The ASEAN Model Contractual Clauses (“ASEAN MCCs“) are contractual terms and conditions that may be voluntarily adopted by companies as a legal basis for the cross-border transfer of data. The ASEAN MCCs are primarily designed for transfers of personal data between ASEAN nations, but can also be adapted with appropriate modifications for data transfers between businesses within Singapore or transfers to countries outside the Association of Southeast Asian Nations (ASEAN).
While the adoption of the ASEAN MCCs is voluntary, it will fulfil the transfer limitation obligation under the Singapore Personal Data Protection Act (PDPA), and it is encouraged by the Personal Data Protection Commission of Singapore (PDPC).
This is a welcome development. Practically, it increases time and cost efficiency for businesses in the form of reduced compliance and negotiation costs. At the same time, businesses should be mindful not to blindly adopt the ASEAN MCCs and to tailor the ASEAN MCCs according to the context and countries involved.
- Key takeaways
- Practical implications for businesses
- The ASEAN MCCs are designed to provide guidance and baseline considerations for cross-border transfers of data that are compliant with ASEAN member states’ laws.
- The adoption of the ASEAN MCCs is voluntary. Parties are free to use any other valid data-transfer mechanisms recognized within ASEAN.
- Parties may adapt and modify the ASEAN MCCs at their discretion to the specific context of the agreement.
- The Singapore PDPC has published “Guidance For Use of ASEAN Model Contractual Clauses For Cross Border Data Flows In Singapore,” which lists four key clarifications and amendments on how the ASEAN MCCs should be tailored to suit Singapore’s PDPA.
On 22 January 2021, the ASEAN digital ministers’ meeting approved, among others, the adoption of the ASEAN MCCs.
A controller or a processor from an ASEAN member state (AMS) may transfer personal data to another AMS only if it has implemented the necessary safeguards as required by AMS laws. The ASEAN MCCs are designed to provide such safeguards for cross-border transfers of data that are compliant with AMS laws. They set out baseline responsibilities, necessary personal data-protection measures, and obligations of the parties to safeguard the data of data subjects.
The ASEAN MCCs embody fundamental principles of data protection including:
- Lawful/Legal basis for collection, use and disclosure
- Baseline data protection clauses
- Data breach notification
The ASEAN MCCs provide two modules for use in two common transfer scenarios, based on the relationship between the parties.
- The first module contemplates Controller-to-Processor Transfer. It is intended for data transfers from an organization to an intermediary processing data on behalf of the transferring organization, and onward transfers to downstream data processors. Common examples are data transfers between an e-commerce platform and delivery or logistics service providers, and data transfers between an employer and a company providing payroll administration services.
- The second module contemplates Controller-to-Controller Transfer. It is intended for data transfers from one organization to another organization receiving the transferred data for its own purposes. Examples of common business relationships that undertake this type of data transfer include the sale of advertising databases and cross-border data licensing.
The contractual provisions may be modified according to the nature of the relationship with the other party or the purpose of the contemplated transfer of data.
The adoption of the ASEAN MCCs is voluntary. Parties are free to use any other valid data-transfer mechanisms recognized within ASEAN. For compliance with Singapore’s PDPA, this can include binding corporate rules and certifications under the Asia Pacific Economic Cooperation Cross Border Privacy Rules System and the Asia Pacific Economic Cooperation Privacy Recognition for Processors System.
Practical implications for businesses
Practically, the launch of the ASEAN MCCs aids businesses, in particular, small and medium enterprises, by reducing negotiation and compliance costs. It also increases time efficiency while maintaining personal data protection when data is transferred across borders.
While the ASEAN MCCs were primarily designed for intra-ASEAN data transfers, businesses can also adapt the ASEAN MCCs with appropriate modifications at their discretion for transfers between businesses within Singapore, or transfers to countries outside ASEAN, especially for countries with data-protection regimes based on the APEC Privacy Framework or OECD Privacy Guidelines.
However, parties should not blindly adopt the ASEAN MCCs. In fact, it is crucial to note that the adoption of the ASEAN MCCs does not guarantee compliance with national data-protection laws. The ASEAN MCCs contain optional clauses that may be adapted to suit specific national law requirements. In this regard, the Singapore PDPC has published “Guidance For Use of ASEAN Model Contractual Clauses for Cross Border Data Flows In Singapore,” which lists four key clarifications and amendments on how the ASEAN MCCs should be tailored to suit Singapore’s PDPA. Parties are also not precluded from adding clauses, by written agreement, as appropriate for their commercial or business arrangements so long as they do not contradict the MCCs.
For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.
Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.