The Brussels Effect: The Influence of the EU’s GDPR on Indonesia’s Personal Data Protection Law

In today’s data-driven society, digital governance is a critical topic in international relations, as it has emerged as one of the most pressing global challenges. With the rising concern over privacy, digital exploitation, and surveillance, the European Union (EU) has led the international community to establish strong data protection frameworks through the General Data Protection Regulation (GDPR). The GDPR, which has been enforced since 2018, not only controls data practices within the EU but also influences the international community’s digital policy due to its strong appeal (Mishova, 2024). This phenomenon is referred to as the “Brussels Effect” by Anu Bradford (2020), which explains how the EU regulatory standards cross boundaries and become worldwide standards.

This study looks at how Indonesia, a Southeast Asian country, used and adopted some GDPR-like ideas to create its Personal Data Protection (PDP) Law, which was passed in 2022 (Pujianti, 2023). This study uses the frameworks of Normative Power Europe (Manners, 2002) and Market Power Europe (Damro, 2012) to examine the political, economic, and institutional factors contributing to Indonesia’s partial alignment with GDPR standards. The main research question is, how does the EU influence digital governance in Indonesia through normative and market mechanisms? In doing so, the study demonstrates how Global South countries selectively internalize international rules despite geopolitical and institutional obstacles.

Ian Manners’ concept of Normative Power Europe (NPE) states that the EU’s power comes not from military or economic coercion, but from its ability to change global norms through persuasion, legitimacy, and example. The GDPR exhibits this normative power by including principles such as individual autonomy, consent, transparency, and human dignity into data protection regulations. According to NPE, when other countries willingly accept these rules, it demonstrates the EU’s soft power and worldwide moral authority. Chad Damro (2012), on the other hand, introduced Market Power Europe (MPE), emphasizing how the EU’s huge internal market serves as a source of external regulatory influence. Given that access to the EU market often requires compliance with EU standards, third countries and multinational firms adopt EU norms in order to remain competitive globally. The GDPR, with its extraterritorial clauses, exemplifies this dynamic by requiring non-EU players to adapt their data practices to maintain market access and legitimacy.

Both concepts contribute to an understanding of the Brussels Effect, a term defined by Bradford (2020) to describe the EU’s unilateral regulatory globalization. This study uses these two complementary viewpoints to investigate how Indonesia’s PDP Law reflects both normative attraction and strategic economic alignment with EU data governance.

GDPR and Indonesia’s PDP Law

The GDPR, enforced since May 25, 2018, is a comprehensive regulation aimed at standardizing data protection across the EU and giving individuals more control over their personal data. Its scope extends beyond the EU through its extraterritorial provision (Article 3), which requires any business managing EU residents’ data, regardless of location, to comply with GDPR (European Union, 2016). The key principles include lawfulness, fairness, purpose limitation, data minimization, consent, and data subject rights.

Indonesia’s Personal Data Protection Law (Law No. 27/2022), enacted on October 17, 2022, is a significant step forward in the country’s digital transformation. The law defines personal and sensitive data, demands explicit user agreement, requires data controllers to notify breaches, and specifies consequences for noncompliance (Yudhi Prasetyo, Reza Aminy, 2024).

The GDPR’s influence is clear. Law in Indonesia—DLA Piper Global Data Protection Laws of the World (2022) states that “PDP Law is closely aligned with the international data privacy standards and is largely modeled on the EU’s GDPR.” It also notes that, in previous informal discussions with officials from the Ministry of Communication and Informatics, the GDPR was consistently cited as a model for personal data protection. This consistent reference helps explain why several provisions from the GDPR have been incorporated into Indonesia’s PDP Draft Law (Carl & Wirabuana, 2020). Moreover, Meutya Hafid, Indonesia’s Minister of Communication and Digital Affairs, emphasized the importance of aligning with global standards by stating that “126 countries already have primary regulations in the field of personal data protection, including ASEAN countries such as Singapore, the Philippines, Malaysia, and Thailand.” She further noted that the drafting of Indonesia’s Personal Data Protection (PDP) Bill would draw on international models, including the European Union’s GDPR (Irman, 2021).

