ABSTRACT
This study examines the legal framework governing cross-border transfers of personal data in Indonesia, focusing on the lack of legal certainty and protection for data subjects. The current regulations are weak and liberal, lacking restrictions on the types of data that may be transferred abroad, clear parameters for data transfer requirements, and a dedicated state institution responsible for personal data protection. These shortcomings complicate law enforcement, particularly in personal data breaches involving Indonesian citizens abroad. This article proposes reconstructing the regulatory framework for cross-border data transfers by implementing data localisation requirements, limiting the transfer of sensitive data, and mandating international agreements between countries. Such restructuring aims to protect individuals' right to privacy, recognised as a fundamental human right, from public and private sectors' surveillance while facilitating law enforcement. Strengthening these conditions is essential for enhancing digital rights and ensuring robust personal data protection in Indonesia's rapidly evolving digital economy.
