The landscape of personal data protection in Indonesia has undergone a significant evolution, shifting from a technical issue to a fundamental pillar of citizens’ constitutional rights. Article 28G (1) of Undang-Undang Dasar Negara Republik Indonesia Tahun 1945 states that “Every person shall have the right to protection of his/her own person, family, honor, dignity, and possessions, and shall have the right to feel secure.” This provision serves as the constitutional basis for the state’s obligation to protect individuals, including their personal data, which has become an integral part of one’s digital identity.
The rapid growth of technology and the increasing number of internet users have heightened the risks of personal data breaches. For years, Indonesia had only partial regulations scattered across various laws, such as Law No. 19 of 2016 concerning Information and Electronic Transactions (the ITE Law) and Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions. However, this legal framework was considered insufficient to address the complexities of data protection. In response, the Indonesian government issued Law No. 27 of 2022 on Personal Data Protection (PDP Law) in September 2022. This law is a significant milestone in Indonesia’s legal system, as it specifically regulates the rights and obligations of data subjects, as well as the responsibilities of data controllers and processors, for both electronic and non-electronic processing.
However, digital dynamics have now transcended national borders, leading to the legal implications of cross-border personal data transfers. This article highlights a recent trade agreement between Indonesia and the United States that includes a personal data transfer clause. The purpose of this article is to conduct a detailed analysis of the implications of this trade agreement and to identify legal avenues available to Indonesian citizens in the event of data breaches by U.S. entities. The analysis will cover practical challenges in cross-border law enforcement, including the extraterritorial jurisdiction of the PDP Law and existing institutional gaps.

The dynamics of personal data protection in Indonesia have entered a new phase with the issue of cross-border data transfers. This has come into sharp focus following the announcement of the Joint Statement on a Framework for a United States–Indonesia Agreement on Reciprocal Trade by the White House on July 22, 2025. This agreement is part of broader trade negotiations, where Indonesia committed to eliminating 99% of tariff barriers for U.S. products, while the U.S. would lower reciprocal tariffs on Indonesian goods to 19%.
A crucial point in this agreement is the clause that requires Indonesia to provide certainty regarding the ability to transfer personal data outside its territory to the United States. This is to be achieved through Indonesia’s official recognition of the U.S. as a jurisdiction that provides “adequate data protection” under Indonesian law. This recognition effectively creates a legal pathway for data transfers, which was previously strictly regulated by the PDP Law. The announcement sparked a heated debate with two different viewpoints. On one side, government officials, through Coordinating Minister for Economic Affairs Airlangga Hartarto and Minister of Communication and Digital Meutya Hafid, sought to reassure the public that data transfers would remain secure. They claim the process will be conducted within a framework of secure and reliable data governance under the strict supervision of Indonesian authorities, and that it will remain subject to the PDP Law. According to this view, the agreement provides legal certainty for U.S. companies operating in Indonesia, giving Indonesia a basis to demand their compliance with national privacy standards.
However, this perspective has faced sharp criticism. Civil society organizations like ELSAM have deemed the agreement “unfair” because it is perceived to favor the business interests of U.S. companies and could potentially lead to the commercialization of Indonesian citizens’ personal data. These concerns are heightened by the fact that the U.S. is a global hub for data brokerage and has a more fragmented and lenient regulatory oversight at the federal level. Hendra Suryakusuma, Chairman of the Indonesian Data Center Providers Organization (IDPRO), warned that this could erode Indonesia’s digital data sovereignty. Critics also highlight that recognizing the U.S. as providing “adequate data protection” risks weakening existing standards, especially if the derivative regulations of the PDP Law have not yet been enacted.
This tension arises from the fundamental difference between Indonesia’s comprehensive data protection framework (PDP Law) and the U.S. legal approach, which is more fragmented and sectoral.
