Background: The Indonesia-US Reciprocal Trade Agreement

The United States and Indonesia have agreed to a framework for a Reciprocal Trade agreement, aiming to eliminate digital trade barriers. A key component of this agreement stipulates Indonesia’s obligation to transfer its citizens’ personal data to the United States. This clause has sparked significant debate and concern among Indonesian human rights organizations, legal experts, and government officials.

The White House, in an official statement released on July 23, 2025, indicated that Indonesia would recognize adequate data protection in the U.S. and ensure the transfer of personal data abroad, including to the U.S. This recognition is notably contentious given the lack of comprehensive federal data protection regulations in the United States.

Komnas HAM’s Concerns and Legal Framework

The National Commission on Human Rights (Komnas HAM) has strongly urged the Indonesian government to prioritize the protection of its citizens’ personal data within the context of this trade agreement. Komnas HAM Chair Anis Hidayah emphasized that the right to personal data protection is a essential human right, and the government has a responsibility to uphold it.

This right is enshrined in several Indonesian legal instruments, including:

• The Constitution of Indonesia
• Law Number 39 of 1999 concerning Human Rights
• The International Covenant on civil and Political Rights (ICCPR), ratified as Law number 12 of 2005
• Law Number 27 of 2022 concerning Personal Data Protection

“Komnas HAM emphasizes the importance of the government to have sovereignty over digital data, including ensuring the protection of Indonesian citizens’ personal data as human rights,” Anis stated on August 22, 2025. The commission warned of the potential for misuse and leakage of sensitive citizen data.

Criticism and Concerns from Civil Society

The trade agreement’s data transfer clause has drawn criticism from various civil society organizations. Director of Imparsial, Ardi Manto Adiputra, argued that personal data should not be a commodity in trade or economic agreements.”The sovereignty of personal data is part of state sovereignty. President Prabowo is potentially surrendering it to foreign parties,” he stated on July 24, 2025.

The National Association of Information and Dialogue Technology Entrepreneurs (APTIKNAS) also weighed in, reminding the government that any transfer of personal data to the U.S. must fully comply with Indonesia’s Personal Data Protection (PDP) Law.

Alfons tanujaya, Chair of APTIKNAS’s Permanent Committee on cybersecurity Vigilance, stressed the need for stringent requirements.”If the Indonesian government allows public data to be managed or stored in the United States, there must be minimum requirements, namely that the U.S. companies must comply with Indonesian PDP Law and be audited by the PDP Commission,” he explained.

Data security Requirements and International Practices

APTIKNAS further emphasized the necessity of data encryption and explicit consent for access to transferred data. They also called for bilateral agreements to prevent misuse of data by foreign authorities. Alfons Tanujaya highlighted that data security is not solely dependent on the location of storage but rather on the discipline and methods employed for data management.

Minister of Communication and Digital Meutya Hafid assured the public that the transfer of data abroad is explicitly regulated by Indonesian law, specifically Law Number 27 of 2022 concerning Personal Data Protection and Government Regulation Number 71 of 2019 concerning the Implementation of Electronic Systems and Transactions. She stated that these regulations guarantee secure and reliable data governance while protecting citizen rights.

Meutya Hafid also pointed out that cross-border data transfers are a common practice among G7 nations – the U.S., Canada, Japan, Germany, France, Italy, and the United Kingdom – and are conducted securely and reliably. “The flow of data between countries is still carried out under the strict supervision of the Indonesian authorities, with caution and based on national laws,” she affirmed.

Understanding Indonesia’s PDP Law

Law number 27 of 2022 concerning Personal Data Protection (PDP) is Indonesia’s primary legislation governing the processing of personal data. Key provisions include:

Violations of the PDP Law can result in significant fines and other penalties.

Frequently Asked Questions

What is personal data?

Personal data refers to any information relating to an identified or identifiable natural person. This includes names, addresses, identification numbers, online identifiers, and more.

Why is data sovereignty important?

Data sovereignty refers to the idea that data is subject to the laws and governance structures of the nation within whose borders it is collected.It’s crucial for protecting privacy, national security, and economic interests.

What are the potential risks of transferring data to the US?

Without adequate safeguards, data transferred to the US could be subject to surveillance by US authorities, potentially violating Indonesian citizens’ privacy rights. The lack of a comprehensive federal data protection law in the US also raises concerns about accountability.

What is Indonesia doing to protect its citizens’ data?

Indonesia has enacted Law Number 27 of 2022 concerning Personal Data Protection,which regulates the processing and transfer of personal data. The government is also emphasizing the need for stringent safeguards in the trade agreement with the US.