The United States and Indonesia have agreed on a new framework for a reciprocal trade agreement that includes provisions on digital trade and cross-border data flows. As part of the deal, Indonesia is expected to recognize the U.S. as providing "adequate" personal data protection, paving the way for unrestricted data transfers to U.S. servers.

In a joint statement and accompanying fact sheet released by the White House on July 22, 2025, the U.S. highlighted the removal of digital trade barriers and its expectation that Indonesia ensures legal certainty on data transfers.

Civil society group, Institute for Policy Research and Advocacy (ELSAM) has urged the Indonesian government to review the data provisions in the deal, warning that it may violate the Personal Data Protection Law (UU PDP) and expose Indonesian citizens to serious privacy risks.

“Personal data of Indonesian citizens is not a commodity,” said ELSAM researcher Parasurama Pamungkas on July 24. “The government must ensure that data transfers respect the principles of data justice and rights-based governance, not business interests of foreign companies.”

ELSAM raised several concerns:

• Lack of legal parity: The U.S. does not recognize privacy as a fundamental right and lacks a comprehensive data protection framework comparable to Indonesia’s UU PDP
• Surveillance risks: The agreement opens the door to mass surveillance under Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA), which permits U.S. intelligence agencies to access foreign data stored on American servers.
• No independent oversight: Indonesia has yet to establish a Personal Data Protection Authority (BPDP), which is vital to assess data transfer requests and enforce compliance with the PDP Law.

The deal’s implications echo the precedent set by the European Court of Justice in the 2020 Schrems II ruling, which invalidated the EU-U.S. Privacy Shield due to similar surveillance concerns. ELSAM fears that by signing this deal, Indonesia is exposing its citizens to the same risks without equivalent safeguards.

“This agreement was negotiated behind closed doors and prioritizes foreign business interests over the privacy rights of Indonesian citizens,” Pamungkas said. “Without strong oversight mechanisms and legal safeguards, we are jeopardizing national digital sovereignty.”

To address these issues, ELSAM has demanded:

• Immediate evaluation of the Indonesia-U.S. trade deal’s data protection provisions.
• Prompt formation of an independent Personal Data Protection Authority.
• Finalization of implementing regulations under the PDP Law, with clear criteria for cross-border data flows.
• Parliamentary oversight and inquiry into the government’s handling of the agreement.
• Clear accountability and harmonization of sectoral regulations governing data transfers.

Indonesia’s current approach to data governance remains fragmented across multiple sectors, with overlapping and sometimes contradictory requirements. ELSAM warns that the new agreement risks undermining this already fragile system by removing safeguards, particularly in sensitive sectors like health, finance, and public administration.

“The government must act now to prevent irreversible damage to our data protection regime,” Pamungkas said. “We need regulation that centers the people’s rights, not foreign commercial gain.”