Government Regulation No. 71 of 2019 on the Implementation of Electronic Systems and Transactions classifies electronic system operators into two categories: public electronic system operators and private electronic system operators. Public electronic system operators must process and store personal data only in Indonesia. In contrast, private electronic system operators (such as a cloud service provider) may process and store personal data offshore. However, under Law No. 27 of 2022 on Personal Data Protection ("PDP Law"), the data controller/electronic system operator may transfer personal data to other data controllers and/or data processors outside the jurisdiction of Indonesia if any of the following can be fulfilled:

1. The country of domicile of the data controller and/or the data processor that receives the transfer of personal data has a personal data protection level that is equal to or higher than those that are regulated under this law.
2. The data controller must ensure that there is adequate and binding personal data protection.
3. The data controller must obtain the data subject's approval.

As such, based on the current PDP Law, the data controllers can still rely on the data subject's consent to an offshore data transfer. There is no strict requirement with respect to the country of the recipient having the same level of data protection as Indonesia, as this requirement can be waived if the data subject has consented to the offshore data transfer.