By: Dhita Karuniawati )*
In the digital era, marked by the rapid growth of information and communications technology, cross-border data flows have become an integral part of global economic activity. One significant phenomenon in this context is the transfer of commercial data between Indonesia and partner countries, including the United States (US). While data transfers can open up significant economic opportunities, the Indonesian government continues to emphasize the importance of protecting its citizens’ personal data. In this regard, Law Number 27 of 2022 concerning Personal Data Protection (PDP Law) is the primary instrument for ensuring that commercial data transfers abroad, including to the US, are conducted securely, legally, and responsibly.
The PDP Law demonstrates the Indonesian government’s commitment to safeguarding national data sovereignty and guaranteeing citizens’ constitutional rights to personal data protection. In the context of commercial data transfers abroad, including to the United States, the PDP Law establishes strict mechanisms that data controllers and processors must comply with.
Minister of Communication and Digital Affairs (Menkomdigi), Meutya Hafid, stated that the Indonesia-United States trade agreement is not a free handover of personal data, but rather provides a valid, secure, and measurable legal basis for managing cross-border personal data traffic. The agreement in question can actually provide a legal basis for protecting the personal data of Indonesian citizens when using digital services provided by US-based companies, such as search engines, social media, cloud services, and e-commerce.
Meutya said that negotiations and technical discussions between the Indonesian and United States governments were still ongoing, and the agreement conveyed by the White House was still being finalized.
The data transfer process is carried out while upholding the core principles of good data governance, protecting individual rights, and upholding national legal sovereignty. It is also carried out under adequate data protection conditions under Indonesian law. The transfer of personal data across borders is permitted for legitimate, limited, and legally justifiable purposes.
The Ministry of Communication and Digital Technology cites examples of legitimate data transfer activities, including the use of search engines, data storage through cloud computing services, digital communication through social media platforms, transaction processing through e-commerce platforms, and digital research and innovation purposes.
The government emphasized that data transfers between countries remain under strict supervision by Indonesian authorities, with a precautionary principle and based on national legal provisions.
Communication and Digital Minister Meutya Hafid stated that the legal basis refers to Law Number 27 of 2022 concerning Personal Data Protection and previously, Government Regulation Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions, which explicitly regulate the mechanisms and prerequisites for sending personal data outside of Indonesian jurisdiction.
The government ensures that data transfers to the United States are not conducted haphazardly. Instead, the entire process is conducted within a reliable and secure data governance framework, without compromising citizens’ rights. With transparent and accountable governance, Indonesia will not be left behind in the dynamics of the global digital economy, while maintaining full sovereignty in the oversight and law enforcement of its citizens’ personal data.
Similarly, Deputy Minister of Communication and Digital Affairs (Komdigi), Nezar Patria, guaranteed that data transfers from Indonesia to the United States (US) comply with the mechanisms stipulated in the Personal Data Protection (PDP) Law. Therefore, Nezar urged the public to avoid misunderstandings regarding the transfer of personal data.
Nezar stated that the data transfer process to the US will be conducted according to strict standards and with the consent of the data owners. The Indonesian data that will be transferred to the US is data related to commercial aspects. For example, Indonesian data can only be tracked when they use a US-based search engine platform. This data transfer has been ongoing for some time, so it’s not a new occurrence. He is grateful that Indonesia already has a Personal Data Protection Law.
Previously, United States (US) President Donald Trump announced important points in the import tariff agreement agreed with the Indonesian Government, one of which mentioned the transfer of personal data.
In an official statement released by the White House, this is stipulated in a point regarding the removal of barriers to digital trade. The United States and Indonesia will finalize commitments related to digital trade, services, and investment. Among the commitments made by Indonesia is ensuring the ability to transfer personal data from its territory to the United States.
In an official White House statement, it was stated, “Indonesia will also provide certainty regarding the ability to transfer personal data out of its territory to the United States by recognizing that the United States is a country or jurisdiction that provides adequate data protection under Indonesian law.”
Commercial data transfers abroad, particularly to the United States, remain permitted as long as they comply with the principles of personal data protection as stipulated in the Personal Data Protection Law. The Indonesian government is committed to safeguarding data sovereignty and protecting citizens’ privacy rights through strict oversight, clear legal regulations, and international cooperation. With consistent implementation and support from all stakeholders, the Personal Data Protection Law serves as a crucial foundation for ensuring that Indonesia’s digital economic growth does not compromise individual human rights in the digital space.
*) The author is a contributor to the Indonesian Strategic Information Study Institute