August 1, 2025
YOGYAKARTA – A recent White House press release, “Fact Sheet: The United States and Indonesia Reach Historic Trade Deal,” highlights a significant development regarding cross-border data transfer. Under the “Removing Barriers for Digital Trade” section, it states that Indonesia will recognize the US as a country or jurisdiction providing “adequate data protection” under Indonesian law.
This recognition aims to provide certainty for transferring personal data from Indonesia to the US. While American companies have sought these reforms for years, it is crucial to understand that this is not simply about “transferring” all Indonesian citizens’ personal data to the US. Instead, it signifies that US tech companies are expected to act as personal data controllers compliant with Indonesia’s Law No. 27/2022 on Personal Data Protection.
This raises a critical question: what does Indonesian law actually say about cross-border data transfer? According to Law 27/2022, such transfers are permitted only if the receiving country offers an adequate or higher level of data protection, there is explicit consent from the data subject and the transfer is based on binding contracts ensuring data protection.
Furthermore, the Indonesian government is responsible for overseeing the implementation of personal data protection, and Article 58 mandates that personal data controllers transferring data overseas must ensure legal and technical guarantees, subject to supervision by a yet-to-be-established Data Protection Authority.
Given this context, what can Indonesia learn from global best practices, and what is truly at stake if this deal comes into force?
Indonesia can draw valuable lessons from the European Union’s cautious and rights-based approach to cross-border data transfers, particularly through the landmark Schrems I and II rulings by the Court of Justice of the European Union (CJEU). In both cases, the court invalidated data transfer frameworks between the EU and the US: Safe Harbor in 2015 and Privacy Shield in 2020. The primary reason for these annulments was that US surveillance laws, such as FISA Section 702, allowed excessive government access to personal data without sufficient safeguards or legal remedies for non-US citizens.
These decisions underscore the EU’s firm stance that any third country receiving personal data must uphold a level of protection comparable to the EU’s General Data Protection Regulation (GDPR).
For Indonesia, which has just begun implementing Law 27/2022, the EU’s example offers a crucial reminder: Data transfers should not be driven solely by trade interests, but must also be grounded in solid legal protections, institutional readiness and a genuine commitment to individual privacy rights, even when negotiating with powerful economies like the US.
The US remains one of the only major economies without a comprehensive federal data protection law. Its intelligence laws, like FISA Section 702, permit broad surveillance of non-US citizens, including foreign data subjects whose information is processed on US servers.
Compounding this issue, Indonesia itself is not yet institutionally prepared to safeguard its citizens’ data in cross-border contexts. The implementing regulations of the Personal Data Protection Law are still being finalized, and the Data Protection Supervisory Body, mandated under Article 58, remains non-existent. This means there is no independent authority to assess whether the US offers “adequate protection,” or to supervise data transfers, conduct audits or impose sanctions. In short, Indonesia is entering into a legally binding digital handshake with its eyes half-closed.
Indonesia’s digital economy, particularly its data center industry, is positioned to become a regional leader, partly due to previous commitments to data localization. However, the government’s willingness to grant exemptions for US-based companies could undercut this competitive edge.
Article 20 of Law 27/2022 clearly stipulates that personal data controllers providing services in Indonesia are required to process and store personal data within Indonesian territory, unless specific criteria for cross-border transfers are met. If this obligation is suspended or relaxed under pressure from US trade negotiators, local data centers stand to lose major clients, especially multinational cloud and platform providers.
This creates a chilling effect not only on foreign investment in Indonesian digital infrastructure, but also on long-term digital sovereignty. Why should companies invest in Indonesia-based infrastructure when they are allowed to simply route data back to US servers?
At its core, this deal reflects an unsettling asymmetry in how digital sovereignty is respected, depending on who holds the power. The US has repeatedly voiced concern over foreign apps like TikTok storing US user data in Chinese territory, citing national security and surveillance risks. Yet, through this Indonesia-US trade framework, the US is now demanding the very same data access it vehemently opposes when the tables are turned. This raises a fundamental question: is Indonesia’s weaker bargaining position being exploited to override its own legal principles?
The implications stretch beyond privacy and into the realm of democratic vulnerability. History shows us how personal data, when misused, can be weaponized, as seen in the Cambridge Analytica scandal, where data harvested from Facebook users was exploited to manipulate electoral outcomes across multiple democracies.
With no independent oversight body and no guarantee of redress, Indonesian citizens’ data, especially political profiling, behavioral data and social media activity, could be harvested and repurposed by US-based entities, intelligence bodies or even Indonesian political actors with strong ties to foreign interests, to influence elections, shape narratives and tilt democratic processes in their favor.
In an age where AI-driven micro-targeting can be used to sway public opinion, handing over such sensitive digital infrastructure to a foreign power is not just a technical matter. Rather, it is a strategic risk.
In a time when US foreign and trade-related policies are uncertain and hard to predict, Indonesia’s agreement to recognize the US as an “adequate” destination for personal data transfers may seem like a technical regulatory decision, but it has far-reaching consequences.
While it does not necessarily mean “selling” our privacy, regulatory and technical weaknesses remain. Without a functioning data protection authority, fully enacted regulations or proper oversight mechanisms, this move risks turning Indonesia into a passive data exporter, without the tools to protect its citizens from surveillance, profiling or manipulation. It also undermines the growth of the local digital economy and sets a dangerous precedent for future negotiations, where sovereignty may be traded away under the guise of trade liberalization.
If privacy is indeed a human right, then it cannot be subordinated to trade convenience or geopolitical pressure. Indonesia must ensure that any cross-border data framework is grounded in reciprocity, enforceable protections and democratic accountability. Until then, this deal deserves public scrutiny.
The writer is executive manager at Intellectual Property, Law and Technology Centre, Islamic University of Indonesia (UII), Yogyakarta. The views expressed are personal.