In the recent bilateral trade deal between Indonesia and the United States, hailed by the White House as a “historic trade deal,” much attention has focused on tariff reductions in industry and agriculture.
Yet, embedded in this trade deal is a more controversial element: data governance. A key point allowed for cross-border data transfer (“CBDT”) from Indonesia to the United States, which has triggered heated debate due to the comparatively loose data protection landscape in the US.
According to the Indonesian government, this recognition enables the transfer of personal data by classifying the US as a jurisdiction that offers “adequate” data protection under Indonesia’s law.
The Coordinating Ministry of Economic Affairs clarified that the agreement covers commercial data such as transaction and market research, not sensitive personal or strategic data. Yet, the absence of public scrutiny and comprehensive enforcement mechanisms raises legitimate concerns.
Indonesia’s Personal Data Protection Law (PDP Law), enacted in 2022, provides the legal backbone for personal data management and cross-border transfers. It establishes a three-tiered framework: first, CBDTs must assess whether the receiving country offers protection equivalent to the PDP Law (Adequacy of Protection).
If this standard is not met, companies must implement appropriate safeguards, such as standard contractual clauses or binding corporate rules.
If neither option is viable, CBDT can only occur with the data subject’s explicit, informed consent. Even with the government-to-government agreement in place, the law still requires these safeguards to be satisfied.
Latest stories
Nvidia’s H200 chips could be ‘sugar-coated bullets’ for China
Statehood issue again could block Israel, Arabs from making nice
‘I Deliver Parcels in Beijing’ depicts grueling gig-economy toil
In practice, this means Indonesia’s recognition of the US cannot be a blanket waiver. Each data controller must evaluate case-by-case compliance to ensure that the citizens’ rights are not diluted in the name of trade diplomacy.
Global frameworks offer valuable lessons. The European Union’s General Data Protection Regulation (GDPR) ensures that protections “travel” with the data. Transfers to non-EU countries require either “Adequacy Decision” or “Appropriate Safeguards.”
Lacking both, derogations like explicit consent can be used, but only with clear communication of the risk involved. This also applies when data is transferred to non-EU countries (hereinafter referred to as “third country”).
China takes a more centralized approach. Under the Personal Information Protection Law (PIPL), companies must conduct a Personal Information Impact Assessment (PIIA) and use approved mechanisms, such as Cybersecurity Administration of China (CAC) contracts, certification or legal exemptions. Recipients must meet China’s standards, with continuous oversight and separate, explicit consent from the data subject.
Regulations on international data transfers have a major influence on the global economy. If data becomes fully fragmented, global GDP could shrink by 4.5% and exports by 8.5%. On the other hand, having no regulations might reduce trade costs but also erode trust.
The most effective approach appears to be open data systems with proper safeguards, which could increase global GDP by 1.77% and exports by 3.6%, especially benefitting low-income nations.
While geoeconomic fragmentation still has negative effects, they are less severe than total fragmentation. International collaboration that supports both data flow and trust can lead to stronger economic performance worldwide.
The recent Indonesia-US Trade Agreement provisions on CBDT may benefit both existing and future data transfer arrangements by businesses.
For businesses already transferring data to the US, the agreement’s potential adequacy recognition could provide greater legal certainty and clarity, establishing justification that their existing data transfer practices are in line with applicable regulations.
However, risks to data transfer and use remain, and it is therefore necessary to adhere to the existing regulatory framework while considering the interests of data owners on a case-by-case basis.
The private sector must assess data types, understand limitations and monitor the implementation of new US data transfer agreements. Relying on CBDT provisions without clear guidance risks non-compliance. To mitigate this, companies should conduct due diligence, ensure safeguards with data recipients and track regulatory updates.
Sign up for one of our free newsletters
- The Daily Report Start your day right with Asia Times' top stories
- AT Weekly Report A weekly roundup of Asia Times' most-read stories
The government must offer clear rules to ensure compliance with the PDP Law and build public trust. Legal certainty is essential for attracting investment, especially in uncertain times. While US relations matter, adherence to the rule of law will shape global trust.
The government must avoid the trap of treating data as mere numbers to exchange at will. As mathematician Clive Humby famously said, “data is the new oil,” and just like oil, if mishandled, it can pollute institutions, economies and democracies.
Indonesia must move beyond symbolic recognition to a rule-based, rights-centric digital trade policy. This means insisting on adequate protections, transparency in government negotiations and accountability in private sector implementation.
Amid intensifying global competition and fragmentation, a consistent and coherent approach to data governance will anchor Indonesia’s credibility and sovereignty in the digital age.
Randy Taufik (LL.M.,MPP) is legal counsel and University of Oxford alumni specializing in corporate and tech law.
Ahmad Novindri Aji Sukma (LL.M.,M.Phil) is a regulatory compliance lawyer based in London and PhD researcher at the University of Cambridge.
Sign up here to comment on Asia Times stories
Sign in with Google Or Sign up Sign in to an existing account
Thank you for registering!
An account was already registered with this email. Please check your inbox for an authentication link.
Ahmad Novindri Aji Sukma
The writer studied international business and economic law at Georgetown University Law Center under LPDP scholarship. He is passionate about the issue of anti-corruption, money-laundering, and asset recovery.
More by Ahmad Novindri Aji Sukma