Written by Dr Priskila Pratita Penasthika, Assistant Professor, Faculty of Law, Universitas Indonesia

INTRODUCTION

The Indonesian Personal Data Protection Law, Law Number 27 of 2022 (Indonesian PDP Law), came into effect on 17 October 2022. Before its enactment, data protection rules in Indonesia were fragmented across different sector-specific laws and regulations. The Indonesian PDP Law aims to unify these laws and regulations, providing greater clarity and ensuring consistent personal data protection across all sectors in the country. The Indonesian PDP Law sets out normative provisions on personal data protection; however, detailed, practical rules have yet to be specified in the implementing regulations. As of now, the drafting of these implementing regulations is still underway.

Many of the fundamental elements of the Indonesian PDP Law, including definitions of covered data and entities, lawful grounds, processing obligations, accountability measures, and relationships between data controllers and processors, are modelled after the European Union’s General Data Protection Regulation (GDPR). Nonetheless, several key provisions are tailored specifically to the Indonesian context. For instance, the Indonesian PDP Law has broad extraterritorial reach, which shall apply to entities insofar as their personal data processing activities have legal implications within Indonesia or pertain to an Indonesian national data subject outside Indonesian jurisdiction.

To date, there have been five decisions by the Constitutional Court of the Republic of Indonesia (Mahkamah Konstitusi Republik Indonesia) concerning the Indonesian Personal Data Protection Law. Briefly, the Indonesian Constitutional Court functions as one of Indonesia’s apex judicial authorities, alongside the Supreme Court. Its primary jurisdiction involves the constitutional review of enacted laws (undang-undang) in Indonesia to assess their conformity with the 1945 Indonesian Constitution (as lastly amended in 2002), thereby safeguarding the constitutional rights therein. Its decisions are final, legally binding, and possess immediate legal effect upon issuance, with no provisions for appeal or annulment by any other institutional body.

This piece will focus on the most recent ruling by the Constitutional Court issued on 19 January 2026 regarding the Indonesian PDP Law, namely Case Number 137/PUU-XXIII/2025, as it pertains to matters within private international law.

FACTS

The Petitioner mainly requests a constitutional review of Article 56 of the Indonesian PDP Law, which specifies the requirements for cross-border personal data transfers. Article 56 delineates a tiered set of prerequisites for such transfers. A personal data controller responsible for transmitting personal data abroad (data exporter) must verify that the recipient country offers an adequate or higher level of personal data protection than that provided by the Indonesian PDP Law. If this requirement is not met, the data exporter must ensure that sufficient and binding data protections are in place in the recipient country. If neither condition is satisfied, the data exporter is obliged to obtain consent from the data subject prior to transferring personal data abroad. Furthermore, the forthcoming implementing regulations are expected to provide further details on the specific requirements for cross-border data transfers.

The petition was initiated with the briefing announcement issued by the White House on 22 July 2025 concerning the Framework for Negotiating a Reciprocal Trade Agreement between Indonesia and the United States of America (Indonesia-USA Reciprocal Trade Agreement Negotiation Framework). As part of this framework, Indonesia has committed to establishing legal certainty regarding the ability to transfer personal data outside its borders to the United States.

The Petitioner argued that the Indonesia-USA Reciprocal Trade Agreement Negotiation Framework has led to a key interpretation of Article 56 of the Indonesian PDP Law concerning the transfer of citizens’ personal data beyond Indonesian borders. The Petitioner maintained that, under a strict interpretive approach, the PDP Law allows data controllers to assess the adequacy requirement independently, without parliamentary oversight. This could potentially weaken democratic accountability and expose personal data vulnerable to misuse. Additionally, the Petitioner emphasised that such commitments should require approval from the House of Representatives, as they directly impact national sovereignty and the protection of citizens.

The foundation of the Petitioner’s petition is based on Article 28G, paragraph (1) of the 1945 Indonesian Constitution, which protects citizens’ rights to their dignity, family, honour, and property, as well as the right to be free from threats to their fundamental rights. Additionally, the Petitioner referred to Article 11 of the 1945 Indonesian Constitution, which confers authority on the House of Representatives and the President to conclude international agreements.

Therefore, the Petitioner requests that the Constitutional Court interpret the provisions of Article 56 of the Indonesian PDP Law to mean that transferring personal data to jurisdictions such as the United States should occur only if there is an international agreement approved by the Indonesian House of Representatives. Moreover, transfers to countries considered to lack adequate personal data protection standards should take place only with the consent of the data subjects, after informing them of the risks involved in the cross-border transfers of their personal data.

CONSTITUTIONAL COURT DECISION

The Constitutional Court rejected all of the Petitioner’s petition and arguments. According to the Court, the cross-border transfer of personal data constitutes part of the administrative and technical measures carried out by the executive branch, rather than an agreement between nations that creates rights and obligations in the domains of politics, defence, or sovereignty. Based on this reasoning, the Court affirmed that there is no constitutional obligation to involve the Indonesian House of Representatives in any cross-border data transfer process, including in determining the adequacy decision regarding such a personal data transfer.