Comparison of Personal Data Protection Clauses (Indonesian PDP Law vs. U.S. Regulations)

| Aspect | Indonesia Regulation (Law No. 27/2022) | U.S. Regulations |
|---|---|---|
| Legal Framework | A comprehensive Omnibus Law framework, covering all sectors and types of data. | Fragmented, consisting of various sectoral laws (e.g., HIPAA for health data, COPPA for children’s data) without a single comprehensive federal law for all sectors. |
| Jurisdiction | Applies extraterritorially to foreign data controllers who process the data of Indonesian citizens. | No single federal law with extraterritorial jurisdiction equivalent to the Indonesian PDP Law. Jurisdiction is subject to sectoral or state-level regulations. |
| Supervisory Authority | Mandates the establishment of an independent Personal Data Protection Authority (PDPA), which is accountable to the President. | There is no single body that functions as a PDPA. The Federal Trade Commission (FTC) has broad authority to prosecute unfair or deceptive data practices, but its main focus is on general competition and consumer protection, not specifically data privacy. |
| Data Subject Rights | Grants strong rights to data subjects, including the rights to access, correct, delete, and withdraw consent for data processing. | Individual rights vary depending on the applicable sectoral or state law. For example, the right to data deletion is not universally guaranteed across all sectors. |
| Sanctions | Administrative sanctions in the form of fines of up to 2% of annual revenue, as well as criminal and civil penalties. | Sanctions vary depending on the specific law violated (e.g., the FTC can impose financial penalties). Generally, the fine mechanism does not have a uniform standard like the Indonesian PDP Law. |
The legal foundation for enforcing regulations against foreign entities that process the personal data of Indonesian citizens is, in fact, quite robust. The PDP Law explicitly adopts the principle of extraterritorial jurisdiction, meaning it applies to data controllers, both public and private sector, who process the personal data of Indonesian citizens, even if the processing takes place outside Indonesia’s legal territory. This grants Indonesia the legal authority to demand compliance from major U.S. technology companies, such as Google and Amazon, whose data is inevitably processed abroad.
However, a strong legal foundation alone is not enough. The biggest and most pressing challenge facing Indonesia is the implementation gap. This gap stems from the failure to establish the independent supervisory body, referred to in the PDP Law as the Personal Data Protection Authority (PDPA). Articles 58 to 60 of the PDP Law mandate that this institution must be formed, as Article 74 of the PDP Law requires Data Controllers, Data Processors, and other parties involved in personal data processing to align their practices with the law by October 2024. As of July 2025, however, the establishment of the PDPA is still in the harmonization phase.
The absence of a PDPA creates a significant hole in the national data protection system. Crucial functions that this body should perform are left unfulfilled, including:
- Supervision and sanctions: the PDPA should have the authority to supervise data controllers’ compliance and impose administrative sanctions, including fines of up to 2% of annual revenue. Without the PDPA, the enforcement of these sanctions is paralyzed (Article 57 of the PDP Law).
- Cross-border transfer assessment: the PDPA is tasked with assessing the fulfillment of requirements for cross-border personal data transfers and collaborating with data protection authorities from other countries. In the context of the U.S. agreement, this role is vital to ensure that the claim of “adequate protection” is genuinely justifiable and not just a formality.
- Dispute resolution: the institution is also meant to facilitate out-of-court dispute resolution, such as mediation and non-litigation adjudication.
This institutional gap has profound and interconnected implications. The government’s claims of “strict supervision” and “reliable data governance” in the agreement with the U.S. are difficult to substantiate and lack a clear basis for execution. This creates legal uncertainty that harms data subjects. Without a functioning PDPA, law enforcement against U.S. companies becomes heavily dependent on existing mechanisms, which have significant limitations. On the other hand, this trade agreement could also be seen as a unique opportunity. The external pressure from the agreement, which requires Indonesia to finalize implementing regulations and establish the PDPA, could act as a catalyst to accelerate long-delayed domestic reforms. This places Indonesia in a dilemma: is “data sovereignty” being sacrificed to fast-track the creation of a robust internal legal framework, or will data protection remain weak until the necessary institutions are in place?
When a personal data breach occurs and the perpetrator is a foreign entity based in the United States, the legal remedies available to Indonesian citizens become more complex. Theoretically, there are several avenues one can pursue, but each has significant implementation challenges.
