Between Trade and Trust: Rethinking Indonesia–US Cross-Border Personal Data Transfer

Indonesia’s move to recognise the United States as an adequate jurisdiction for personal data protection—made through a new trade deal and implemented before its own Personal Data Protection Authority and adequacy criteria are in place—raises concerns over legal legitimacy, regulatory preparedness, and data security. While the decision aims to facilitate digital trade and provide clarity for US firms, it exposes Indonesian personal data to systemic risks in the US, including corporate misuse, cybersecurity vulnerabilities, expansive surveillance laws, and a fragmented privacy regime. By contrast, the EU’s reciprocity-based and institution-driven adequacy model underscores the importance of robust safeguards and oversight in cross-border data governance. To restore regulatory credibility and protect citizens’ privacy, Indonesia should accelerate its domestic PDP framework, reconsider and temporarily suspend US adequacy status, embed data protection in future trade negotiations, and strengthen regional cooperation—ensuring that future data transfer decisions align with both national interests and global best practices.

Learn More About It Here