On 22 January 2021 the Association of Southeast Asian Nations (ASEAN) Digital Ministers' Meeting approved the ASEAN Data Management Framework (the DMF) and the Model Contractual Clauses for Cross Border Data Flows (the MCCs). The DMF initiative, led by Singapore, has the objective of developing a regional policy framework for data protection in the ASEAN economy, with a particular focus on the internet, a growth sector for ASEAN that is expected to exceed US$240 billion by 2025. It is clear that the DMF has its primary policy focus on economic development, as was the case with the 2004 APEC Data Privacy Framework, the 2016 ASEAN Framework on Personal Data Protection, and other regional data protection initiatives. The introductory section of the DMF notes expectations that much of ASEAN's projected economic growth will be driven by new and innovative business models and technologies that involve extensive sharing of personal data.
Trust in data governance practices is a key pre-condition to public confidence, and so an essential ingredient for continued growth.
The DMF aims to provide organizations in ASEAN with effective but practical tools for achieving data accountability. It should be noted that the DMF is a "full data lifecycle" framework covering a wide range of data protection issues (not just cross-border transfers), and that the DMF is intended to serve as a framework for processing of both personal and non-personal data.
The focus in this briefing is on the DMF's recommendations in relation to cross border transfers of personal data, including and in particular, the MCCs that have been produced as a template set of contract terms which organizations may wish to use in relation to such transfers.
Overview of the MCCs
The MCCs are a voluntary set of template contract terms which organizations may wish to adopt as part of legally binding contractual arrangements for transfers of personal data within the ASEAN region. ASEAN has not stated that use of the MCCs will ensure compliance with national data protection laws, and in fact the template includes optional clauses that will need to be tailored to specific national law requirements. In its guidance on the MCCs, ASEAN encourages organizations to check for local law guidance and templates and states that the MCCs are intended to help organizations identify issues arising in respect of cross border transfers and help achieve compliance with mandatory requirements. Organizations are free to use other methods to achieving compliant data transfers.
The overall objective of the MCCs is that data transferred from one ASEAN member state to another will continue to be processed in accordance with the data protection requirements of the first member state.
Controller-Controller and Controller-Processor MCCs
In line with other cross-border data transfer templates, such as the European Union's Standard Contractual Clauses (the SCCs), the MCCs distinguish transfers between "data controllers," in which case the transferor and the transferee will separately control their own processing of the data, and transfers by a data controller to a "data processor," which will only process the data in accordance with the data controller's instructions (and not for its own separate business purposes).
The Controller-Processor MCCs focus on undertakings given by the data processor to only process the data in accordance with the data controller's instructions and specific purposes set out in an appendix to the data transfer agreement. Restricting the purposes of processing is an essential feature of the importer's status as a data processor.
The Controller-Processor MCCs also deal with other common requirements of national data protection laws drawing the controller-processor distinction, such as an obligation to put in place reasonable and appropriate security measures, consistent with applicable laws in the exporting jurisdiction and an obligation on the data processor to cease processing the data once instructed to do so by the data controller.
It is fair to say, however, that the Controller-Processor MCCs also include provisions representing "over-compliance": i.e., obligations which are likely to exceed actual national law requirements and impose additional restrictions on transfers that are not found in the law. For example, in seeking to address the participation of ASEAN member states, which may not yet have regulations in place addressing cross border transfers, clause 2.1 sets a default that the data controller exporting the data to have obtained data subject consent to the transfer, a requirement which proves onerous and outright prohibitive of cross border transfers in practice if the consent is revocable. The Additional Terms providing direct rights of enforcement of the clauses against the parties to the agreement (and sub-processors) are another feature of the MCCs that we do not understand to have any basis in ASEAN member state laws and so will very likely encounter commercial resistance from data controllers and data processors alike.
At the same time, template clauses may leave out controls which, as a matter of market practice, data controllers seek to include in their legal terms and conditions with data processors. For example, clause 3.2 entitles the data processor to engage sub-processors on notice to the data controller. This is an area that is typically subject to negotiation between the data controller and the data processor. In many commercial arrangements, data controllers will insist on tighter controls on sub-processing than this – in some cases requiring prior consent or specifically listing in the agreement the designated sub-processors and sub-processing arrangements that are permitted under the arrangements.
The Controller-Controller MCCs are simpler than the Controller-Processor MCCs. The relatively streamlined approach reflects the fact that whilst most ASEAN data protection laws impose specific obligations on "data controllers" in respect of their engagement of third party data processors (and increasingly these laws regulate data processors directly), there is far less regulation of controller-to-controller transfers. It follows that many of the clauses set out in the Controller-Controller MCCs are marked as optional.
We can anticipate that there will be concerns, in some data transfer contexts, at least, with clauses that may attribute joint responsibility to data controllers. Clause 4 of the Controller-Controller MCCs require the controllers to agree that the parties have taken appropriate steps to determine the level of potential risk of data breaches involved in transferring the relevant data and agree and implement appropriate controls and security standards. The Controller-Controller MCCs are also equipped with terms prescribing direct rights of enforcement for data subjects. We can anticipate there will be commercial resistance to the use of the Controller-Controller MCCs, as ASEAN member state laws do not require these rights of enforcement.
The MMCs represent an important step forward to closer alignment of data protection policy in the ASEAN region. The general structure and approach of the MCCs is in line with existing market practice used by organizations to facilitate cross border data transfers in the region. We expect, however, that organizations will continue to use bespoke forms of contract and legal terms that closer track mandatory local law requirements and avoid "over-compliance."
Data protection law continues to be a "patchwork" across ASEAN and the wider Asia-Pacific region, including in respect of the regulation of cross border transfers. We recommend an approach to cross border transfer agreements that mandates a "reasonable high water mark" level of compliance that reflects mandatory requirements in most jurisdictions with comprehensive data protection laws, leaving room for specific treatment of transfers from jurisdictions with requirements exceeding this standard. This contracting structure avoids "over-compliance" and tailors the parties' legal obligations to the specific commercial context.