The Agreement Is Set — Indonesia's Homework Is Not
Twenty-one rounds of negotiations, more than two years of talks across ten member states, and a climactic session at the 27th ASEAN Economic Community Council meeting in Cebu, Philippines on May 7, 2026: the ASEAN Digital Economy Framework Agreement (DEFA) is targeting a November 2026 signature at the ASEAN Summit. Indonesia's Coordinating Minister for Economic Affairs, Airlangga Hartarto, confirmed the consensus and a BCG study cited in DEFA negotiations projects the framework could expand the regional digital economy from $1 trillion to $2 trillion by 2030.
For Indonesia — the largest economy in ASEAN and the country that initiated the DEFA framework during its 2023 chairmanship — the stakes are not abstract. Under a fully realised DEFA, Indonesia's own digital economy could reach $800 billion, per Airlangga's own projections. The cross-border data flow provisions are central to unlocking that growth: they would harmonise transfer rules, enable trusted data flows, and give businesses a common compliance baseline across Southeast Asia's 680 million people.
There is, however, a significant gap between Indonesia championing DEFA at the negotiating table and Indonesia being ready to operationalise it domestically. That gap is the RPP PDP — the implementing regulation for Indonesia's Personal Data Protection Law — which remains unpublished more than eight months after the law's two-year transition period expired on October 17, 2024.
The PDP Law's Unfinished Architecture
Indonesia's Personal Data Protection Law, Law No. 27 of 2022, established a credible framework for cross-border data transfers. It specifies three transfer mechanisms: an adequacy determination by the Indonesian Data Protection Authority recognising countries with equivalent or higher protection standards; binding instruments, including Standard Contractual Clauses and Binding Corporate Rules approved by the DPA; and, in limited circumstances, data subject consent.
On paper, this architecture is well-designed to interoperate with ASEAN's regional governance toolkit. ASEAN has published Model Contractual Clauses for Cross-Border Data Flows — standardised contractual templates explicitly compatible with member state domestic law — and is rolling out the ASEAN Cross-Border Data Flow Certification (ACCDF), a regional assurance mechanism enabling businesses to demonstrate compliance across borders without navigating ten separate national frameworks.
In practice, none of these instruments can be operationalised in Indonesia without the RPP PDP. As of February 2025, the Ministry of Communications and Digital stated the regulation was in its "fourth harmonisation process" and "expected to be issued in the near future." The last publicly circulated draft dated from August 31, 2023. Without the RPP PDP, there is no published adequacy list, no formal DPA approval process for SCCs or Binding Corporate Rules, no defined standards for Data Protection Officers, and no operational transfer impact assessment procedure. The PDP Law's architecture exists; the operating manual does not.
The Regulator's Legitimate Concern — and Its Limits
The argument for deliberation has genuine merit. Getting cross-border transfer rules wrong is costly, as the Atlantic has demonstrated repeatedly. The EU-US Data Privacy Framework — painstakingly negotiated after two previous arrangements were struck down — now faces a new legal challenge following the US Supreme Court's June 30, 2026 ruling that presidents may remove FTC commissioners without cause, calling into question the independent oversight body the DPF depends on. Privacy advocate Max Schrems has announced plans to challenge the framework in European courts. A regime built on unstable legal foundations creates a compliance trap rather than a compliance path.
Indonesia's regulators are right to want precision. But deliberation that extends past the PDP Law's own legislated two-year transition deadline is no longer a policy choice — it is an unplanned regulatory vacuum. Businesses transferring data into and out of Indonesia are now operating in a grey zone the law itself set a deadline to resolve. That gap falls disproportionately on smaller firms without the legal resources to navigate ambiguity.
ASEAN Has Built the Pipes — Indonesia Needs to Connect
ASEAN has not waited on member states to build the regional governance infrastructure. The ASEAN Business Advisory Council's Trusted Data Corridors initiative is advancing, with the Singapore-Johor-Batam (SJB) corridor serving as a live tri-hub demonstration. Singapore anchors governance and cybersecurity standards; Johor provides hyperscale data centre capacity; Batam's special economic zone incentives attract cross-border digital investment. Nongsa Digital Park in Batam is already functioning as a regional technology hub. Asia-Pacific data centre investment is projected to exceed $60 billion within three years, and the SJB model is positioned to capture a significant share of that.
The SJB corridor works precisely because it accommodates different regulatory maturity levels while maintaining shared governance norms. Indonesia's integration into the ACCDF and ASEAN Model Contractual Clauses system requires only that its domestic law formally recognise these instruments — which the RPP PDP would achieve, had it been published.
What Must Happen Before November
The required steps are executive, not legislative, and achievable within the remaining four months:
- Publish the RPP PDP — the single most consequential step. It establishes adequacy procedures, SCC approval processes, and DPO standards, converting the PDP Law from aspiration into enforcement.
- Constitute and staff the national data protection authority — the DPA's formal establishment is a prerequisite for any adequacy determination or instrument approval work.
- Formally recognise ASEAN MCCs and ACCDF certifications — even as interim ministerial guidance, this gives businesses a cross-border compliance path before DEFA enters into force.
Indonesia has every incentive to move. It designed DEFA. It has the most to gain from its cross-border digital commerce provisions. The RPP PDP is not a barrier to DEFA — it is the domestic prerequisite that makes Indonesian participation in DEFA operational rather than nominal. The gap is administrative, not political, which means it is fixable. The November summit is not just a deadline — for Indonesia, it is a $800 billion argument for getting the paperwork done.