The Fate of 280 Million Indonesians' Data at the Mercy of Trade Agreements

Beyond the tariff negotiations and investment figures, there exists a less visible but far more consequential concern: the fate of the personal data of 280 million Indonesians under the recently signed Indonesia–United States trade agreement.

The “Agreement on Reciprocal Trade” (ART) contains two clauses that directly undermine the digital regulatory foundation Indonesia has recently established. First, it prohibits Indonesia from requiring US companies to store or process data within Indonesian territory. Second, it obligates Indonesia to acknowledge that the United States possesses adequate data protection standards according to Indonesian law—effectively predetermining the outcome of the adequacy assessment mechanism mandated by the Personal Data Protection Law (Law No. 22 of 2022). These clauses are not merely about tariffs; they concern national sovereignty.

That said, the agreement does bring legitimate tangible benefits: reducing export tariffs from 32 per cent to 19 per cent provides significant trade advantages for Indonesia’s manufacturing sector.

Previously, Indonesia required digital companies operating within its borders to store data domestically for certain data categories. Government Regulation on Electronic System Operators No. 71 of 2019, Article 20 paragraph (2) mandates the management, processing, and storage of public electronic systems within Indonesian territory. Bank Indonesia takes a firmer stance: Regulation No. 23/6/PBI/2021 Article 48 paragraph (4) requires transaction processing systems to be housed in data centres within Indonesian jurisdiction. Similar provisions appear in the Financial Services Authority’s Regulation (POJK 11/2022) Article 35 paragraph (1) for banking operations.

The ART clause reverses this logic. Google, Meta, and other US platforms no longer need to maintain servers in Indonesia—user data from Indonesia can be stored in Virginia or Oregon.

The implications are tangible: bank customer data, fintech transactions, and Indonesians’ digital medical records could potentially be stored in different jurisdictions and subject to foreign law. Most concerning is the applicability of the CLOUD Act (Clarifying Lawful Overseas Use of Data Act), which enables the US government to access data held by American companies globally—including data of Indonesian citizens. Beyond this, data flowing to the United States is also subject to FISA Section 702, which permits US intelligence access to foreign nationals’ data without equivalent protection guarantees.

Three layered risks emerge immediately.

Article 56 of the Personal Data Protection Law stipulates that Indonesian citizens’ personal data may only be transferred abroad if the destination country demonstrates equivalent or higher protection standards. This mechanism was designed following the European GDPR model and represents one of Indonesia’s most important digital regulatory achievements. The process intended to serve as an objective oversight tool risks becoming an administrative formality with predetermined outcomes.

The United States does not possess comprehensive federal data protection legislation. Its protections are sectoral: HIPAA for health data, Gramm-Leach-Bliley for finance, and CCPA applicable only in California. The ambiguity in Article 3.2 of the ART concerning “transfer of data across trusted borders with appropriate protection” adds further uncertainty—whether this constitutes automatic adequacy recognition or leaves room for interpretation remains unclear, necessitating renegotiation for more protective textual certainty.