Analysis: Evidence of the Brussels Effect in Indonesia

Normative Influence: The GDPR’s appeal as a rights-based, globally acknowledged data framework inspired both the language of the PDP Law and the broader discourse on digital rights in Indonesia. SAFEnet and the Institute for Policy Research and Advocacy (ELSAM) urged politicians to take a legal approach based on user rights, citing direct parallels to GDPR terminology (ELSAM, n.d.). Their policy papers, which were submitted to the government and distributed throughout public consultations, emphasized the need for enforced consent, surveillance protection, and public transparency, all of which are basic GDPR principles. In legislative meetings, the Ministry of Communication and Information (Kominfo) officials stated that GDPR was a “reference point” for enhancing Indonesia’s credibility in global digital governance (Gultom et al., 2021). This suggests that European regulatory norms are being internalized voluntarily in order to promote legitimacy, rather than through compulsion.

Market Influence: Indonesia’s digital economy is rapidly expanding, estimated to be worth $70 billion in 2021 and $146 billion by 2025 (Ekon, 2022). Aligning with GDPR-like norms is critical for Indonesian technology companies seeking cross-border data transfers, particularly with European customers. As Indonesia negotiates a Comprehensive Economic Partnership Agreement (IEU-CEPA) with the EU, regulatory convergence on data is an important topic. Indonesian data processing businesses, such as Telkom and PrivyID, have stated that they are ready to meet GDPR regulations in order to obtain access to EU digital markets. This lends support to Damro’s MPE concept: the EU’s economic clout incentivizes foreign parties to freely embrace its laws.

Legal Harmonization and Institutional Adaptation: While Indonesia’s PDP Law incorporates several GDPR-like standards, full harmonization with the EU framework has not yet been achieved. A major point of divergence is the absence of an independent data protection authority. In contrast to the GDPR, which mandates the establishment of an impartial supervisory body to ensure accountability and prevent political interference (Article 52), Indonesia’s PDP Law initially placed enforcement responsibilities under the Ministry of Communication and Information Technology (Kominfo). This raised concerns about potential conflicts of interest and the lack of institutional independence. Recognizing this shortcoming, the Indonesian government moved forward in 2024 by drafting a presidential regulation to establish an independent supervisory body known as the Personal Data Protection Agency (PDP Agency) (Admin, 2024). Designed to operate directly under the President rather than any ministry, the PDP Agency is tasked with overseeing the implementation of the PDP Law. Its responsibilities include policy formulation, compliance supervision, enforcement of administrative sanctions, and dispute resolution. This development signals Indonesia’s intent to align more closely with GDPR standards and strengthen the credibility of its data governance regime (Fitrianggraeni & Jovenia, 2025).

Challenges to the Brussels Effect

Despite the strong GDPR influence, Indonesia’s regulatory landscape remains hybrid. Other worldwide models, such as South Korea’s Personal Information Protection Act (PIPA) and China’s Personal Information Protection Law (PIPL), are also useful references, particularly in terms of data localization and state access. Furthermore, Indonesia’s strategic balance with China, the United States, and the European Union complicates full convergence (Indonesia Data Localization: Everything You Must Know, 2024). China’s investments in cloud infrastructure, along with the dominance of US-based platforms such as Meta and Google, make a full commitment to EU-style regulations problematic. Institutional capacity is another constraint. Enforcement remains fragmented, and data literacy among public officials and the broader public continues to evolve. This makes full compliance with sophisticated GDPR-like criteria an ongoing problem.

Conclusion

Indonesia’s PDP Law exemplifies how the Brussels Effect works in practice: EU regulatory principles are selectively adopted based on normative appeal, economic incentives, and international credibility. While Indonesia has not fully complied with the GDPR, essential features of the PDP Law demonstrate both Normative Power Europe and Market Power Europe in action. This case adds to the growing literature on global regulatory diffusion by demonstrating the many ways in which developing countries navigate external influence while achieving digital sovereignty.

Farah Muna Safa Taqiya
I am Farah Muna Safa Taqiya, an undergraduate student of International Relations at Gadjah Mada University. I am passionate about studying international social-political issues and I enjoy expressing and sharing insights through my writings.