Regarding the adequacy decision, the Court held that the personal data controller (data exporter) shall undertake technical verification procedures to ascertain whether the recipient country of the personal data transfer maintains data protection standards that are adequate or even higher than those provided in the Indonesian PDP Law. Furthermore, the Court pointed out that cross-border personal data transfers do not rely solely on the personal data controller to ensure adequacy or higher protection standards in the recipient country. Instead, it also necessitates the existence and active involvement of the Personal Data Protection Authority (PDPA), as prescribed in Articles 58-61 of the Indonesian PDP Law. The PDPA is tasked with overseeing, evaluating, and implementing technical policy measures to ensure compliance with requirements for cross-border personal data transfers. Nevertheless, it is important to note that such authority has yet to be established.

 REMARKS

Despite the Constitutional Court’s rejection of the petition, Case Number 137/PUU-XXIII/2025 brings to light persistent concerns regarding the Indonesian PDP Law, particularly its provisions on cross-border personal data transfers. These issues call for further discussion and highlight the pressing need to pass the implementing regulations and establish the PDPA.

First, clarification is required regarding the party responsible for conducting cross-border transfers of personal data. Article 56 of the Indonesian PDP Law exclusively employs the term ‘personal data controller’ (pengendali data pribadi) in the context of cross-border data transfers, which seems to imply that only personal data controllers are authorised to carry out such transfers.

Second, it is necessary to delineate which countries are recognised as having adequate or higher levels of personal data protection. In this context, Article 60(f) of the Indonesian PDP Law provides that the PDPA is empowered to assess whether the requirements for cross-border personal data transfers are satisfied. The significant role of the PDPA in cross-border personal data transfer is also emphasised by the Constitutional Court Judges in Case Number 137/PUU-XXIII/2025. Since the PDPA has not yet been established or designated to date, this situation underscores the urgent need to set up or appoint such an authority.

Third, the forthcoming implementing regulations of the Indonesian PDP Law are expected to clarify issues surrounding cross-border personal data transfers, including the incorporation of whitelists and blacklists of specific jurisdictions, standardised contractual language, and specific data processing activities such as pseudonymisation and encryption. It is also presumed that the personal data controller and the forthcoming PDPA will be required to report to the Indonesian Ministry of Communication and Digital regarding cross-border transfers of personal data.

Fourth, as set out at the outset of this piece, the Indonesian PDP Law has an extensive extraterritorial scope. In the event of a personal data breach involving cross-border transfer of personal data, any individuals, corporations, public entities, and international organisations—irrespective of their origin or residence—whether functioning as personal data controllers or processors, may be considered potential defendants for violations that affect the rights of an Indonesian data subject. Referring to Article 2 of the Indonesian PDP Law, this applicability is contingent upon the occurrence of their misconduct (1) within the jurisdiction of Indonesia or (2) outside of Indonesia, provided that such misconduct results in legal consequences (a) within the Indonesian jurisdiction or (b) impacting an Indonesian personal data subject outside of Indonesian territory.

The subsequent issue concerns the court’s jurisdiction. As no cross-border data protection litigation has occurred in Indonesia to date, the court’s position in this matter remains indeterminate. Nevertheless, Indonesian courts are notorious for their indifference and insularity when addressing foreign-related issues. Furthermore, Indonesian civil procedural law does not specify provisions regarding parallel litigation. Consequently, in case of parallel proceedings concerning a cross-border data transfer dispute, it is likely that the Indonesian court would exercise jurisdiction and proceed with the legal proceeding in Indonesia, notwithstanding the existence of an ongoing legal proceeding involving the same dispute and parties in a foreign court.

If proceedings are conducted in a foreign court, the complexities of the issues may increase. Indonesia maintains a stringent stance that a foreign judgment is not enforceable unless it pertains to damages arising from marine salvage. Any foreign, other than those on damages resulting from marine salvage, must undergo re-examination by an Indonesian court. In light of this stance, it is apparent that Indonesian courts would not recognise or enforce foreign judgments concerning cross-border personal data transfer disputes and would require such disputes to be relitigated before an Indonesian court.

Practical challenges also include the complexities of seizing assets or digital evidence located in foreign jurisdictions, given that Indonesia has not yet acceded to the HCCH 1970 Evidence Convention.

Further details concerning the Indonesian PDP Law and its private international law aspects are available in Priskila Pratita Penasthika, “Chapter 12 – Indonesia” in Adrian Mak, Ching Him Ho, and Anselmo Reyes (eds.), Privacy and Personal Data Protection Law in Asia (Hart Publishing, 12 December 2024).