Jakarta. A cross-border data clause in Indonesia’s new trade pact with the United States is drawing warnings from cybersecurity experts, who say that in an era defined by data and artificial intelligence, the issue extends far beyond commerce into national security and sovereignty.

The data clause is embedded in the Agreement on Reciprocal Trade (ART), which sets rules for cross-border data flows needed for business activities, including e-commerce, digital financial services, cloud computing, and other digital services.

Cybersecurity expert Pratama Persadha, chairman of the Indonesian Cyber Research Institute (CISSReC), warned that for a country with one of the world’s largest digital populations, citizens’ data is a strategic asset.

“Mass profiling of Indonesian consumer behavior by foreign entities, and the possibility of data being used for geopolitical and economic intelligence interests, are real risks,” Pratama said on Monday.

He stressed that in an era where global competition is increasingly driven by data and artificial intelligence (AI), the accumulation and analysis of data represent a source of power.

“The agreement to transfer Indonesian citizens’ data to the US under a trade framework must be viewed as a strategic issue, not merely a technical matter of digital commerce. It touches on data sovereignty, national security and the protection of citizens’ privacy rights,” he said.

Pratama noted that the US technology ecosystem is globally dominant, with companies such as Amazon Web Services, Google LLC, Microsoft Corporation and Meta Platforms controlling major cloud infrastructure, search engines, social media platforms and data centers.

“When Indonesian citizens’ data is processed or stored under infrastructure subject to US jurisdiction, it may fall under US regulations, including instruments such as the USA Patriot Act and the Cloud Act, which allow US law enforcement to request access to data managed by companies based there, even if the data is physically stored outside the US,” he said.

From a reciprocity standpoint, he questioned whether Indonesia would enjoy equal rights. “The issue is not only whether Indonesia allows data transfers, but whether there is an equivalent mechanism in return. Does Indonesia have the same access rights to US citizens’ data processed by entities operating here?” Pratama said.

He also asked whether safeguards exist to prevent unilateral access by foreign authorities without transparent and accountable legal mechanisms. “Equality in a digital agreement is not measured solely by investment opportunities or ease of doing business, but by how risks and control over data are distributed,” he added.

Still, Pratama acknowledged potential economic gains. Clear rules on data transfers could boost investor confidence and strengthen Indonesia’s position as a regional digital economy hub. “Investment in data centers, cloud infrastructure and digital services could increase, in line with Indonesia’s national digital transformation agenda and integration into global data-driven value chains,” he said.

To mitigate risks, he urged the government to ensure several concrete safeguards: derivative agreements setting protection standards equal to or higher than domestic rules; mandatory breach notifications and regular security audits; adequacy assessments before transfers; stronger cross-border supervisory capacity; and data localization for strategic categories such as population, health, defense and critical infrastructure data.

Public transparency, he added, is essential. “Citizens have the right to know what types of data can be transferred, for what purposes, and how they are protected. Without transparency, public trust in digital transformation can erode. In many past data breaches in Indonesia, the core issue was not only technical failure, but weak accountability and crisis communication,” he said.

The government, however, insists the agreement does not compromise sovereignty. Haryo Limanseto, spokesperson for the Coordinating Ministry for Economic Affairs, said data transfers under the ART remain subject to Indonesia’s Personal Data Protection Law and apply only to business-related data used in digital systems.

“There is no surrender of data sovereignty. The government ensures that both physical and digital data transfers, including via cloud transmission and cables, are conducted within a framework of secure and reliable data governance, without sacrificing citizens’ rights,” Haryo said.

He added that regulatory certainty on cross-border data flows would help attract global technology firms seeking predictable frameworks for data processing.

“With credible governance, Indonesia can attract investment in data centers, cloud infrastructure and other digital services,” he said.