Aspiring for harmonization: ASEAN’s model clauses for data transfers

The Association of Southeast Asian Nations (ASEAN) Digital Ministers’ Meeting recently approved the Model Contractual Clauses for Cross Border Data Flows (MCCs). The MCCs provide a set of recommended contractual provisions for cross-border transfers of personal data within the ASEAN region. This is akin to the Standard Contractual Clauses (SCCs) prepared by the EU for the EEA, the current version of which is undergoing significant changes. This article compares the MCCs and the SCCs, focusing on the scope of the model clauses and their compliance with regional data privacy laws. The article also provides an analysis of the impact of the MCCs on ASEAN countries.

Introduction

On 22 January 2021, the Association of Southeast Asian Nations (ASEAN) Digital Ministers' Meeting approved the Model Contractual Clauses for Cross Border Data Flows (the MCCs)1, which are a set of recommended template contractual provisions organizations can voluntarily choose to incorporate as part of their legal arrangements in relation to cross-border transfers of personal data in the ASEAN region. The MCCs are designed to ensure that personal data transferred from one ASEAN jurisdiction to another will continue to be processed in accordance with the data protection laws that apply to the first ASEAN jurisdiction.

The purposes of the MCCs align with those of other international frameworks on data transfer template clauses, such as the European Union’s (EU) current version of the Standard Contractual Clauses (the SCCs). In comparison, the SCCs are a legal mechanism set out in the EU’s General Data Protection Regulation (GDPR) aimed at ensuring the lawful and secure transfer of personal data from the European Economic Area (EEA) to non-EEA jurisdictions.

This current version of the SCCs, however, is undergoing significant changes. In November 2020, the European Commission (the EC) published a new set of draft Standard Contractual Clauses for transferring personal data2 for public consultation following the Court of Justice of the European Union’s (CJEU) decision in Schrems II3. In that case, the CJEU determined that, among other things, this current version of the SCCs was valid as a mechanism for data transfers provided they are subject to the adoption of additional safeguards. As such, these new SCCs are intended not only to modernize the current version, but also to address the CJEU’s decision and have these additional safeguards "built-in." Once approved, this new set of SCCs will replace the current version of the SCCs.

In this article, we do not provide a comprehensive analysis of the new SCCs, but instead focus on key points of comparison between the SCCs and the MCCs.

The MCCs and the new draft SCCs

MCCs

The MCCs comprise two models: one that relates to transfers of personal data between data controllers (whereby the transferor and the transferee will separately control their own processing of the data) and one that relates to transfers by a data controller to a data processor (whereby the data processor will only process the data in accordance with the data controller's instructions and not for its own separate purposes). Accordingly, the two versions of provisions under the MCCs address transfers of personal data from a data controller only, but not transfers from a data processor. The current SCCs are similarly comprised of two different versions that reflect these transfer scenarios, but the new SCCs also address transfers by data processors.

The MCCs are a voluntary set of provisions organizations can choose to incorporate as part of their legal arrangements for data transfers. A key concept to bear in mind, however, is that the application of the MCCs does not ensure compliance with all data protection regulations across the ASEAN region, and that amendments or additions may be required to address specific requirements that apply in certain ASEAN jurisdictions. Also, as the MCCs are voluntary, organizations may choose to use other methods to achieve compliant data transfers instead of the MCCs.

SCCs

The SCCs are one of the mechanisms that organizations can utilize under the GDPR for cross-border data transfers. Whilst they are only one of various mechanisms that organizations can use, given their ease of implementation, they are frequently deployed by organizations to ensure compliance with the GDPR's data transfer requirements.

Like the MCCs, organizations can incorporate the SCCs as part of their legal arrangements and incorporate safeguards in addition to the protections provided under the SCCs. However, in contrast to the MCCs, such additions may not be included if they contradict the provisions of the SCCs or prejudice data subject rights. The rationale for this is that the SCCs are designed to facilitate transfers from controllers and processors established in the EU to controllers and processors in third countries that do not offer an adequate level of protection to ensure that the data remains protected in that third country.

