The Data Deal: What the Indonesia-US Reciprocal Trade Agreement Means for Cross-Border Data Transfers
Indonesia and the United States (US) recently reached a preliminary agreement that allows the cross-border transfer of Indonesian citizens’ personal data to the US, as part of broader trade and digital cooperation discussions. This development has raised questions from business undertakings, in its interaction with Indonesia’s Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) and the implications towards businesses operation.
Current Regulatory Framework
The PDP Law is a primary regulatory framework governing personal data protection, including cross-border data transfers. To conduct cross-border data transfer (“CBDT”), the regulation provides specific tiered framework to ensure secure and compliant transfers.
Data controllers must firstly assess whether the recipient country has data protection standards equal to or higher than those of the PDP Law, known as “Adequacy of Protection”. If the recipient country does not meet this standard, controllers must implement binding safeguards (“Appropriate Safeguards”), which should be anticipated as to include contractual clauses or binding corporate rules, to ensure data security and compliance with the PDP Law. Should neither Adequacy of Protection nor Appropriate Safeguards are feasible, explicit and informed consent from the data subject (“Consent”) will be required for the CBDT.
As of July 2025, Indonesia has yet to publish an official list of countries meeting the Adequacy of Protection standard and the PDP Institution – mandated to oversee and enforce data protection regulations, including issuance of such standard – remains unestablished. Additionally, the Draft Government Regulation on Implementing Regulation of the PDP Law (“Draft GR PDP”), intended to clarify technical details such as adequacy assessments and safeguard mechanisms, remains pending, leaving interim oversight to the Indonesian Ministry of Communication and Digital (“MOCD”).
Key Points of the Indonesia–US Reciprocal Trade Agreement relating to CBDT
Indonesia and the United States recently agreed to a framework for negotiating an agreement on reciprocal trade that among other things, opens the door for the cross-border transfer of Indonesian citizens’ personal data to the US. According to the joint statement provided by the US White House on July 22, 2025, Indonesia commits to ensuring that personal data can be transferred to the US by recognizing the US as a country that provides adequate data protection under Indonesia’s law. While the main focus of the deal is to reduce reciprocal trade tariff between the countries, the inclusion of personal data transfer has raised questions because the details remain vague. So far, the public disclosures on the deal lack clarity on which types of personal data will be covered or how broad the scope will be.
The MOCD has stated that cross-border personal data transfers are permitted for legitimate, limited, and legally justifiable purposes – such as search engines, cloud storage, social media communications, e-commerce transactions, and digital research – under strict compliance with the PDP Law and Government Regulation No. 71 of 2019. To support the implementation, the Coordinating Ministry of Economic Affairs clarified that the data transferred to the US under the Indonesia-US CBDT Agreement is commercial in nature, such as transaction or market research data, not personal or strategically sensitive data.
The government stresses that CBDT to the US will follow a secure and transparent governance framework to protect citizens' rights while supporting Indonesia’s role in the global digital economy. Although the MOCD states the trade agreement will serve as a legal basis, the specific conditions and safeguards for implementation remain unclear. In the coming weeks, the US and Indonesia will finalize and sign the Reciprocal Trade Agreement and complete domestic procedures before it takes effect.
Consistency with PDP Law and Draft GR on PDP
The Indonesia-US Reciprocal Trade Agreement may serve as a foundation for conducting CBDT under the principles of Adequacy of Protection or Appropriate Safeguards. Establishing such an agreement could facilitate data transfers to the US without additional safeguards (e.g., requiring specific data protection clauses) or individual consent, resemble the approach adopted for the EU-US Data Privacy Framework that allows transfer of personal data from the EU to the US on the basis of adequacy decision.
The Draft GR PDP, whilst have not been enacted yet, provides indications as to how the government plans to regulate the requirements regarding the implementation of CBDT requirements. First, assessment of Adequacy of Protection is carried out based on whether the receiving country to have laws, supervisory authority on data protection, and international commitments offering personal data protection equal to or higher than Indonesia’s. Second, Appropriate Safeguards may be in the form of international agreements, standard contractual clauses, binding corporate rules, or other mechanisms approved by the PDP Institution, with data controllers required to document compliance.
While the framework on the Indonesia-US Reciprocal Trade Agreement refers to the US as providing ‘adequate’ data protection under Indonesian law, it does not yet clarify whether the US has been formally evaluated as providing a level of personal data protection that meets or exceeds Indonesia’s standards under the PDP Law. The PDP Institution, as the responsible authority, is expected to conduct a comprehensive assessment of U.S. laws and regulations—both federal and state—to ensure their compatibility with the PDP Law if the agreement is to be recognized as an Adequacy of Protection mechanism. Alternatively, if the agreement is to be framed as a form of Appropriate Safeguard, the PDP Institution must establish a clear enforcement framework for the authorities against any violations towards undertakings within their respective jurisdictions.
