Cross-Border Personal Data Transfers: The Remaining Issues Following the Indonesian Constitutional Court Decision

Indonesia’s Constitutional Court has effectively placed the responsibility for cross‑border personal data transfers on private controllers and a future regulator, rather than on the legislature. By interpreting Article 56 as an executive function, the Court sidestepped the constitutional requirement for parliamentary oversight, reinforcing the law’s extraterritorial scope. This legal posture mirrors the GDPR’s adequacy model but diverges in procedural safeguards, leaving a gap until the Personal Data Protection Authority (PDPA) is formally constituted and detailed implementing regulations are issued.

For multinational corporations, the ruling introduces both risk and flexibility. Companies targeting the Indonesian market must now conduct their own technical adequacy assessments for any data export, especially to the United States where the pending Indonesia‑USA Reciprocal Trade Agreement seeks to streamline data flows. Without a parliamentary sign‑off, firms cannot rely on a political guarantee of protection, heightening the need for robust contractual clauses, encryption, and pseudonymisation. The decision also signals that Indonesian courts are likely to assert jurisdiction over disputes, even when parallel proceedings occur abroad, complicating litigation strategy and enforcement.

Looking ahead, the urgency to finalize the PDP Law’s implementing regulations and to appoint the PDPA cannot be overstated. Clear criteria for adequacy, whitelist/blacklist mechanisms, and standardized transfer agreements will reduce compliance ambiguity. Until then, businesses should adopt a proactive governance framework, document all adequacy verifications, and engage local counsel to navigate potential court interventions. The evolving landscape underscores Indonesia’s ambition to align with global data protection norms while retaining sovereign control over personal data.