Penelitian ini bertujuan untuk menganalisis prinsip Privacy by Design (PbD) dalam kerangka hukum Indonesia, khususnya Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP), serta membandingkannya dengan standar global seperti General Data Protection Regulation (GDPR) dan APEC Privacy Framework. Selain itu, penelitian ini juga mengkaji secara empiris relevansi dan tantangan implementasi prinsip PbD dalam tata kelola layanan perizinan elektronik di Dinas Penanaman Modal dan Pelayanan Terpadu Satu Pintu (DPMPTSP) Provinsi DKI Jakarta yang berperan sebagai Penyelenggara Sistem Elektronik (PSE) lingkup publik.  Penelitian ini menggunakan metode penelitian hukum normatif-empiris (sosio-legal) dengan pendekatan perundang-undangan (statute approach), pendekatan konseptual (conceptual approach), dan pendekatan komparatif (comparative approach). Data yang digunakan meliputi data sekunder yang diperoleh melalui studi kepustakaan, serta data primer yang dikumpulkan melalui wawancara mendalam dengan pejabat di DPMPTSP DKI Jakarta. Analisis data dilakukan secara kualitatif dengan metode interpretasi hukum dan analisis deskriptif untuk memberikan gambaran komprehensif mengenai kesenjangan antara norma hukum dan praktik di lapangan.  Hasil penelitian menunjukkan kesimpulan: Pertama, bahwa meskipun UU PDP telah mengadopsi esensi PbD secara implisit melalui ketentuan prinsip pemrosesan, penilaian dampak, dan langkah teknis operasional, ketiadaan mandat eksplisit seperti Pasal 25 GDPR menciptakan ambiguitas dalam penerapannya akibat belum adanya peraturan pelaksana. Kedua, secara empiris, DPMPTSP DKI Jakarta telah memiliki modalitas teknis yang kuat, terbukti dengan sertifikasi ISO 27001, pelaksanaan uji kerentanan rutin, dan kebijakan segmentasi data sensitif. Namun, implementasi PbD masih bersifat parsial dan belum terinstitusionalisasi secara kokoh dalam tata kelola. Ketiga, Hambatan utama meliputi dinamika regulasi pusat yang sangat cepat yang seringkali menggeser fokus privasi demi fungsionalitas layanan, ketiadaan Pejabat Pelindungan Data (DPO) formal yang menyebabkan pengawasan internal terfragmentasi, serta keterbatasan teknis dalam manajemen siklus hidup data, khususnya proses pemusnahan data yang masih manual.  

This research aims to analyze the principles of Privacy by Design (PbD) within the Indonesian legal framework, specifically Law Number 27 of 2022 concerning Personal Data Protection (PDP Law), and to compare it with global standards such as the General Data Protection Regulation (GDPR) and the APEC Privacy Framework. Furthermore, this study empirically examines the relevance and challenges of implementing PbD principles in the governance of electronic licensing services at the Investment and One-Stop Integrated Service Agency (DPMPTSP) of DKI Jakarta Province, which serves as a public-sector Electronic System Operator (ESO).

This research employs a normative-empirical (socio-legal) methodology, utilizing a statute-based, conceptual, and comparative approach. The data used comprises secondary data from a literature review and primary data collected through in-depth interviews with key officials at DPMPTSP DKI Jakarta. Data analysis was conducted qualitatively, using legal interpretation methods and descriptive analysis, to provide a comprehensive overview of the gap between legal norms and their practical implementation.

The findings of this research indicate several conclusions: First, although the PDP Law has implicitly adopted the essence of PbD through provisions on processing principles, impact assessments, and technical-operational measures, the absence of an explicit mandate comparable to Article 25 of the GDPR creates interpretative ambiguity due to the lack of implementing regulations. Second, empirically, DPMPTSP DKI Jakarta possesses substantial technical capital, demonstrated by ISO 27001 certification, routine vulnerability testing, and sensitive data segmentation policies. However, PbD implementation remains partial and has not been firmly institutionalized within the governance structure. Third, the primary obstacles include rapid changes in central regulations that often prioritize service functionality over privacy, the absence of a formal Data Protection Officer (DPO), resulting in fragmented internal oversight, and technical limitations in data lifecycle management, particularly in manual data disposal processes.

Kata Kunci : privasi berbasis desain, pelindungan data pribadi, perizinan berusaha, DPMPTSP