Data Transfers to the United States Remain Subject to Indonesian Regulations

The government has affirmed that data transfer processes agreed upon in the Agreement on Reciprocal Trade (ART) between Indonesia and the United States remain subject to domestic regulations. The relevant domestic regulation is Law Number 27 of 2022 on Personal Data Protection (PDP).

Data transfer is one of the commitments signed by Indonesia and the United States on 19 February 2026. The data transfer provisions are set out in Article 3.2: Data Transfers, under Annex III: Specific Commitments, Section 3. Digital Trade and Technology.

The article states that Indonesia will provide certainty regarding the ability to transfer personal data outside its territory to the United States by recognising the country as a jurisdiction that provides adequate data protection under Indonesian law.

Spokesperson for the Coordinating Ministry for Economic Affairs Haryo Limanseto explained that the data referred to in the agreement pertains to data required for business operations or application systems. According to Haryo, cross-border data transfer is a key piece of infrastructure for e-commerce, digital financial services, cloud computing, and other digital services. “This means there is no surrender of data sovereignty,” Haryo said, as quoted from a written statement on Monday, 23 February 2026.

Haryo assured that the process of transferring data, whether physically or digitally through cloud transmission and cables, would be carried out within a framework of secure and reliable data governance. This process, he said, would be conducted without compromising citizens’ rights.

He considers that regulatory certainty on data transfers can strengthen Indonesia’s position as a digital economy hub in the region. Haryo explained that global technology companies require regulations that facilitate cross-border data processing with adequate data protection. “With credible governance, Indonesia can attract investment in data centres, cloud infrastructure, and other digital services,” he said.

The PDP Act does not prohibit the transfer of personal data from Indonesia overseas. The regulation governing data transfers is contained in Article 56. Paragraph 1 states that Personal Data Controllers may transfer personal data to controllers or processors of personal data outside Indonesian jurisdiction in accordance with the provisions of the law.

Article 56 paragraph (2) stipulates that personal data controllers must ensure that the country where the receiving controller and/or processor of personal data is domiciled has personal data protection that is equivalent to or higher than that provided under the PDP Act. If this condition is not met, the personal data controller must ensure that adequate and binding personal data protection measures are in place.