Breaking Data Barriers: How Can Indonesia Boost Cross-Border Data Transfers?
Indonesia has been asserting its role in global digital governance. As G20 President in 2022, Indonesia led international discussion on trusted cross-border data transfers (“CBDT”) and personal data protection (“PDP”) while continuing to engage with major digital economies, including the European Union ("EU") and the United States, through bilateral and multilateral forums.
As data becomes central in global digital economy, CBDT must occur smoothly and securely. However, there are stringent requirements for jurisdictions exchanging personal data. Many countries, notably EU, restrict transfers of personal data to foreign countries unless they offer “adequate” level of protection under the EU General Data Protection Regulation ("GDPR").
This presents a challenge for Indonesia. Although it has enacted its Personal Data Protection ("PDP") Law (Law No. 27/2022), the full regulatory framework and key enforcement mechanisms are still under development. This gap creates legal and operational risks for businesses, which may deter CBDT-reliant partnerships and investments.
Indonesia’s lacking GDPR adequacy status may hinder the realization of its full potential in the global digital economy. Furthermore, aligning with the GDPR is not about favoring the EU over other partners, but rather reflecting widely accepted benchmark of PDP laws that supports interoperability across jurisdictions, thus positions Indonesia as a trusted partner not just for the EU, but for a broader range of international community.
In GDPR term, adequacy is not just technical, but rather a formal recognition granted by the European Commission (“EC”) that confirms that a country’s PDP measures are equivalent to that within the EU. With adequacy, personal data can flow from the EU to Indonesia without the need for additional safeguards such as pre-approved PDP clauses in data transfer contracts known as Standard Contractual Clauses, or a set of internal policies adopted by multinational companies to govern data transfers within intra-group companies known as Binding Corporate Rules. This shall not only significantly ease CBDT but also reduce legal friction. However, gaining adequacy status is not easy. The EC evaluates legal frameworks, data subject rights implementation, enforcement mechanisms, and the independence of the data protection authority.
The core question, then, is: How can Indonesia demonstrate that its legal framework offers sufficient PDP measures for secure CBDT? One promising avenue lies in its current accession to the Organisation for Economic Co-operation and Development ("OECD"). OECD membership can be one of the supporting factors for Indonesia to strengthen its case for being recognized as “adequate” and a safe partner for CBDT. As part of the accession process of OECD, Indonesia is expected to commit to OECD principles such as rule of law, human rights, transparency, accountability, and market openness, all of which are closely aligned with the values embedded in the GDPR.
Indonesia has been closely aligning its PDP framework with relevant OECD principles starting from its accession process in early 2024. However, OECD accession is a long-term, multi-layered process. Aligning with OECD values requires not only legislation but compliance across multiple governance, institutional, and economic policy areas. While the PDP Law has been enacted, its implementation remains ongoing, as key implementing regulations are still in draft and the establishment of the independent supervisory authority is in progress.
Despite legislative progress, significant gaps remain in terms of enforcement capacity and institutional readiness, areas that are not only critical for OECD accession but also for future adequacy consideration under GDPR. In this context, Indonesia must not only enact laws but ensure their effective enforcement through transparent governance structures that reflect both OECD standards and EU-level data protection principles.
Seeing Japan and South Korea as two Asian countries which have obtained adequacy decisions from the EU and are members of OECD, offer useful models for Indonesia. Japan amended its Act on the Protection of Personal Information to provide stronger data subject rights and implement stricter CBDT mechanisms under the supervision of the Personal Information Protection Commission (“PIPC”). Similarly, in South Korea, the Personal Information Protection Act provides comprehensive coverage to both the private and public sectors, with enforcement led by its central supervisory body, also named the PIPC.
Further, both countries are also active participants in international data forums, such as the Global Privacy Assembly and engage with Council of Europe initiatives, showing their commitment to global standards in implementing PDP in CBDT. Indonesia can look up to these examples not only for regulatory alignment but also for building trust through strong institution and global engagement.
While countries like Japan and South Korea have taken clear steps to align with EU standards, Indonesia’s PDP framework still reflects notable gaps. The enactment PDP Law in 2022 was a significant milestone, but several essential components, such as detailed enforcement mechanisms, a fully independent supervisory body, and clarity on international cooperation-remain under development. Without these, Indonesia may fall short of meeting the high standard required by EU for adequacy decision.
To address this, Indonesia should prioritize finalizing the implementing regulations of the PDP Law, particularly those that address enforcement and CBDT safeguards. Equally important is the establishment of an independent Data Protection Authority with legal and operational autonomy to oversee both public and private sector compliance. Additionally, deepening international engagement, such as actively participating in global data governance forums like the OECD and Global Privacy Assembly would signal long-term commitment to global standards.
Therefore, advancing toward GDPR adequacy and broader regulatory interoperability would not only enable more seamless CBDT but also signal to international stakeholders that Indonesia is committed to high standards of data governance, rule of law, and institutional trust. In an era where trusted data flows underpin innovation, competitiveness, and digital integration, building international confidence in Indonesia’s data governance will be essential to serve not only as a compliance milestone, but as a catalyst for innovation, investment, and regional digital leadership. With momentum from ongoing global engagement and OECD accession, now is a critical window for Indonesia to strengthen its legal foundations and position itself as a trusted player in the global digital landscape.
Author Profiles
Ardhitia Prawira Rusyadi
ardhitia.prawira@gmail.com
Ardhitia is a Senior Manager of Data Privacy and Legal Commercial at a leading digital identity company in Indonesia. He obtained his Bachelor of Laws degree from Universitas Gadjah Mada in 2018 and holds a Master of Laws degree from Cornell Tech, Cornell Law School, in 2025. He has broad experience in corporate, commercial, and technology-related matters, with a particular focus on data protection compliance. He is also an active member of the Indonesian Data Privacy Professionals Association.
Aisyah Danti
aisyahradanti@gmail.com
Danti is a Data Protection Officer at a leading digital identity company in Indonesia. She earned her Bachelor of Laws degree from Universitas Gadjah Mada in 2021. She has broad experience in data protection-privacy governance in digital platforms and legal academic research. She is also an active member of the Indonesian Data Privacy Professionals Association.
Bahas
Silakan login atau berlangganan untuk mengomentari kolom ini