A silent game-changer is emerging in Indonesia–U.S. data flows. As part of the U.S.–Indonesia Agreement on Reciprocal Tariffs (ART), a draft clause under discussion would allow:

“Indonesia will provide certainty regarding the ability to move personal data out of its territory to the United States through recognition of the United States as a country or jurisdiction that provides adequate data protection under Indonesia’s law.”

At first glance, this looks like a straightforward trade facilitation. But here’s the problem:

• Under Indonesia’s PDPL (Article 56), it is the data controller, not the government, who must determine whether the receiving country provides equal or higher protection.
• The PDPL currently does not allow the government to issue formal adequacy recognition.

This means the draft clause is in potential tension with domestic law, creating regulatory uncertainty and possible liability for businesses transferring data from Indonesia to the U.S.

Why it matters

• Companies cannot rely on government recognition; adequacy assessment remains the responsibility of the controller.
• Indonesia becomes an exception within ASEAN, where other countries rely on “free flow” or safeguarded transfer clauses.
• This draft clause may influence future ASEAN–U.S. digital trade rules, but it cannot override PDPL.

What I’ll unpack in the Summit

• Legal tension between the draft U.S.–Indonesia clause and PDPL Article 56
• How other ASEAN members handle cross-border data transfers to the U.S. — from “free flow” to safeguarded transfers
• Practical solutions for the country and companies to navigate or resolve the conflict between the proposed clause and PDPL.

Author
Prof. Abu Bakar Munir
Co-Founder Asosiasi Profesional Privasi Data Indonesia (APPDI)