Jakarta, INTI - The Indonesian government has agreed to implement cross-border data transfers with the United States (US), as outlined in the reciprocal trade agreement known as the Agreement on Reciprocal Tariff (ART).
The provision regarding the transfer of Indonesian consumer data to the US is stated in Section Three of the reciprocal trade agreement. Article 3.2 point (b) specifies that Indonesia will facilitate digital trade with the US, including by ensuring trusted cross-border data transfers through electronic means with adequate protection for conducting business activities.
This data exchange agreement between Indonesia and the US is seen as potentially reshaping the growth trajectory of the national data center industry. However, Chairman of the Indonesia Data Center Provider Organization (IDPRO) Hendra Suryakusuma stated that the overall impact will depend on how the policy is implemented.
According to Hendra, if the cross-border data transfer clause is interpreted as a relaxation of domestic data placement or processing requirements, some workloads could shift outside Indonesia, particularly data that is not strictly required to be processed domestically.
“Because of cost reasons, global integration, or corporate policies. This could slow the growth of domestic data center demand in certain segments,” Hendra told Katadata.co.id on Thursday, February 26.
However, he emphasized that the scenario is not as simple as a decline in data center demand. If the government maintains regulatory certainty for sensitive data compliance while encouraging investment in cloud and artificial intelligence (AI), and strengthening supporting infrastructure such as energy, connectivity, and licensing efficiency, Indonesia could remain highly attractive as a regional hub.
“So the impact is not automatically a decline, but rather a shift in the driving factors, from regulatory localization pressure to fundamental competitiveness such as energy, latency, connectivity, legal certainty, and security,” he said.
Four Risks to Anticipate
Hendra also identified several potential risks arising from the implementation of the digital agreement. The first is the risk of changes in demand composition, or demand mix.
With more flexible cross-border data transfer options, certain workloads could be more easily relocated overseas. This may alter the structure of the domestic data center market.
“The potential shift of part of the workload overseas if cross-border data flow regulations make offshoring options easier,” Hendra said.
The second risk relates to regulatory certainty. If the digital clauses are interpreted too broadly, the industry may face ambiguity, particularly regarding the definition of sensitive data, obligations for specific sectors, as well as audit and supervisory standards.
The third risk concerns rising compliance costs. “The need to adjust data processing contracts, conduct security audits, and manage cross-border data transfer governance could increase operational costs, especially for local or mid-sized operators,” Hendra explained.
The fourth risk involves supply chains and vendors. Should there be adjustments to information and communication technology security policies, including alignment with export controls or sanctions, the choice of vendors and procurement timelines for data center equipment such as servers, networking systems, and security infrastructure could be affected.
“This ultimately impacts capital expenditure and the timeline for developing new facilities,” he said.
Limited Details on Data Transfer
IT experts have also raised concerns regarding the lack of detailed provisions in the data exchange agreement. Cybersecurity researcher at the Communication Information System Security Research Center (CISSReC), Pratama Persada, noted that the phrase ‘data required for business application systems’ appears overly broad and could invite multiple interpretations.
In modern data governance, Pratama argued that data categories must be clearly defined, as each type of data carries different levels of sensitivity and risk. “When the government does not specify whether the data includes personal data, sensitive data, or even biometric data, the scope for legal and technical uncertainty becomes very large,” Pratama said.
Unclear definitions may open room for broader interpretation by data controllers, particularly global technology companies whose infrastructure is largely based in the United States, such as Google LLC, Microsoft Corporation, and Amazon Web Services.
He emphasized that the main danger of vague wording lies in the potential mixing of operational business data with sensitive personal information. Data used for application systems may include user identities, addresses, phone numbers, transaction histories, consumption patterns, and even location data.
“In digital economic practices, such data is often enriched through advanced analytics and artificial intelligence to form highly detailed behavioral profiles,” he said.
If transferred data includes sensitive categories, such as health records, financial data, or biometric information, the risks increase exponentially.
According to him, biometric data such as fingerprints, facial recognition, or iris scans are permanent and cannot be replaced if leaked. Unlike passwords that can be changed, biometric breaches are irreversible and carry long-term implications for individual identity security.
The Coordinating Ministry for Economic Affairs stated that the agreed data transfers under the ART remain subject to domestic regulations, namely the Personal Data Protection Law (PDP Law). “The data referred to in the agreement is data required for business purposes such as application systems,” the ministry said in a press release on Sunday, February 22, 2026.
However, the ministry did not provide further clarification on the specific data categories. It only stated that cross-border data transfers serve as essential infrastructure for e-commerce, digital financial services, cloud computing, and other digital services.
“It means there is no surrender of data sovereignty,” the ministry stated. The government assured that both physical and digital data transfers, such as cloud transmissions and cable networks, will be conducted within a framework of secure and reliable data governance, without compromising citizens’ rights.
Conclusion
The Indonesia–US data transfer agreement presents both opportunities and structural risks for the national data center industry. While it could enhance digital trade and global integration, regulatory clarity, data protection safeguards, and infrastructure competitiveness will determine whether Indonesia strengthens its position as a regional hub or faces shifts in domestic demand dynamics.
Read more: Portugal's EDP Acts to Support the Data Centre Boom in Iberia, Says CEO