[Analytics] Indonesia won’t go with the flow on data
Cross-border data flows have been a priority on the G20 agenda since 2019. This year is no exception. Indonesia, which holds the G20 Presidency in 2022, has promised to promote discussions on cross-border data flows, setting up the Digital Economy Working Group to facilitate a constructive, productive and inclusive dialogue related to data governance. Xirui Li specially for the East Asia Forum.
Though Indonesia has fully committed to enabling cross-border data flows, the extent to which it promotes ‘data free flow with trust’ — an architecture for international cooperation on the flow of data — remains unclear. Consistent with its own approach to data governance, Indonesia is likely to impose additional preconditions on the free flow of data and highlight data sovereignty issues at the G20.
Indonesia is the 16th largest economy in the world with a GDP of US$1.19 trillion in 2021 — and its digital economy is growing rapidly. It is estimated that Indonesia’s internet economy will be worth US$330 billion by 2030. By going digital, Indonesia can achieve an estimated US$150 billion in economic growth by 2025. Realising the great potential of data-based economic growth, Indonesia is paying close attention to the protection of data security and privacy by regulating data flow across its borders.
Although Indonesia is making progress in promoting cross-country data flows, revoking Government Regulation 82 of 2012 (a provision which required economy-wide data localisation) in 2019, it is still often criticised for its remaining data localisation laws.
Justified for the sake of protecting public and national security, Government Regulation 71 of 2019 requires that all public sector data must be managed, stored and processed in Indonesia. Unless the receiving country has the same personal data standards and level of protection as Indonesia, government Regulation 80 of 2019 also forbids the transfer of personal data offshore.
Indonesia has also imposed strict sector-based controls on cross-border data flows. Bank Indonesia and the Financial Services Authority have imposed localisation mandates for businesses in the financial sector. Regulation Number 1/POJK.07/2013 prohibits the transfer of personal data to a third party by financial services providers unless the consumer’s written consent is obtained.
Once the draft Personal Data Protection Bill passes, legislation specifying strict requirements for and conditions on the transmission of personal data outside of the country’s borders, Indonesia will join countries with stringent regulations on personal data protection such as Brazil, China and India. The United Nations has identified Indonesia as a country with a restrictive approach to cross-border data flows due to these laws and regulations.
Indonesia’s domestic approach to regulating data flows prioritises the importance of data to national security over its economic value, so Indonesia is advocating for data sovereignty in the international arena.
Indonesian Minister of Communications and Information Technology Johnny G Plate called for data sovereignty in regulating cross-border data flows at both the 2020 G20 Digital Economy Ministers’ Meeting and the first ASEAN Digital Minister’s Meeting in 2021. Plate also recently underscored the relationship between data security and sovereignty, affirming the geostrategic nature of data.
So even though Indonesia adheres to the concept of ‘data free flow with trust’, a principle on which G20 members have achieved consensus since 2019, it has emphasised defining ‘trust’ rather than seeking ways to allow the default free flow of data.
As it calls for the respect of data sovereignty and security in its G20’s Sherpa Track, Indonesia is advocating four principles for cross-border data flows — lawfulness, fairness, transparency and reciprocity. These four pillars seek to facilitate global data governance and take advantage of digital economic opportunities while protecting national sovereignty and security.
From Indonesia’s vantage point, the last principle is the most important one. Reciprocity means that countries that receive data should have a level of protection equal to, or higher than, the countries from which the data is produced — allowing countries to build trust.
By recognising the importance of data to its economic development, Indonesia is shaping data governance domestically and internationally. Looking forward to the G20, cross-border data flows will certainly emerge as a major theme. But the extent to which Indonesia will promote data free flow remains to be seen.
Indonesia’s efforts to define trust so far seem to indicate its view that national and public security are prerequisites for cross-border data flows. Indonesia may bring the concept of data sovereignty to the G20 during its Presidency while also pushing other G20 members to clarify the circumstances under which data can be transferred freely.
Xirui Li is a PhD candidate at the S Rajaratnam School of International Studies, Nanyang Technological University (NTU), Singapore, and a Research Fellow at the Intellisia Institute, Guangzhou.