[Statement] Tifa Foundation Emphasizes the Importance of Guaranteeing Citizens’ Privacy Protection in the Indonesia-U.S. Trade Agreement

[Statement] The Tifa Foundation Emphasizes the Importance of Ensuring Privacy Protection for Citizens in the Indonesia-U.S. Trade Agreement

Jakarta, July 24, 2025 — The Indonesian government recently signed a reciprocal trade agreement with the United States that includes a clause regarding the cross-border transfer of personal data. By signing this agreement, the Indonesian government commits to ensuring the ability to transfer personal data from Indonesia to the United States, recognizing that the United States is a country with data protection standards that meet Indonesian legal requirements.

The Tifa Foundation believes that this agreement requires critical scrutiny, particularly regarding the protection of privacy rights, the threat of data commodification, the lack of clarity regarding adequate protection standards in the destination country, and the readiness of domestic regulations and institutions. In an increasingly globally connected digital context, personal data holds immense value and is at risk of becoming the subject of massive commercialization and monetization. Cross-border data transfers, without adequate safeguards, open the door to surveillance and the use of data beyond the control of citizens and the country of origin. The process of drafting this agreement, which has involved minimal public engagement and lacks transparency, has the potential to create various vulnerabilities for the protection of citizens’ privacy rights in Indonesia.

The Tifa Foundation has examined a number of key issues related to this agreement.

First, the cross-border data transfer provisions of the agreement open the door to potential violations of Indonesian citizens’ right to privacy without adequate protection or compensation. The right to privacy, as a fundamental right, is an essential prerequisite for safeguarding civil liberties and enabling citizens to express themselves, assemble, and associate without fear of surveillance or intimidation. This right has received increasingly robust recognition and protection through Law No. 27 of 2022 on Personal Data Protection (PDP Law), which serves as Indonesia’s primary regulation governing the management of personal data. The PDP Act mandates key principles of data protection, data subject involvement, and the obligations of data controllers and processors, complete with administrative and criminal sanctions.

Although these regulations have been enacted, the implementation and institutional readiness of data protection oversight in Indonesia still face significant challenges. The Personal Data Protection Agency, as an independent data protection oversight body, is not yet fully operational, and its mechanisms have not been comprehensively established. Similarly, secondary regulations governing the procedures for cross-border data transfers and the assessment of the adequacy of protection in the destination country are incomplete or have not been effectively implemented. This situation increases the potential risk of data commoditization and monetization if cross-border data transfers are conducted without optimal protection. The suboptimal state of governance and oversight creates loopholes for data leaks, misuse, and even mass surveillance of Indonesian citizens’ personal data.

Second, the adequacy criteria applied to the United States in this agreement raise serious concerns. In the context of cross-border data protection, an adequacy decision is a process whereby a country to which data is transferred is deemed to have data protection standards that are equivalent to or adequate for those of the sending country. These standards serve as a “legal guarantee” to ensure that data subjects’ rights remain protected when their personal data is processed abroad. The sector-specific nature of U.S. data protection standards and the lack of federal legislation do not provide an affirmative guarantee of privacy protection equivalent to Indonesia’s Personal Data Protection Law (PDP) or international standards such as the EU’s GDPR. Without concrete and transparent criteria, a unilateral adequacy determination for the U.S. creates legal risks and weakens the protection of Indonesian citizens when their data is transferred abroad. An adequacy assessment that should be substantive risks becoming a mere formality, with citizens’ rights reduced to mere administrative procedures.

Third, the negotiation process and the drafting of data transfer clauses in this trade agreement took place without adequate transparency and with minimal involvement of civil society and independent experts. The lack of public discussion has created a legitimacy gap, resulting in policies that do not fully represent the need to protect citizens’ rights. Yet, Minister of Trade Regulation No. 7 of 2021 on the Stages and Procedures for the Preparation of International Trade Agreements explicitly stipulates that during the pre-negotiation stage and the formulation of negotiating positions, the Ministry of Trade is required to gather input from relevant ministries/agencies and stakeholders before negotiations begin. This underscores the need for public consultation and the collection of substantive input on the initial draft of the agreement.

Fourth, there are clear indications of an imbalance of power and interests between the governments of the United States and Indonesia, as reflected in the content of the Indonesia-U.S. trade agreement. The structure of this agreement is dominated by trade liberalization and the economic interests of the superpower, whereby large U.S. businesses and industries gain far broader access to the Indonesian market, including the penetration of goods, services, and digital products.

In various digital trade agreements between countries in the Global North and advanced and developing countries in the Global South, data liberalization and digitalization are often included as part of a “trade package” in pursuit of short-term commercial gains. This grants large corporations access to domestic data and digital infrastructure, undermines developing countries’ sovereign control over their data, and deepens their dependence on—and potential for exploitation by—global corporations. This context demands that Indonesia remain vigilant so as not to be trapped in a global pattern where the voices and protections of developing countries are weak in the digital trade arena, and underscores the importance of negotiations that are equitable and grounded in the long-term interests of its own people.

With reference to the above notes, the Tifa Foundation emphasizes the importance of the government to:

conduct an evaluation of the provisions in the Framework Agreement on Reciprocal Trade that place the privacy rights of Indonesian citizens in a vulnerable position, particularly with regard to policies on the cross-border transfer of personal data;
promptly finalize all implementing regulations for the Personal Data Protection Act (PDPA), while conducting a comprehensive evaluation of the level of equivalence in personal data protection between Indonesia and the United States, particularly regarding the regulation of cross-border data flows;
promptly establish an independent personal data protection authority and build effective institutional capacity to address gaps in oversight and enforcement regarding the management of personal data, including cross-border data transfers; and
Ensure transparency in trade negotiation processes that may impact citizens’ rights by actively engaging civil society, independent experts, and relevant stakeholders, so that the resulting policies are grounded in accountability and the public interest and comprehensively protect the rights of citizens.

For more information about the Tifa Foundation’s position statement, please contact Debora, the Tifa Foundation’s Program Manager for Data Governance and Policy ([email protected] / 081807035447).