TheJakartaPost
Please Update your browser
Your browser is out of date, and may not be compatible with our website. A list of the most popular web browsers can be found below.
Just click on the icons to get to the download page.
Popular Reads
Top Results
No results found. Please check your search term and try again
Can't find what you're looking for?
View all search results
Popular Reads
Top Results
No results found. Please check your search term and try again
Can't find what you're looking for?
View all search resultsDid we just sell our privacy to the US?
Has Indonesia, by agreeing to allow personal data transfers to the United States under the new trade framework, effectively compromised its citizens’ privacy and undermined its own data sovereignty, especially in the absence of fully operational privacy institutions and enforceable safeguards?
Change text size
Gift Premium Articles
to Anyone
Share the best of The Jakarta Post with friends, family, or colleagues. As a subscriber, you can gift 3 to 5 articles each month that anyone can read—no subscription needed!
(-/-) (JP/T. Sutanto)
A
recent White House press release, "Fact Sheet: The United States and Indonesia Reach Historic Trade Deal," highlights a significant development regarding cross-border data transfer. Under the "Removing Barriers for Digital Trade" section, it states that Indonesia will recognize the US as a country or jurisdiction providing "adequate data protection" under Indonesian law.
This recognition aims to provide certainty for transferring personal data from Indonesia to the US. While American companies have sought these reforms for years, it is crucial to understand that this is not simply about "transferring" all Indonesian citizens' personal data to the US. Instead, it signifies that US tech companies are expected to act as personal data controllers compliant with Indonesia's Law No. 27/2022 on Personal Data Protection.
This raises a critical question: what does Indonesian law actually say about cross-border data transfer? According to Law 27/2022, such transfers are permitted only if the receiving country offers an adequate or higher level of data protection, there is explicit consent from the data subject and the transfer is based on binding contracts ensuring data protection.
Furthermore, the Indonesian government is responsible for overseeing the implementation of personal data protection, and Article 58 mandates that personal data controllers transferring data overseas must ensure legal and technical guarantees, subject to supervision by a yet-to-be-established Data Protection Authority.
Given this context, what can Indonesia learn from global best practices, and what is truly at stake if this deal comes into force?
Indonesia can draw valuable lessons from the European Union's cautious and rights-based approach to cross-border data transfers, particularly through the landmark Schrems I and II rulings by the Court of Justice of the European Union (CJEU). In both cases, the court invalidated data transfer frameworks between the EU and the US, Safe Harbor in 2015 and Privacy Shield in 2020. The primary reason for these annulments was that US surveillance laws, such as FISA Section 702, allowed excessive government access to personal data without sufficient safeguards or legal remedies for non-US citizens.
These decisions underscore the EU's firm stance that any third country receiving personal data must uphold a level of protection comparable to the EU's General Data Protection Regulation (GDPR).