Practical Implications & What Businesses Should Do Next
The recent Indonesia-US Reciprocal Trade Agreement provisions on CBDT may benefit both existing and future data transfer arrangements by businesses. For businesses already transferring data to the US, the agreement’s potential adequacy recognition could provide greater legal certainty and clarity, establishing justification that their existing data transfer practices are already in line with applicable regulations.
For businesses planning new transfer of personal data to the US, it is crucial to assess the nature of the data involved, understand any limitations, and closely monitor the agreement’s implementation. Premature reliance on the CBDT provisions without clear regulatory guidance may lead to compliance gaps or enforcement risks. To mitigate this, businesses should proactively conduct due diligence, ensuring appropriate contractual or other safeguards with the data recipient, and stay informed on regulatory developments. Remaining alert to future guidance from Indonesian authorities will be key to ensuring lawful and secure CBDT practices.
However, it is still important for business undertakings to remain vigilant and always apply the appropriate personal data protection measures beyond merely to comply with the minimum legal requirements, but also to improve reliability and trust from the public.
By partner Agus Ahadi Deradjat (aderadjat@abnrlaw.com), senior associate Mahiswara Timur (mtimur@abnrlaw.com), associate Vanessa Nethania (vnethania@abnrlaw.com), and trainee associate Alda Eunique.
This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.
More Legal Updates
- 14 Aug 2025 “What does it really take to become a corporate lawyer?”
- 11 Aug 2025 2-Year Rule and Abandoned Land: Authority, Process, and Consequences
- 04 Aug 2025 Breaking Barriers in the Courtroom: ABNR’s Ulyarta Naibaho Named to ALB Asia Super 50 Disputes Lawyers 2025
- 29 Jul 2025 ABNR Advises PT Samudera Indonesia Tbk (SMDR) on IDR500 Billion Phase II Sukuk Ijarah Issuance for Strategic Maritime Expansion
- 21 Jul 2025 Empowering Indonesia’s Rail Future: ABNR Acts on Landmark Financing for KAI’s Fleet Modernization
- 24 Jun 2025 ABNR Named Best Full-Service Law Firm in Indonesia by Hukumonline
NEWS DETAIL
18 Aug 2025
The Data Deal: What the Indonesia-US Reciprocal Trade Agreement Means for Cross-Border Data Transfers
Indonesia and the United States (US) recently reached a preliminary agreement that allows the cross-border transfer of Indonesian citizens’ personal data to the US, as part of broader trade and digital cooperation discussions. This development has raised questions from business undertakings, in its interaction with Indonesia’s Law No. 27 of 2022 on Personal Data Protection (“PDP Law”) and the implications towards businesses operation.
Current Regulatory Framework
The PDP Law is a primary regulatory framework governing personal data protection, including cross-border data transfers. To conduct cross-border data transfer (“CBDT”), the regulation provides specific tiered framework to ensure secure and compliant transfers.
Data controllers must firstly assess whether the recipient country has data protection standards equal to or higher than those of the PDP Law, known as “Adequacy of Protection”. If the recipient country does not meet this standard, controllers must implement binding safeguards (“Appropriate Safeguards”), which should be anticipated as to include contractual clauses or binding corporate rules, to ensure data security and compliance with the PDP Law. Should neither Adequacy of Protection nor Appropriate Safeguards are feasible, explicit and informed consent from the data subject (“Consent”) will be required for the CBDT.
As of July 2025, Indonesia has yet to publish an official list of countries meeting the Adequacy of Protection standard and the PDP Institution – mandated to oversee and enforce data protection regulations, including issuance of such standard – remains unestablished. Additionally, the Draft Government Regulation on Implementing Regulation of the PDP Law (“Draft GR PDP”), intended to clarify technical details such as adequacy assessments and safeguard mechanisms, remains pending, leaving interim oversight to the Indonesian Ministry of Communication and Digital (“MOCD”).
Key Points of the Indonesia–US Reciprocal Trade Agreement relating to CBDT
Indonesia and the United States recently agreed to a framework for negotiating an agreement on reciprocal trade that among other things, opens the door for the cross-border transfer of Indonesian citizens’ personal data to the US. According to the joint statement provided by the US White House on July 22, 2025, Indonesia commits to ensuring that personal data can be transferred to the US by recognizing the US as a country that provides adequate data protection under Indonesia’s law. While the main focus of the deal is to reduce reciprocal trade tariff between the countries, the inclusion of personal data transfer has raised questions because the details remain vague. So far, the public disclosures on the deal lack clarity on which types of personal data will be covered or how broad the scope will be.