Unlike the current SCCs and the MCCs, the new SCCs adopt a modular approach that allows organizations to tailor the provisions to address four transfer scenarios: (a) controller-to-controller; (b) controller-to-processor; (c) processor-to-processor; and (d) processor-to-controller. The EC has stated that this modular approach is intended to modernize the approach to contracting and to more accurately reflect the contemporary nature of data processing and transfer arrangements. This approach to modernization is reflected in the addition of the new "docking clause" that adds greater flexibility for organizations by allowing more than two parties to adhere to the contract and additional third parties to accede to it as data exporters or data importers, which is useful in reducing the need for organizations to enter into multiple agreements.

The new SCCs have also been updated in a number of other ways, including to account for the uncertainty regarding the status of the current SCCs following the CJEU's decision in Schrems II and to address the impact of a third country's laws on the data controller's or data processor's contractual obligations. For example, there are new obligations relating to the adoption of specific safeguards to address any effects of the laws of the third country on the data importer's compliance with the SCCs and dealing with requests from public authorities in the third country for disclosure of the personal data transferred.

Analysis and impact of the MCCs

In general, the obligations imposed on the data processor under the controller-to-processor MCCs broadly reflect the requirements under existing ASEAN member state privacy laws, such as only processing data in accordance with the data controller's instructions and implementing appropriate security arrangements.

However, some of the provisions in the controller-to-processor MCCs represent "over-compliance" by imposing additional restrictions on data transfers that exceed ASEAN member state local law requirements. For example, the MCCs require, by default, the data controller to obtain the data subject's consent to the data transfer. Where such consent is not required under local laws or if such consent is revocable, then agreeing to this requirement could pose challenges for data controllers. Also, the "Additional Terms for Individual Remedies" section provides data subjects with direct rights of enforcement of the clauses against the parties (and sub-processors), which is another concept under the MCCs that does not align with ASEAN member state local laws. ASEAN member state laws do, in many cases, regulate international transfers of personal data, but do not require direct rights of enforcement by data subjects. Accordingly, in practice, the inclusion of these provisions is likely to encounter commercial resistance from both data controllers and data processors.

The controller-to-controller MCCs are more straightforward as they broadly align with the approaches taken generally across ASEAN member states, namely that obligations are primarily imposed on data controllers with regard to their engagement of data processors and that there is little regulation of controller-to-controller data transfers. This is reflected in the fact that many of the provisions in the controller-to-controller MCCs are expressed to be optional. Nonetheless, the controller-to-controller MCCs do include certain provisions that would, in practice, create some challenges for data controllers, such as the inclusion of the "Additional Terms for Individual Remedies" section, thus reducing the likelihood of their inclusion in the parties' commercial arrangements.

In light of the "patchwork" nature of privacy laws across the ASEAN region that have varying standards, it is inherently impractical, if not impossible, to have a "one size fits all" set of template data transfer clauses that are fully compliant across the region. Accordingly, the structuring of the MCCs as an opt-in model reflects this practical reality of the ASEAN data protection regime. The MCCs broadly align with the considerations that are prevalent under existing market practice among organizations in the ASEAN region. They represent a significant step towards conforming the regulation of data transfers in the ASEAN region and provide a good starting point to help parties identify key issues when transferring personal data across borders. As most of the MCC clauses are optional, organizations are given greater flexibility to negotiate practical considerations and risk allocations.

Given the voluntary nature of the MCCs and the built-in default over-compliance, the extent to which organizations will actually incorporate them, as drafted, into their commercial agreements remains to be seen. It is likely that organizations will continue to agree or negotiate bespoke contractual arrangements to address their requirements for each specific commercial engagement and to comply with the applicable local law requirements for the data transfers rather than seeking to incorporate provisions that are not mandatory in the relevant jurisdictions.

Authored by Mark Parsons and Anthony Liu