Data Exchange Is Not A Highway To Economic And Political Espionage

JAKARTA – Remember the World or Worldcoin platform? This biometric identification service platform, owned by US-based Tools for Humanity (TFH), which partnered with PT Sandina Abadi Nusantara as its local partner, once caused a stir in Indonesia.

Before being suspended by the Ministry of Communication and Digital (Komdigi), the platform had collected approximately 500,000 retinal or iris biometric data records of Indonesian citizens since 2021, before the Personal Data Protection Law was passed.

In mid-2025, Komdigi finally suspended the platform's activities after conducting a thorough review of the biometric data collection, which was deemed to be inconsistent with national law. Furthermore, the data collection targeted vulnerable groups, including children, the elderly, people with disabilities, and communities in areas with low digital literacy.

Now, with the inclusion of a personal data transfer clause as one of the conditions for the US government's reciprocal tariff reduction to Indonesia, the public is undoubtedly wondering whether an incident like the World App or Worldcoin case will happen again.

According to Unpad Law Professor Ahmad M. Ramli, the transfer of personal data is actually a common and inevitable phenomenon in international business transactions. In fact, since the advent of the digital era, mechanisms for transferring personal data, both domestically and internationally, have been in place for a long time.

He explained that the transfer of personal data to the US is not unique to Indonesia; other countries have also done so. For example, European Union countries, which strictly protect personal data, have also entered into agreements regarding personal data with the US government.

"What must be understood is that the transfer of personal data does not mean that we are transferring the management of all personal data of Indonesian citizens to the US government," said Ramli on Saturday, July 26, 2025.

He pointed to the European Union, which has already established an agreement with the US for trade transactions worth $7.1 trillion. In fact, the European Commission has adopted the 'EU-US Data Privacy Framework' (DPF), which came into effect on July 10, 2023.

Meanwhile, regarding Indonesia's cooperation with the US, the transfer of personal data is explicitly referred to as "Moving personal data out" in the White House Fact Sheet entitled "The United States and Indonesia Reach Historic Trade Deal," which clearly mentions steps to eliminate Digital Trade Barriers between Indonesia and the US.

"The point is that Indonesia will facilitate the transfer of personal data to the US by recognizing the US as a country with adequate data protection under Indonesian law. This refers to the mechanism for cross-border personal data transfer on a case-by-case basis, to ensure data flows remain legal and protected in the digital economy era," Ramli explained.

He revealed that personal data transfers are already taking place everywhere. For example, if someone flies to New York from Jakarta, the transfer of personal data can involve more than one country, especially if they use different airlines.

Another example is Indonesia's internet users, numbering 221,563,479 people according to APJII 2025 data, who have also provided their personal data to various global digital platforms for processing and transfer between territories and jurisdictions. This provision of personal data occurs when creating an account for email, Zoom, YouTube, WhatsApp, ChatGPT, Google Maps, or other platforms.

Ramli emphasized that the transfer of personal data is inevitable. Without the transfer of personal data, there would be no digital services and transactions. Therefore, the Indonesian government's major task is to oversee, monitor, evaluate, and enforce compliance with the Personal Data Protection (PDP) Law to ensure that data transfers worldwide remain accountable and comply with applicable laws.

"In this regard, the Personal Data Protection Agency plays a very strategic role in optimally implementing the provisions of the PDP Law. The government should not delay the establishment of this PDP Agency any longer," he concluded.

Indonesia Must Become a Regulator of Personal Data Transfer Regulations

Although such transfers are considered a common occurrence in the digital era, Ardi Sutedja, Chairman of the Indonesia Cyber Security Forum, highlighted the risk of privacy and national security violations arising from the personal data transfer agreement between Indonesia and the US. He stated that the PDP Law may permit cross-border data transfers to the US, but the real issue is who will determine the terms of such data flows. "The root of the problem is not whether cross-border data flows are permitted or not, but under whose terms and conditions those data flows are regulated," he added.

He said the PDP Law contains strict requirements to grant Indonesia control and sovereignty over data transfers. However, when it comes to the US, these controls could be relaxed. Moreover, the agreement aims to remove barriers and maximize the freedom of data flows, which could strip away that control and sovereignty.

Ardi then outlined several potential risks, one of which is the potential misuse of Indonesian citizens' personal data by foreign parties. This could increase the risk of cyberattacks, including data theft and ransomware attacks. From an economic perspective, there is the threat of digital colonization, where giant US technology companies that control global data will become increasingly dominant, leading to unfair business competition.

"They can analyze Indonesian market data from their servers in the US to create highly competitive products, stifling local innovation and startups that don't have access to such vast data," he explained.

A similar warning was issued by Amelia Anggraini, a member of Commission I of the Indonesian House of Representatives (DPR RI), who reminded the Indonesian government to be cautious in transferring personal data as part of trade negotiations with the US government. Personal data is not a trade commodity, but a fundamental citizen right guaranteed by the constitution and protected by the Personal Data Protection Law.

Article 56 of PDP Law

She emphasized that, according to Article 56 of the Personal Data Protection Law, the transfer of personal data abroad can only be carried out to countries that have a level of personal data protection equal to or higher than that of Indonesia, and must be carried out through an agreement mechanism, bilateral agreement, or adequate protection guarantees as stipulated in Articles 57 and 58.

The politician from the NasDem Party faction urged the government to expedite the establishment of an independent authoritative institution and to ensure that the precautionary principle and the protection of data subjects' rights are truly implemented.

The NasDem Party legislator further highlighted the importance of accelerating the establishment of an independent authoritative institution, or PDP Institution, as mandated in Articles 58 and 59 of the PDP Law. "This PDP Institution ensures oversight, evaluation, and law enforcement of all data processing and transfer practices, including in the context of international cooperation," Amelia said.