The MOCD has stated that cross-border personal data transfers are permitted for legitimate, limited, and legally justifiable purposes – such as search engines, cloud storage, social media communications, e-commerce transactions, and digital research – under strict compliance with the PDP Law and Government Regulation No. 71 of 2019. To support the implementation, the Coordinating Ministry of Economic Affairs clarified that the data transferred to the US under the Indonesia-US CBDT Agreement is commercial in nature, such as transaction or market research data, not personal or strategically sensitive data.
The government stresses that CBDT to the US will follow a secure and transparent governance framework to protect citizens' rights while supporting Indonesia’s role in the global digital economy. Although the MOCD states the trade agreement will serve as a legal basis, the specific conditions and safeguards for implementation remain unclear. In the coming weeks, the US and Indonesia will finalize and sign the Reciprocal Trade Agreement and complete domestic procedures before it takes effect.
Consistency with PDP Law and Draft GR on PDP
The Indonesia-US Reciprocal Trade Agreement may serve as a foundation for conducting CBDT under the principles of Adequacy of Protection or Appropriate Safeguards. Establishing such an agreement could facilitate data transfers to the US without additional safeguards (e.g., requiring specific data protection clauses) or individual consent, resemble the approach adopted for the EU-US Data Privacy Framework that allows transfer of personal data from the EU to the US on the basis of adequacy decision.
The Draft GR PDP, whilst have not been enacted yet, provides indications as to how the government plans to regulate the requirements regarding the implementation of CBDT requirements. First, assessment of Adequacy of Protection is carried out based on whether the receiving country to have laws, supervisory authority on data protection, and international commitments offering personal data protection equal to or higher than Indonesia’s. Second, Appropriate Safeguards may be in the form of international agreements, standard contractual clauses, binding corporate rules, or other mechanisms approved by the PDP Institution, with data controllers required to document compliance.
While the framework on the Indonesia-US Reciprocal Trade Agreement refers to the US as providing ‘adequate’ data protection under Indonesian law, it does not yet clarify whether the US has been formally evaluated as providing a level of personal data protection that meets or exceeds Indonesia’s standards under the PDP Law. The PDP Institution, as the responsible authority, is expected to conduct a comprehensive assessment of U.S. laws and regulations—both federal and state—to ensure their compatibility with the PDP Law if the agreement is to be recognized as an Adequacy of Protection mechanism. Alternatively, if the agreement is to be framed as a form of Appropriate Safeguard, the PDP Institution must establish a clear enforcement framework for the authorities against any violations towards undertakings within their respective jurisdictions.
Practical Implications & What Businesses Should Do Next
The recent Indonesia-US Reciprocal Trade Agreement provisions on CBDT may benefit both existing and future data transfer arrangements by businesses. For businesses already transferring data to the US, the agreement’s potential adequacy recognition could provide greater legal certainty and clarity, establishing justification that their existing data transfer practices are already in line with applicable regulations.
For businesses planning new transfer of personal data to the US, it is crucial to assess the nature of the data involved, understand any limitations, and closely monitor the agreement’s implementation. Premature reliance on the CBDT provisions without clear regulatory guidance may lead to compliance gaps or enforcement risks. To mitigate this, businesses should proactively conduct due diligence, ensuring appropriate contractual or other safeguards with the data recipient, and stay informed on regulatory developments. Remaining alert to future guidance from Indonesian authorities will be key to ensuring lawful and secure CBDT practices.
However, it is still important for business undertakings to remain vigilant and always apply the appropriate personal data protection measures beyond merely to comply with the minimum legal requirements, but also to improve reliability and trust from the public.
By partner Agus Ahadi Deradjat (aderadjat@abnrlaw.com), senior associate Mahiswara Timur (mtimur@abnrlaw.com), associate Vanessa Nethania (vnethania@abnrlaw.com), and trainee associate Alda Eunique.
This ABNR News and its contents are intended solely to provide a general overview, for informational purposes, of selected recent developments in Indonesian law. They do not constitute legal advice and should not be relied upon as such. Accordingly, ABNR accepts no liability of any kind in respect of any statement, opinion, view, error, or omission that may be contained in this legal update. In all circumstances, you are strongly advised to consult a licensed Indonesian legal practitioner before taking any action that could adversely affect your rights and obligations under Indonesian law.