The pitfalls of Indonesia’s personal data transfer commitment to the US
The deal is risky and potentially self-defeating. Here’s why.
This op-ed reflects the author’s own analysis and views and does not necessarily represent those of The Reformist.

Say you get a notification that your email or digital wallet was accessed by an unknown device. You’d panic: who has your data, and from where?
Now imagine that your personal data, stored in Indonesia, is legally transferred (potentially without your knowledge) to servers in California, where entirely different privacy laws apply. This scenario is unfortunately not hypothetical.
In July 2025, the White House published a Joint Statement on the Framework for United States–Indonesia Agreement on Reciprocal Trade. Buried in it was a critical line: “Indonesia will provide certainty regarding the ability to transfer personal data out of its territory to the United States.” This wasn’t a passing remark; it was posted on an official US government website, signaling a binding commitment in Washington’s eyes.
But here’s the problem: Indonesia isn’t institutionally ready to uphold that promise. The government has yet to establish a national data protection authority—the very body responsible for reviewing and approving cross-border data transfers. The result is a legal vacuum, where international commitments outpace domestic safeguards.
To understand the stakes, it helps to look at what Indonesia’s existing law on personal data protection actually requires.
What the PDP Law requires
Indonesia’s Personal Data Protection (PDP) Law (no. 27/2022) was a major step in building a legal foundation for privacy in the digital age, establishing a framework for how personal data is collected, stored, processed, and transferred. A key feature is its regulation of cross-border data transfers.
Article 56 of the law states that personal data may only be transferred to another country if that country has a level of protection that is equal to or higher than Indonesia’s. Alternatively, such transfers require an international agreement or special approval following a government assessment. This is not a mere formality; it is a safeguard to protect Indonesian citizens from having their data sent to jurisdictions with weaker privacy rights.
In global privacy law, this is known as the principle of adequacy, a standard used by many countries to prevent legal risks when data crosses borders.
However, meeting this requirement is not automatic. It requires a designated institution to review the recipient country’s legal system and determine its level of protection before a transfer can proceed.
In Indonesia’s case, this role belongs to a national data protection authority that does not yet exist. As long as this institution is absent, any attempt to permit data transfers abroad rests on a shaky legal foundation.
So, can we trust the US to provide ‘adequate’ data protection?
For a data transfer to be permitted under Indonesia’s PDP Law, the recipient country must show that its legal protections are at least equal to Indonesia’s. The United States presents a unique challenge in this regard. Unlike the European Union with its comprehensive GDPR, the US lacks a single federal data protection law. Instead, it uses a mix of sector-specific regulations and state-level rules.
While some states like California offer strong protections through laws like the California Consumer Privacy Act (CCPA), others provide few legal safeguards. This fragmented system creates legal uncertainty about which standards would apply to Indonesian data and what recourse an Indonesian citizen might have if their data is misused.
This raises the question of how the Indonesian government can determine the US provides an equivalent level of protection, especially without an independent body to conduct such an evaluation.
Even the European Union has struggled to establish stable legal grounds for data transfers to the US. Two prior frameworks, Safe Harbor and Privacy Shield, were invalidated by the European Court of Justice over concerns about US surveillance practices and the lack of effective legal remedies for foreign individuals.
Given this history, it is difficult to assume the US qualifies as an ‘adequate’ jurisdiction under Indonesian law without a formal legal evaluation. Such a conclusion would be premature and would risk the rights of Indonesian citizens.
The missing authority at home
The 2022 PDP Law mandated the establishment of an independent Data Protection Authority. This institution was envisioned as the guardian of data privacy in Indonesia, responsible for enforcing the law.
Among its duties would be to evaluate whether a foreign country is qualified to receive personal data from Indonesia.
This is what the law requires: a competent and impartial authority to assess international transfers.
But more than two years after the law was enacted, this institution remains just a concept. There is no formal structure, leadership, or visible authority acting in its name. While government officials state the formation is ongoing, no official roadmap or deadline has been made public.
This absence has significant consequences. Without a body to assess foreign legal systems, there is no lawful basis to determine if another country meets Indonesia’s data protection standards and no mechanism to enforce accountability once data has left the country.
The gov’t may be bypassing its own law
Committing to cross-border data transfers before the necessary domestic institutions are built is a risky shortcut. It creates legal uncertainty, undermines the PDP Law’s authority, and weakens public trust in the government’s commitment to data governance.
When the government proceeds with international policy decisions without the independent oversight body mandated by law, it suggests that executive priorities supersede legislative rules.
The consequences are clear: without an independent authority to assess adequacy, any data transfer agreement risks being legally challenged as unlawful, leading to disputes and reducing certainty for businesses. It also limits the ability of Indonesian citizens to seek remedies if their data is mishandled abroad.
More broadly, this sets a dangerous precedent, opening the door for future policy decisions to be made without proper legal procedure or oversight. Acting before the legal infrastructure is complete risks turning a well-intentioned reform into an empty promise.
Reform cannot stand without institutions
Ultimately, no meaningful data protection regime can exist without the institutions to support it. A law is merely a symbolic gesture if it is not given life and accountability through a functioning enforcement body.
The effectiveness of Indonesia’s PDP Law, therefore, is entirely dependent on the government’s commitment to building the Data Protection Authority it mandates.
The government must prioritize domestic legal and institutional readiness before making international promises that carry long-term legal and political consequences. The current approach, making a commitment to the US to facilitate data transfers while the required domestic oversight mechanism is absent, suggests that diplomatic or trade objectives are taking precedence over legal safeguards for Indonesian citizens.
This path is not only risky but also self-defeating, as it undermines the very legal framework Indonesia sought to build. To be a credible actor in the global data economy, Indonesia must first demonstrate that its legal commitments are backed by genuine institutional strength.
Trust, the bedrock of data protection, is built by rules. But it can only be maintained through strong, independent institutions.



I don't want to sound pessimistic but I can't