In brief

The ASEAN Model Contractual Clauses (“ASEAN MCCs”) are contractual terms and conditions that may be voluntarily adopted by companies as a legal basis for the cross-border transfer of data. The ASEAN MCCs are primarily designed for transfers of personal data between ASEAN nations, but can also be adapted with appropriate modifications for data transfers between businesses within Singapore or transfers to countries outside the Association of Southeast Asian Nations (ASEAN).

While the adoption of the ASEAN MCCs is voluntary, it will fulfil the transfer limitation obligation under the Singapore Personal Data Protection Act (PDPA), and it is encouraged by the Personal Data Protection Commission of Singapore (PDPC). 

This is a welcome development. Practically, it increases time and cost efficiency for businesses in the form of reduced compliance and negotiation costs. At the same time, businesses should be mindful not to blindly adopt the ASEAN MCCs and to tailor the ASEAN MCCs according to the context and countries involved.


Contents

  1. Key takeaways
  2. Background
  3. Practical implications for businesses

Key takeaways

  • The ASEAN MCCs are designed to provide guidance and baseline considerations for cross-border transfers of data that are compliant with ASEAN member states’ laws.
  • The adoption of the ASEAN MCCs is voluntary. Parties are free to use any other valid data-transfer mechanisms recognized within ASEAN.
  • Parties may adapt and modify the ASEAN MCCs at their discretion to the specific context of the agreement.
  • The Singapore PDPC has published “Guidance For Use of ASEAN Model Contractual Clauses For Cross Border Data Flows In Singapore,” which lists four key clarifications and amendments on how the ASEAN MCCs should be tailored to suit Singapore’s PDPA.

Background

On 22 January 2021, the ASEAN digital ministers’ meeting approved, among others, the adoption of the ASEAN MCCs. 

A controller or a processor from an ASEAN member state (AMS) may transfer personal data to another AMS only if it has implemented the necessary safeguards as required by AMS laws. The ASEAN MCCs are designed to provide such safeguards for cross-border transfers of data that are compliant with AMS laws. They set out baseline responsibilities, necessary personal data-protection measures, and obligations of the parties to safeguard the data of data subjects.

The ASEAN MCCs embody fundamental principles of data protection including:

  • Lawful/Legal basis for collection, use and disclosure
  • Baseline data protection clauses
  • Data breach notification

The ASEAN MCCs provide two modules for use in two common transfer scenarios, based on the relationship between the parties.

  • The first module contemplates Controller-to-Processor Transfer. It is intended for data transfers from an organization to an intermediary processing data on behalf of the transferring organization, and onward transfers to downstream data processors. Common examples are data transfers between an e-commerce platform and delivery or logistics service providers, and data transfers between an employer and a company providing payroll administration services.
  • The second module contemplates Controller-to-Controller Transfer. It is intended for data transfers from one organization to another organization receiving the transferred data for its own purposes. Examples of common business relationships that undertake this type of data transfer include the sale of advertising databases and cross-border data licensing.

The contractual provisions may be modified according to the nature of the relationship with the other party or the purpose of the contemplated transfer of data.

The adoption of the ASEAN MCCs is voluntary. Parties are free to use any other valid data-transfer mechanisms recognized within ASEAN. For compliance with Singapore’s PDPA, this can include binding corporate rules and certifications under the Asia Pacific Economic Cooperation Cross Border Privacy Rules System and the Asia Pacific Economic Cooperation Privacy Recognition for Processors System.

Practical implications for businesses

Practically, the launch of the ASEAN MCCs aids businesses, in particular, small and medium enterprises, by reducing negotiation and compliance costs. It also increases time efficiency while maintaining personal data protection when data is transferred across borders.

While the ASEAN MCCs were primarily designed for intra-ASEAN data transfers, businesses can also adapt the ASEAN MCCs with appropriate modifications at their discretion for transfers between businesses within Singapore, or transfers to countries outside ASEAN, especially for countries with data-protection regimes based on the APEC Privacy Framework or OECD Privacy Guidelines.

However, parties should not blindly adopt the ASEAN MCCs. In fact, it is crucial to note that the adoption of the ASEAN MCCs does not guarantee compliance with national data-protection laws. The ASEAN MCCs contain optional clauses that may be adapted to suit specific national law requirements. In this regard, the Singapore PDPC has published “Guidance For Use of ASEAN Model Contractual Clauses for Cross Border Data Flows In Singapore,” which lists four key clarifications and amendments on how the ASEAN MCCs should be tailored to suit Singapore’s PDPA. Parties are also not precluded from adding clauses, by written agreement, as appropriate for their commercial or business arrangements so long as they do not contradict the MCCs.

*****

For further information and to discuss what this development might mean for you, please get in touch with your usual Baker McKenzie contact.

Baker McKenzie Wong & Leow is a member firm of Baker & McKenzie International, a global law firm with member law firms around the world. In accordance with the common terminology used in professional service organizations, reference to a “partner” means a person who is a partner or equivalent in such a law firm. Similarly, reference to an “office” means an office of any such law firm. This may qualify as “Attorney Advertising” requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Author

Andy Leck is the managing principal of Baker McKenzie Wong & Leow. Mr. Leck is recognised by the world’s leading industry and legal publications as a leader in his field. Asian Legal Business notes that he “always gives good, quick advice, [is] client-focused and has strong technical knowledge for his areas of practice”. Alongside his current role as managing principal, Mr. Leck has held several leadership positions in the Firm and externally as a leading IP practitioner. He currently serves on the International Trademark Association's Board of Directors and is a member of the Singapore Copyright Tribunal.

Author

Ren Jun is an associate principal of Baker & McKenzie.Wong & Leow. Ren Jun extensively represents local and international intellectual property-intensive clients in both contentious and non-contentious IP matters, such as anti-counterfeiting; civil and criminal litigation; commercial issues; regulatory clearance; and advertising laws. Ren Jun also advises on a wide range of issues relating to the healthcare industries. These include regulatory compliance in respect of drugs, medical devices, clinical trials, health supplements and cosmetics; product liability and recall; and anti-corruption. Ren Jun is currently a member of the Firm's Asia Pacific Healthcare ASEAN Economic Community; Product Liability and Regulatory Sub-Committees.

Author

Arwen is a local principal in the Firm's Intellectual Property and Technology (IPTech) Practice Group in Singapore. She is a member of the Law Society of Scotland, and has been admitted to practice in Scotland since 2004. Arwen worked as an intellectual property and technology lawyer in the UK and Europe before relocating to Asia in 2014 and has since worked in both Singapore and Hong Kong, advising on matters across both Asia Pacific and Europe. Arwen is recognised in Legal 500 (2020) as "commercial, pragmatic and personable" for the TMT sector.

Author

Abe is a principal in our Singapore office. His main areas of practice include patents, trade secrets, copyright, and transactional IP for international and domestic clients. With over eleven years of legal experience as a lawyer and over ten years of technical experience as an engineer in the US and Canada, Abe is able to provide commercially oriented legal and technology-specific advice on a wide range of IP issues. Before joining our Singapore office in 2016, Abe was a lawyer in our Baker McKenzie offices in the US (where he passed the US patent bar examination and qualified as a US Registered Patent Attorney (limited recognition)) and Thailand.