Indonesia-US Data Transfer, IPB University Academics Highlights the Importance of Strengthening Data Governance

The issue of data transfers from Indonesia to other countries, particularly the United States (US), has resurfaced following the signing of the agreement on reciprocal torade (ART) between the two nations on February 19th 2026.

Regarding this, Dr Heru Sukoco, a lecturer in the Computer Science Program at IPB University, commented that cross-border data transfer is a very common practice in the global digital ecosystem. He noted that this phenomenon is not new. 

“Even without an MoU, Indonesians are already using global applications and storing data in foreign cloud services,” he said. 

The agreement reaffirms that data transfers remain subject to Law No 27 of 2022 on Personal Data Protection (PDP Law). Nevertheless, Dr Heru emphasized several risks that require serious attention.

He said that, on the one hand, this cooperation brings a number of benefits. For example, enhanced technological cooperation (access to more advanced artificial intelligence (AI), cloud, and big data technologies, as well as opportunities for knowledge transfer and capacity building). This cooperation also enables efficiency and innovation, where data can be used for global analysis and to drive a data-driven economy.

However, on the other hand, Dr Heru highlighted several serious risks, ranging from data leaks to misuse. He noted that data could potentially be exploited without full control from Indonesia, including for profiling and surveillance purposes.

This cooperation is also seen as potentially fostering technological dependency, where Indonesia risks becoming merely a “data supplier” without adding value. Additionally, the issue of data sovereignty is a major concern, given that citizens’ data constitutes a strategic asset that must be protected.

For this reason, he emphasized that strengthening data governance is the key. Dr Heru suggested several mitigation measures, including classifying data into public data, personal data (with very limited access), and strategic data such as health, financial, and biometric data, which must be strictly protected.

In addition, he emphasized the importance of applying data protection principles, namely consent (user consent), data minimization (using data only to the extent necessary), and purpose limitation (data must not be used beyond its original purpose).

“Critical data must be stored in Indonesia; transfers abroad should only be in aggregated or anonymous form. Encrypt sensitive data using end-to-end encryption mechanisms and conduct regular security audits,” he continued.

As a concrete step, he emphasized the importance of transparency in this MoU, clarity regarding the types of data being transferred, and restrictions on national strategic data.

He also cited the use of WhatsApp, where users often unknowingly share data such as contacts and communication metadata. On WhatsApp Business, the data shared can be even broader, such as business profiles and strategies.

“This shows that the flow of data overseas is already occurring in everyday life. Therefore, strengthening regulations, oversight, and public awareness are crucial steps to ensure that the benefits of the digital economy do not come at the expense of national data sovereignty,” he concluded. (dh) (IAAS/SSR)