprehensive tracking or audits to obtain evidence of copyright infringements upon their products (re: software). Software companies typically employ advanced detection systems to identify unlicensed software usage. Information on the presence of such a security system is usually informed to the user in the software End User License Agreement (EULA) that users should agree to early on before operating the software. This process includes detecting various elements such as the IP address, MAC address, registration email, and identifying the users or entities using counterfeited software, whether for personal or business use. This system is often called “digital forensics“. These actions are carried out by the copyright owner to satisfy and compile evidence of the transgressions committed by the alleged infringer, with the aim of unequivocally demonstrating that an individual has indeed violated copyright. From a copyright perspective, Copyright holders have the legitimate right to safeguard their copyrights as outlined in Article 96 of the Indonesian Copyright Law, as previously mentioned, and further under Article 99, whereby copyright holders, or related rights owners have the entitlement to initiate a compensation claim through the Commercial Court for infringements related to copyright or related rights. To initiate this process, copyright owners are obligated to present initial evidence of copyright infringement, along with clear information concerning the items and/or documents required for evidentiary purposes. This procedure serves a dual purpose: it enables the Commercial Court to issue interim measures to cease the infringement and prevent further harm resulting from the copyright violation. 

One could say that a digital audit by the copyright owner could violate the privacy rights of the computer or device owner suspected of infringement. Those engaged in, or suspected of engaging in such infringements, often attempt to shield themselves from personal data protection or, previously, may have sought refuge under Article 30 of the Electronic Information and Transactions Law (ITE Law), which states that “Every person intentionally and without right or against the law accesses the computer and/or electronic system of another person by any means.” Nevertheless, this does not legitimize the infringer’s concealment, for there is a violation at hand, and there are rights vested in the copyright owner and holder that must be upheld in the pursuit and realization of their economic rights.

Speaking of the right to privacy itself, the enactment of the Personal Data Protection Law (PDP Law) has undoubtedly forms a concrete foundation, not only for the data subject (in this case, the party involved in the infringement) but also for the copyright owner and or holder, which, in this context, refers to the software company. 

Article 20(2) of the PDP Law, which addresses the basis for data processing, delineates the fundamentals of data processing. In the author’s view, of the six bases provided, the most suitable and foundation applicable to the copyright owner (re: software company) is stipulated in Article 20(2)(f): “fulfillment of other legitimate interests by taking into account the purposes, needs, and balance of interests of the Personal Data Controller and the rights of the Personal Data Subject.” The PDP Law does not offer a detailed explanation of the specific meaning of “legitimate interest” in this context, and there have been no comments or judicial rulings to date that interpret the intended meaning of “legitimate interest” as specified in Article 20(1)(f). Nevertheless, the copyright holder has its functions as a data controller with a legitimate interest, which is to protect their economic rights as the copyright holder. This pursuit does not contravene the PDP Law or other relevant privacy regulations, as it is aimed at detecting violations of their intellectual property, i.e. software counterfeiting. 

Furthermore, the digital forensics conducted by the copyright holder is not the sole evidence in their possession. It is part of a broader investigative effort to substantiate suspicions of infringement. This includes obtaining consent from the data subject, as outlined in Article 20(1)(a) of the PDP Law, to physically visit the premises indicated in the IP address. Thus, the actions undertaken by the copyright owner to enforce their economic rights do not violate specific regulations, especially those governing personal data protection. Consequently, the claim of legitimate interest is not merely an assertion by the copyright owner, but rather, they have a justifiable foundation for enforcing their rights, and these actions are executed with the intent to safeguard those rights.


It can be concluded that copyright infringements, i.e. software counterfeiting, are prevalent in Indonesia. This issue needs to be effectively addressed to protect the rights of software copyright owners and uphold their economic rights. To detect and enforce these rights, the collection of evidence and the identification of software infringements are necessary. Typically, software companies have systems capable of identifying unauthorized software usage, which can be deemed a copyright violation. However, such detection methods are often associated with concerns over data subject privacy, particularly the alleged infringers. In essence, the PDP Law serves to safeguard the interests of copyright owners, as they possess a legitimate interest under the PDP Law, especially under Art. 20(2)(f). In other words, software companies can perform digital forensics on a computer or device suspected of copyright infringement without the owner’s consent. This is because the software company has a legitimate interest in protecting their copyright and enforcing their rights. Therefore, the alleged infringer cannot claim that the forensic actions are unauthorized, as they are legally valid.



Picture of Fitri Astari Asril
Fitri Astari Asril

More Posts