Indonesia-US Data Transfer: PDP Law Remains Key to Cross-Border Flows

Indonesia Affirms Data Transfer Agreement with U.S. Remains Subject to Domestic Law JAKARTA – Indonesia has clarified that its agreement with the United States regarding data transfers, formalized as part of the Agreement on Reciprocal Trade (ART) on February 19, 2026, will operate within the framework of Indonesian Law Number 27 of 2022 concerning Personal Data Protection (PDP). The agreement, detailed in Article 3.2 of Annex III – Section 3, Digital Trade and Technology – centers on Indonesia recognizing the U.S. As possessing an adequate level of data protection under Indonesian law, thereby enabling cross-border data transfer. Haryo Limanseto, spokesperson for the Coordinating Ministry for the Economy, stated the data covered by the agreement pertains to information necessary for business operations and application systems. He emphasized that cross-border data transfer is crucial infrastructure for sectors including e-commerce, digital financial services, and cloud computing. “This means there is no surrender of data sovereignty,” Limanseto said in a written statement on Monday, February 23, 2026. The Indonesian government has assured that all data transfers, whether physical, digital, or via cloud or cable transmission, will adhere to secure and reliable data governance protocols, safeguarding citizen rights. According to the law, the transfer of personal data is permissible to other controllers or processors outside of Indonesia, provided it aligns with the stipulations of the PDP Law. The clarification comes as Indonesia seeks to strengthen its position as a regional digital economic hub. Officials believe that clear regulations facilitating cross-border data processing, coupled with robust data protection measures, are essential to attract investment in data centers, cloud infrastructure, and related digital services. Article 56 of the PDP Law outlines the conditions for international data transfers. Paragraph 2 stipulates that recipient countries must have equivalent or higher personal data protection standards than those mandated by Indonesian law. If this standard is not met, the data controller must ensure the implementation of adequate and legally binding personal data protection measures. The passage of Law No. 27 of 2022, modeled in part on the European Union’s General Data Protection Regulation (GDPR), followed years of discussion beginning in 2019. The law applies to individuals, companies, public institutions, and international organizations operating within Indonesia, granting them a two-year period to achieve full compliance. It also extends to entities processing personal data outside of Indonesia that has a legal impact within the country or on Indonesian citizens abroad. The law defines roles such as “Data Controller” – the entity determining data processing purposes – and “Data Processor” – the entity carrying out processing on behalf of the controller.