1. Non-Litigation Through the Personal Data Protection Authority (PDPA)
Ideally, the PDPA would be the primary gateway for dispute resolution. A data subject could file a complaint or report with the PDPA, which would then conduct an investigation and impose administrative sanctions. The PDPA would also have the authority to cooperate with data protection agencies from other countries to resolve alleged cross-border data breaches, similar to the model used by the General Data Protection Regulation (GDPR) in the European Union. As previously explained, however, this path is not yet available because the PDPA has not been established.
2. Civil and Criminal Litigation in Indonesian Courts
Based on Article 12 Paragraph (1) of the PDP Law, personal data subjects have the right to sue and receive compensation for violations of data processing. This legal position is reinforced by Article 1365 of the Civil Code concerning Unlawful Acts (PMH). In terms of jurisdiction, Article 2 of the PDP Law provides for extraterritorial reach, so Indonesian courts have the authority to adjudicate these cases as long as the impact of the damage occurs within Indonesian territory. However, technical obstacles arise at the execution stage. The absence of a reciprocal agreement between Indonesia and the U.S. means that Indonesian court decisions cannot be directly enforced in the U.S. Victims must file a new lawsuit in a U.S. court, using the Indonesian ruling as supporting evidence through the principle of comity. In addition to civil proceedings, the PDP Law also allows for criminal prosecution as stipulated in Articles 67 to 73 of the PDP Law, which prohibit the unlawful collection, disclosure, and use of data. It is important to note that Article 70 of the PDP Law explicitly regulates corporate criminal liability, which allows charges to be brought against the management, controllers, or the corporation itself. Although the principle of extraterritoriality applies, criminal law enforcement against perpetrators abroad is highly dependent on Mutual Legal Assistance (MLA) instruments and international cooperation. Practical challenges include differences in legal systems and the complexity of seizing assets or digital evidence located in foreign jurisdictions.
3. Citizen Lawsuit
As an alternative, a more relevant legal strategy in this case is a Citizen Lawsuit filed in the General Court. This mechanism provides space for citizens to sue state administrators for negligence in fulfilling the constitutional rights of citizens, including the right to personal data protection. In this case, government negligence, such as signing an agreement that recognizes the adequacy of U.S. data protection without first establishing the Personal Data Protection Authority (PDPA) mandated by the PDP Law, can be qualified as an unlawful act as stipulated in Article 1365 of the Civil Code. A Citizen Lawsuit is not intended to seek direct material compensation, but rather to encourage the government to take its obligation to protect citizens’ rights more seriously. Therefore, the petition in the lawsuit usually contains a request for the government to issue corrective policies or measures so that similar negligence does not occur in the future. The defendant in this lawsuit can be the President or the state officials responsible for personal data protection policies. The plaintiff only needs to prove that they are an Indonesian citizen, without having to demonstrate material damages. Before filing the lawsuit, the plaintiff usually sends a warning letter to the government as a reminder to fulfill its obligations promptly.
The enactment of Law No. 27 of 2022 on Personal Data Protection provides legal certainty for data governance in Indonesia. However, the dynamics of international economic cooperation, such as with the United States, show that the implementation of equivalent data protection standards still requires special attention. The designation of foreign jurisdictions as areas with adequate protection levels aims to facilitate cross-border data flows, but this must be accompanied by effective oversight mechanisms to ensure that the rights of data subjects remain protected under the framework of national digital sovereignty. In the context of risk management, practical obstacles in resolving cross-border disputes, particularly those related to the enforcement of court decisions abroad, emphasize the importance of early prevention. The legal risks that arise are often not only caused by technical obstacles, but also by a lack of thoroughness in drafting agreement clauses from the initial stages of a transaction.
Therefore, integrating personal data compliance principles into business contracts is a standard of professionalism and operational readiness for companies in facing regulatory dynamics and stakeholder expectations. Companies that prioritize the principle of prudence will ensure that every business decision involving personal data processing is supported by in-depth legal review. This proactive step is crucial to anticipate potential disputes before they develop into more complex legal issues. Ultimately, business sustainability in the digital economy era depends heavily on a company’s ability to map risks early on and place personal data protection as an integral part of its long-term business strategy, not merely as a regulatory compliance obligation.
This concludes the discussion in this article. Should you require further information or wish to discuss any part of this article, you may contact us at TRNP Law Firm for the most current details.