In the US, data brokers under relatively lax federal oversight. As long as user consent is technically granted, often through vague or bundled terms of service, companies can collect, analyze and resell consumer data in states that lack strong privacy laws. While certain federal laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA) do restrict how medical and financial data is handled, no comprehensive framework exists to protect general behavioral or preference-based data.

Economic Affairs Coordinating Minister Airlangga Hartarto has sought to reassure the public that US data centers managing Indonesian data are subject to Indonesia’s Law No. 27/2022 on Personal Data Protection (PDP) and Government Regulation No. 82/2012 on electronic system operators (PSE). Under the PDP Law, personal data, including usage patterns and behavior, cannot be sold to third parties, regardless of whether the user has given consent.

The unanswered question, however, is how this would be enforced. The government claims that Indonesia’s PDP Law has extraterritorial applicability. This would imply that there is a binding mechanism that forces US data operators to uphold Indonesian privacy rules. However, this has not been included in any of the documentation as part of the US-Indonesia trade agreement.

Once a data center or data operator is registered as a PSE, Indonesian authorities would theoretically have the right to perform audits. Yet, even before the signing of this trade agreement, Indonesia had not yet formed the Personal Data Protection Authority (PDPA) as mandated by the PDP Law. Without this regulatory body in place, the data protection compliance mechanism is incomplete, both at home and abroad.

The US does, to a degree, regulate the buying and selling of consumer data. A number of states, including California, Colorado and Virginia, have enacted consumer privacy laws that require transparency, opt-out rights or even outright bans on certain forms of data sales. Additionally, the Federal Trade Commission (FTC) has broad authority to prosecute companies engaging in unfair or deceptive data practices.

Viewpoint

Every Thursday

Whether you're looking to broaden your horizons or stay informed on the latest developments, "Viewpoint" is the perfect source for anyone seeking to engage with the issues that matter most.

View More Newsletter

By registering, you agree with The Jakarta Post's Privacy Policy

Sign Up

Thank You

for signing up our newsletter!

Please check your email for your newsletter subscription.

View More Newsletter

However, despite these protections, the US continues to experience significant privacy scandals even after the high-profile Cambridge Analytica incident in 2018. Data breaches, unauthorized profiling and opaque third-party sharing agreements remain relatively common in the US, partially due to how significantly it supports the country’s digital economy. Recent examples include the ongoing Clearview AI scandal, whereby the US based company scraped billions of images from public websites without user consent to build a facial recognition database.

Popular

'Kebaya': Living history, modern elegance

NASA astronauts depart space station after five-month mission

Bali immigration forms a special task force to crack down on unruly tourists