Sovereignty in the digital era is determined by who controls data.
Three months after President Prabowo Subianto signed a bilateral trade agreement with the United States without parliamentary deliberation, a member of Indonesia's House of Representatives has raised a measured but urgent alarm: the deal's digital provisions may have quietly traded away something more consequential than tariffs. Yulius Setiarto of Commission I argues that in an age when sovereignty is defined by who controls data and algorithms, Indonesia has bound itself to infrastructure it does not own, rules it did not write, and a notification requirement that constrains its freedom to partner with the world on its own terms. The warning is not that commerce is wrong, but that a nation's digital future cannot be bartered away in the fine print of a trade pact.
- A trade agreement already signed by President Prabowo now faces a reckoning — a sitting lawmaker is demanding full reevaluation before its digital provisions take hold.
- Article 3.2 compels Indonesia to enable seamless cross-border data flows while the country remains almost entirely dependent on American-owned digital infrastructure, creating a one-sided exposure of citizens' data.
- Article 3.4 bars Indonesia from demanding access to foreign source code or algorithms, leaving the nation unable to audit systems that shape public information, elections, and critical services.
- A notification clause requires Indonesia to alert Washington before signing digital agreements with other nations — effectively giving the US a veto over Indonesia's independent digital diplomacy.
- Indonesia's data protection agency exists only on paper, its national data center runs on temporary facilities, and the Cyber Security and Resilience Bill remains unfinished — leaving the country legally and technically exposed.
- Setiarto is calling for urgent implementing regulations, cross-institutional oversight bodies, and passage of the cybersecurity bill before the agreement activates — framing inaction as a surrender of digital self-governance.
On May 15th, Yulius Setiarto, a member of Indonesia's House of Representatives serving on Commission I, issued a pointed challenge to a trade agreement his own government had already signed. The deal between Indonesia and the United States, concluded by Presidents Prabowo and Trump in February without parliamentary input, had passed quietly. Now Setiarto was insisting it be looked at again — not because trade itself was the problem, but because the agreement's digital architecture, he argued, was built to serve American technology interests far more than Indonesian ones.
At the center of his concern was Article 3.2, which governs cross-border data flows. Its language promotes digital liberalization and smoother data movement — reasonable-sounding goals. But Setiarto saw a structural imbalance: Indonesia was obligated to ensure data moved freely, while remaining almost entirely dependent on foreign, largely American, digital infrastructure. The result, he argued, was that Indonesian citizens' data would flow outward into systems Indonesia neither controlled nor governed.
Article 3.4 compounded the problem by prohibiting Indonesia from requiring technology companies to disclose source code, algorithms, or proprietary systems as a condition of market access. Without that leverage, Indonesia had no way to audit whether foreign algorithms were biased, vulnerable, or being used to shape public perception. And Article 3.3 required Indonesia to notify the United States before entering digital trade agreements with other countries if American interests might be affected — a vague condition that Setiarto said would effectively constrain Indonesia's ability to pursue independent partnerships with China, India, or any nation Washington viewed as a rival.
Beneath all of this lay a deeper anxiety about sovereignty. Indonesia's legally mandated data protection agency had never been established. Its national data center still operated on temporary infrastructure. Cyberattacks were escalating globally, and Setiarto pointed to real-world precedents — including the 2015 Russian hack of Ukrainian power grids — as evidence that critical systems could be compromised. He noted the irony that President Prabowo had himself warned against foreign proxies destabilizing Indonesia, even as the agreement institutionalized a form of foreign digital control.
Setiarto's demands were concrete: accelerate technical regulations defining which data may cross borders, establish cross-institutional task forces to monitor transfers, give real enforcement power to the Personal Data Protection Law, and pass the Cyber Security and Resilience Bill before the agreement takes effect. The agreement was signed. The window to build safeguards around it, he warned, was closing.
On May 15th, Yulius Setiarto, a member of Indonesia's House of Representatives and part of Commission I, issued a stark warning about a trade agreement his own government had already signed. The Agreement on Reciprocal Trade between Indonesia and the United States, inked by President Prabowo Subianto and President Donald Trump on February 19th, had been executed without parliamentary debate or approval, Setiarto noted. Now, three months later, he was calling for a complete reevaluation—not because the deal was inherently bad, but because its digital provisions, he argued, had been written in a way that served American technology companies far more than Indonesian interests.
At the heart of Setiarto's concern was Article 3.2, which governs how data moves across borders between the two countries. The article promotes what sounds benign enough: digital liberalization, smoother data flows, innovation. But Setiarto, a member of the Indonesian Democratic Party of Struggle, saw something else. The arrangement was unbalanced. It obligated Indonesia to ensure that cross-border data transfers happened smoothly through reliable electronic systems, but it did so while Indonesia remained deeply dependent on foreign digital infrastructure—most of it American. This created what he called a subtle trap. Indonesia's citizens' data would flow freely to the United States, protected by systems Indonesia did not control, governed by rules Indonesia did not write.
