In a bold move that underscores Indonesia’s digital sovereignty, a leading lawmaker has issued a sharp warning: any transfer of personal data to the United States must comply fully with Indonesia’s Personal Data Protection (PDP) Law. This uncompromising stance highlights growing concern over privacy risks and legal mismatches in emerging digital trade deals.
Representative Sukamta, Deputy Chair of DPR Commission I, emphasized that under Article 56 of Law No. 27 of 2022, personal data controllers may transfer data abroad only if the receiving jurisdiction offers equal or higher protection, and if adequate legal safeguards—such as audit rights and reciprocal protections—are in place.
He urged negotiators to uphold these safeguards and to view data transfers not merely as trade matters, but as core issues of national security, economic justice, and digital sovereignty.
If those conditions are unmet, Sukamta added, data controllers must secure explicit consent from the data subjects before proceeding with cross-border transfers. This requirement stems directly from the layered approach in the PDP Law: first check for adequacy of protection, then appropriate safeguards, and finally rely on individual consent if needed.
Simultaneously, government officials have sought to clarify the scope of the deal. The Ministry of Communication and Digital Affairs explained that the confidential trade agreement with the US does not permit unrestricted flows of Indonesian citizens’ data. Instead, it creates a tightly managed legal framework for certain digital services and commercial exchanges—which may involve data, but only under regulation and protection.
Meanwhile, the Presidential Communication Office stated that data sharing is limited to select commodities and strategic commercial purposes, such as identifying buyers of palm-based glycerin material, rather than wide-ranging submission of personal information.
Civil society voices, including ELSAM, have voiced strong concerns. They warn that Indonesia may unintentionally repeat mistakes similar to Europe’s invalidated Privacy Shield by failing to match US legal protections. They stress the absence of a federal data protection law in the US, which may expose Indonesians to mass surveillance under instruments like the FISA Section 702.
Analysts note that although Indonesia’s PDP Law began transition in October 2024, critical implementing regulations and a dedicated national data authority remain delayed. Sukamta called on the government to finalize both by early 2026 to fully operationalize the law’s protections.
