DENNY RAHMANSYAH AND AGUNG KURNIAWAN SIHOMBING After almost a decade of discussion, Indonesia finally passed its personal data protection law in September 2022. Law No. 27 of 2022 dated 17 October 2022, regarding Personal Data Protection (PDP Law) becomes Indonesia’s umbrella regulation for personal data protection, both in electronic and non-electronic form. The PDP Law also applies extraterritorially to any personal data processing that has an impact in Indonesia and/or affects Indonesian citizens outside of Indonesia’s jurisdiction. Consisting of 16 chapters and 76 articles, the PDP Law regulates the main principles of personal data protection, the rights of personal data subjects, and the obligations of Personal Data Controllers (Data Controller) and Personal Data Processors (Data Processor). It also regulates sanctions (administrative and criminal) for violations of the law. Despite being a comprehensive regulation, most of the provisions of the PDP Law require implementing regulations to be fully implemented. The PDP Law provides a two-year transitional period, beginning 17 October 2022, for Data Controllers, Data Processors, and other parties involved in data processing activities to adjust their data processing practices to the requirements under the PDP Law. One of the provisions in the new law that lacks clarity concerns cross-border data transfers, an issue of great importance in the digital age. Noting the lack of clarity in the PDP Law, this article will provide a brief overview of the current practice applicable under MOCI Reg. 20/2016 and offer a comparison with the General Data Protection Regulation (GDPR) of the European Union (EU), which was referred to heavily during the drafting of the PDP Law. Personal Data Under The PDP Law...