The problem deepened when Setiarto examined Article 3.4, which prohibited Indonesia from requiring technology companies to hand over source code, algorithms, or proprietary knowledge as a condition of doing business in the country. While such a rule might attract investors and stimulate digital growth, Setiarto argued, it left Indonesia blind to how foreign algorithms might be biased, how they might fail, or how they might be weaponized. Without the ability to audit these systems, Indonesia had no way to protect itself from algorithmic harm or cybersecurity risks.
Then there was Article 3.3, which required Indonesia to notify the United States before signing digital trade agreements with any other country—if those agreements might affect American interests. The vagueness of that condition troubled Setiarto. It meant Indonesia's hands were tied. If the country wanted to deepen digital cooperation with China, or India, or any nation the United States deemed a competitor, it would first have to clear it with Washington. This, he said, would cripple Indonesia's ability to pursue its own strategic partnerships.
Setiarto's deepest worry, though, was about sovereignty itself. In the digital age, he argued, sovereignty is determined by who controls data. Indonesia did not control its own data. The country's digital infrastructure was foreign-owned. Its data protection agency, mandated by law, had never been established. Its national data center still ran on temporary facilities. Meanwhile, cyberattacks were no longer theoretical—they were real and escalating. He pointed to Russia's 2015 hack of Ukrainian power plants as proof that critical infrastructure could be compromised. The tensions between the United States and Iran, he noted, could easily spill over into Indonesian networks.
What made this worse was that foreign control over data and algorithms could be weaponized in subtler ways. Whoever controlled the algorithms controlled what people saw, what they believed, how they voted. This was not paranoia, Setiarto suggested—it was the logical endpoint of allowing foreign entities to govern your digital ecosystem. President Prabowo himself had warned about foreign proxies destabilizing the nation. Yet here was a trade agreement that essentially institutionalized foreign control.
Setiarto's prescription was specific and urgent. Before the agreement took effect, the government needed to accelerate the technical regulations defining which data could cross borders and which could not. It needed to establish cross-institutional task forces to monitor every data transfer. It needed to finally implement the Personal Data Protection Law with real teeth. And it needed to pass the Cyber Security and Resilience Bill—a piece of legislation still in discussion—to create a legal foundation for protecting vital infrastructure and ensuring that Indonesia's digital ecosystem could recover from attacks without collapsing into dependence on foreign rescue.
Without these steps, Setiarto warned, Indonesia would be signing away not just a trade advantage but the ability to govern itself in the digital realm. The agreement was already signed. The question now was whether the government would act before it was too late.
Citas Notables
The arrangement is unbalanced. It benefits US technology companies more, while risking harm to national interests.— Yulius Setiarto, Indonesian House member
Cyberattacks are no longer just a potential threat, but a real threat that must be anticipated as a matter of sovereignty.— Yulius Setiarto
La Conversación del Hearth Otra perspectiva de la historia
When you say the agreement was signed without parliamentary approval, does that mean it's not legally binding until the legislature votes?
That's the tension Setiarto is highlighting. The president signed it, but the House never debated or approved it. Technically, it may be binding under international law, but domestically, there's a legitimacy problem—and a practical one. The House can still push back, demand changes, or refuse to implement it.
But the real issue isn't the process. It's the content. What specifically makes Article 3.2 so dangerous?
It requires Indonesia to keep data flowing freely across borders while Indonesia has no control over the infrastructure that data travels through. Imagine your mail carrier is someone else's employee, working in someone else's building, following someone else's rules. You're obligated to keep sending letters, but you can't inspect the building or fire the carrier.
So the problem is asymmetry. The US gets access to Indonesian data, but Indonesia can't demand the same transparency in return.
Exactly. And it's worse than that. Indonesia can't even require US tech companies to show their source code or algorithms. So if an algorithm discriminates against Indonesians, or if it's been hacked, Indonesia has no legal right to know.
What about Article 3.3, the one requiring Indonesia to notify the US before signing deals with other countries?
That's the sovereignty trap. It sounds like a courtesy—just a notification requirement. But the phrase "if it affects US interests" is so broad it could mean almost anything. It gives the US a veto over Indonesia's digital partnerships without ever saying the word veto.
Is Setiarto arguing the agreement should be torn up, or just renegotiated?
He's calling for a reevaluation before it takes effect. He's not saying it's irredeemable, but he's saying Indonesia needs to build protections first—legal frameworks, infrastructure, oversight mechanisms—so that when data does flow, Indonesia isn't completely exposed.
And those protections don't exist yet?
Not really. The data protection agency hasn't been established. The national data center is temporary. The cybersecurity bill is still being discussed. Indonesia is being asked to open its doors while the house is still under construction.