EU-US Data Privacy Framework On The Verge Of Failure, Indonesia Must Ensure Data Transfer Security
JAKARTA — The EU-US Data Privacy Framework (DPF), which since its adoption in July 2023 has served as the primary foundation for personal data transfers between the European Union and the United States, now faces a bleak future. Significant policy changes in the United States and skeptical reactions from European data protection authorities have raised concerns about the framework's sustainability.
One of the biggest blows to the DPF's sustainability was the dismissal of three of the five members of the US Privacy and Civil Liberties Oversight Board (PCLOB), leaving the body without a quorum and losing its role as an independent watchdog over US government data privacy and oversight practices. The board was previously considered a crucial pillar in maintaining accountability for US intelligence systems regarding foreign citizens' data.
Another issue stems from Executive Order 14215, signed by the US President in early 2025. This order requires all actions of the Federal Trade Commission (FTC), the primary agency enforcing the DPF principles, to be reviewed by the US President.
This is seen as a direct threat to the independence of the oversight agency and the credibility of data protection law enforcement in the US. Furthermore, the extension of Section 702 of the Foreign Intelligence Surveillance Act (FISA) in April 2024 further expanded the US government's authority to access electronic data belonging to non-US citizens without a court mandate. This situation reinforces the perception that the US does not provide adequate privacy protections for foreign citizens, including citizens of the European Union and, of course, Indonesia.
In Europe, various data protection authorities have begun to voice their concerns. Authorities from Norway, Denmark, Germany, Sweden, and Belgium have issued calls for businesses to prepare exit strategies from the Data Protection Fund (DPF).
Norwegian authorities, for example, advised companies to consider alternative mechanisms for transferring data to the US. The German government emphasized the importance of the US keeping its promises regarding restrictions on surveillance of foreign citizens' data.
Meanwhile, Belgium even ruled that the FATCA agreement, which allows the exchange of financial information between the US and European Union countries, violated the region's privacy principles.
However, as of the end of July 2025, the DPF technically remained in effect, and more than 2,800 US companies maintained their certification under the framework. However, with the current geopolitical and legal uncertainty, most companies are evaluating alternative options such as the use of Standard Contractual Clauses (SCCs) and considering regional data storage to avoid relying on unstable cross-border transfer mechanisms.
While the European Union has expressed concerns about the security of data protection in the United States, this situation has not directly impacted cooperation on data transfers from the US to Indonesia. The Indonesian government ensures that any transfer of personal data involving Indonesian citizens must comply with the Personal Data Protection Law (PDP Law) No. 27 of 2022. This law, which came into full effect in October 2024, provides comprehensive protection for all activities of collecting, storing, and processing personal data.
In the context of bilateral cooperation, on July 22, 2025, Indonesia and the United States agreed on a digital trade framework that includes recognition of the US as a country with an adequate level of data protection.
This agreement is designed to eliminate digital barriers between the two countries and provide legal certainty for companies transferring personal data across borders. However, the Indonesian government emphasized that this agreement does not transfer sovereignty over citizens' personal data to foreign entities.
Minister of Communication and Information Technology Meutya Hafid stated that this collaboration actually strengthens domestic data protection mechanisms. Data transfers from the US to Indonesia are only permitted for legitimate and limited purposes, for example, for the use of digital services like Google, Facebook, or Instagram by Indonesian citizens.
Minister of State Secretary Prasetyo Hadi also clarified that no Indonesian citizens' data will be freely handed over to foreign governments. The government only regulates how such data is protected when used in the international digital ecosystem.
However, this agreement has received considerable criticism. Some cybersecurity experts, such as Ardi Sutedja of the Indonesia Cyber Security Forum, cautioned that the United States still lacks federal legislation specifically regulating personal data protection.
This raises concerns that Indonesian citizens' data could be exposed without adequate legal guarantees. Tb Hasanuddin, a member of the Indonesian House of Representatives (DPR RI) from the Indonesian Democratic Party of Struggle (PDI-P), even called for the government to act more transparently and cautiously in managing cross-border data transfer cooperation.
Although the DPF faces an uncertain future, the Indonesian government emphasized that the national data protection system remains robust and will continue to be safeguarded. Data transfers from abroad, including from the United States, will be continuously monitored to ensure compliance with the PDP Law.
If the destination country is deemed not to meet equivalent protection standards, additional protection mechanisms such as bilateral agreements or standard contractual clauses are required. If these are not met, explicit consent from the data owner must first be obtained.
With evolving global dynamics, Indonesia now faces a significant challenge in ensuring that the protection of its citizens' personal data is not compromised amidst the flow of cross-border digitalization. The government and industry players are expected to continuously update their compliance with national regulations and monitor developments in international law to ensure that the digital rights of all citizens remain secure in an era of unstoppable global connectivity.