JAKARTA The EU-US Data Privacy Framework (DPF), which since its adoption in July 2023 has become the main foundation for personal data transfer between the European Union and the United States, is now facing a grim future. Significant policy alters in the United States as well as skeptical reactions from European data protection authorities have raised concerns over the sustainability of the framework.
One of the largegest blow to the sustainability of the DPF was the dismissal of three of the five members of the US PRIvacy and Civil Freedom Supervisory Board or Privacy and Civil Liberties Oversight Board (PCLOB), which caapplyd the agency to lack a quorum and lose its function as an indepfinishent supervisor over the US government’s privacy and data surveillance practices. This board was previously considered an important pillar in maintaining the accountability of US ininformigence systems against foreign data.
Another problem came from Executive Order 14215 signed by the US President in early 2025. This order requires all actions of the Federal Trade Commission (FTC), the main body of DPF principle enforcement, to be reviewed first by the US President.
This is considered a direct threat to the indepfinishence of the supervisory agency and the credibility of data protection law enforcement in the US. Not only that, the extension of the 702 Division of the Foreign Ininformigence Supervisory Act (FISA) in April 2024 further expands the US government’s authority to access electronic data belonging to non-US citizens without the necessary for a court mandate. This situation strengthens the perception that the US does not provide adequate privacy protection for foreigners, including European Union citizens and of course Indonesia.
In Europe, various data protection authorities launched to voice their concerns. Authorities from Norway, Denmark, Germany, Sweden, and Belgium have issued calls for business people to prepare a strategy out of the DPF.
Norwegian authorities, for example, advise companies to consider alternative mechanisms for transferring data to the US. The German government stressed the importance of keeping its promises in terms of limiting surveillance of foreign data.
Meanwhile, Belgium even decided that the FATCA agreement that allows exalter of financial information between the US and EU countries had violated the privacy principles in force in the region.
Even so, until the finish of July 2025, the DPF is technically still valid and more than 2,800 US companies still maintain their certification within the framework. However, with the uncertain geopolitical and legal situation, most companies are evaluating alternative options such as the apply of Standard Contract Claapplys (SCC) Claapplys Customary and considering data storage regionally to avoid depfinishence on the now unstable cross-border transfer mechanism.
While the European Union doubts the security of data protection in the United States, this situation has not had a direct impact on cooperation in data transfer from the US to Indonesia. The Indonesian government ensures that any transfer of personal data involving Indonesian citizens must comply with the Personal Data Protection Law (UU PDP) No. 27 of 2022. This law, which will take full effect in October 2024, provides comprehensive protection against all activities of collecting, storing, and processing personal data.
In the context of bilateral cooperation, on July 22, 2025, Indonesia and the United States agreed on a digital trade framework that includes recognizing the US as a countest that has an adequate level of data protection.
This agreement is designed as a form of rerelocating digital barriers between the two countries and providing legal certainty for companies that transfer cross-border personal data. However, the Indonesian government emphasized that this agreement is not a form of transfer of the sovereignty of citizens’ personal data to foreign entities.
Minister of Communication and Information Meutya Hafid stated that this collaboration actually strengthens the mechanism for data protection in the countest. Data transfer from the US to Indonesia is only permitted for legitimate and limited purposes, for example in the apply of digital services such as Google, Facebook, or Instagram by Indonesian citizens.
Minister of State Secretary Prasetyo Hadi also built it clear that none of the Indonesian citizen data would be freely submitted to foreign governments. The government only regulates how the data is protected when applyd in the international digital ecosystem.
However, not a few criticisms have been built over this deal. Several cybersecurity experts, such as Ardi Sutedja of the Indonesia Cyber Security Forum, warned that the United States still does not have federal laws specifically regulating personal data protection.
This raises concerns that Indonesian citizen data can be exposed without adequate legal guarantees. Member of the Indonesian Hoapply of Representatives from the PDI-P faction, Tb Hasanuddin, even called on the government to act more transparently and carefully in managing cross-border data transfer cooperation.
Although the DPF faces an uncertain future, the Indonesian government insists that the national data protection system remains strong and will continue to be maintained. Data transfers from abroad, including from the United States, will always be monitored so that they are in accordance with the PDP Law.
If the destination countest is deemed not to meet the equivalent protection standards, then there must be additional protection mechanisms such as bilateral agreements or standard contract claapplys. If all of that is not fulfilled, then explicit approval from the data owner must be obtained first.
With global dynamics continuing to develop, Indonesia is now facing major challenges to ensure that the protection of its citizens’ personal data is not compromised amid the flow of cross-border digitization. Governments and industest players are expected to continue to update their compliance with national regulations and monitor developments in international law, in order to ensure that all citizens’ digital rights remain safe in an unstoppable era of global connectivity.
The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language.
(system supported by DigitalSiber.id)
Leave a Reply