Indonesia: Lawsuit challenging constitutionality of cross-border data transfers without public consent or parliamentary approval was filed at constitutional court (Case No. 137/PUU-XXIII/2025)

On 26 August 2025, a lawsuit relating to the constitutionality of cross-border data transfers without public consent or parliamentary approval was filed at the Constitutional Court. The appellant challenged Article 56 of the 2022 Personal Data Protection Law. Article 56 of the Law regulates the transfer of personal data outside of Indonesia, permitting such transfers only if the destination country offers an equivalent or higher level of data protection, the data controller provides binding and adequate safeguards, or the data subject provides consent. The Law also requires data controllers to ensure that these conditions are met before allowing personal data to be transferred abroad. The appellant argued that allowing cross-border data transfers without public consent or parliamentary approval violates constitutional rights under the Constitution of Indonesia, specifically Article 28G (1), which guarantees the right to personal protection, and Article 1(2), which affirms that sovereignty belongs to the people. The appellant highlighted past data leaks, risks linked to artificial intelligence, and transfers to the United States that could increase the chances of loss of sovereignty. The appellant requested the Court to reinterpret the law to require either the consent of the data subject or an international agreement ratified by Parliament.