US-Indonesia trade deal concerns, private data commercialization

Through a recent reciprocal trade agreement between the United States and Indonesia, the Indonesian government has officially recognized the US as a jurisdiction with “adequate data protection.” This designation creates a legal pathway for the transfer of personal data from Indonesia to the US, effectively sidestepping existing data localization requirements by treating US-based entities, including data brokers, as equivalent to Indonesian data operators. As the US remains the global center for data brokerage, experts warn that this move could legitimize the large-scale commercialization of Indonesian personal data.

In the US, data brokers under relatively lax federal oversight. As long as user consent is technically granted, often through vague or bundled terms of service, companies can collect, analyze and resell consumer data in states that lack strong privacy laws. While certain federal laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) do restrict how medical and financial data is handled, no comprehensive framework exists to protect general behavioral or preference-based data.

Economic Affairs Coordinating Minister Airlangga Hartarto has sought to reassure the public that US data centers managing Indonesian data are subject to Indonesia’s Law No. 27/2022 on Personal Data Protection (PDP) and Government Regulation No. 82/2012 on electronic system operators (PSE). Under the PDP Law, personal data, including usage patterns and behavior, cannot be sold to third parties, regardless of whether the user has given consent.

The unanswered question, however, is how this would be enforced. The government claims that Indonesia’s PDP Law has extraterritorial applicability. This would imply that there is a binding mechanism that forces US data operators to uphold Indonesian privacy rules. However, this has not been included in any of the documentation as part of the US-Indonesia trade agreement.

Once a data center or data operator is registered as a PSE, Indonesian authorities would theoretically have the right to perform audits. Yet, even before the signing of this trade agreement, Indonesia had not yet formed the Personal Data Protection Authority (PDPA) as mandated by the PDP Law. Without this regulatory body in place, the data protection compliance mechanism is incomplete, both at home and abroad.

The US does, to a degree, regulate the buying and selling of consumer data. A number of states, including California, Colorado and Virginia, have enacted consumer privacy laws that require transparency, opt-out rights or even outright bans on certain forms of data sales. Additionally, the Federal Trade Commission (FTC) has broad authority to prosecute companies engaging in unfair or deceptive data practices.

However, despite these protections, the US continues to experience significant privacy scandals even after the high-profile Cambridge Analytica incident in 2018. Data breaches, unauthorized profiling and opaque third-party sharing agreements remain relatively common in the US, partially due to how significantly it supports the country’s digital economy. Recent examples include the ongoing Clearview AI scandal, whereby the US based company scraped billions of images from public websites without user consent to build a facial recognition database.

On the other hand, it can also be argued that the current context, whereby digital trade is a core element of the US-Indonesia joint agreement, provides a unique opportunity. Communications and Digital (Komdigi) Minister Meutya Hafid argue that the deal now creates the legal basis to protect the private data of Indonesians using US services. In modern day-to-day activities, it is difficult to avoid using services from Google and Amazon, which require the user to provide personal data to use. This has inevitably led to the private data of Indonesians to be processed, stored or transferred overseas, beyond the reach of Indonesian oversight.

In this light, the recognition of the US as a jurisdiction with “adequate data protection” can be reframed not merely as a concession, but as a lever for regulatory influence. By establishing a legal basis for cross-border data transfers, Indonesia now has the grounds to demand adherence to its own privacy standards, including consent, purpose limitation and restrictions on onward transfers.

Still, for this opportunity to materialize, it will require more than legal recognition. It calls for clear cross-border enforcement protocols. If the future Indonesian Personal Data Protection Authority (PDPA) is to play an effective role in the context of cross-border personal data flows, especially under the new US-Indonesia reciprocal trade agreement, its authority would likely need to be acknowledged, formally or informally, by both countries.