The Joint Guide to ASEAN Model Contractual Clauses (“MCCs”) and EU Standard Contractual Clauses (“SCCs”) (“Joint Guide”) was recently launched on 24 May 2023. For companies looking to transfer or receive consumer data from overseas partners in these regions, it provides a detailed comparison between the ASEAN MCCs and EU SCCs to aid in contractual negotiations on data transfers.
If your company does business in either or both regions, it may be helpful to incorporate certain model data protection clauses in your contractual arrangements to allow for the transfer of personal data across borders. Through their standardisation and pre-approval, model data protection clauses are “ready-made” and easy-to-implement tools. Both MCCs and SCCs also contain certain optional clauses that can be used where applicable.
This client update1 delves into 7 essential inquiries regarding the distinctions and resemblances between ASEAN MCCs and EU SCCs. We discuss the significance of these differences for your company and provide insights on how you can leverage the Joint Guide.
What are the ASEAN MCCs and how can they help you?
The ASEAN MCCs serve as a foundational set of contract provisions applicable to data exporters and importers across all ASEAN member states. Their primary objective is to offer adaptability within the principles outlined in the ASEAN Framework on Personal Data Protection. The MCCs can be modified to align with business requirements, provided that such amendments remain consistent with the principles of the ASEAN Framework on Personal Data Protection.
For Singapore-based entities, it can be applied in the following scenarios:
When can the ASEAN MCCs be used and why do they matter? | |
To fulfil the Transfer Limitation Obligation under the Personal Data Protection Act (“PDPA”). | Enable transfer of personal data out of Singapore;Section 26 of the PDPA limits the ability of an organisation to do so, except in accordance with requirements prescribed under the PDPA. |
To fulfil the Transfer Limitation Obligation under the PDPA for countries with data protection regimes based on the APEC Privacy Framework or OECD Privacy Guidelines. Businesses may adapt and modify the MCC at their discretion. | Enable transfer of data to APEC’s 21 member economies and OECD’s 38 member countries. |
What are the EU SCCs and how can they help you?
Under the General Data Protection Regulation (“GDPR”), the EU SCCs are standardised and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. They can be incorporated by controllers and processors into their contractual arrangements with other parties, for instance commercial partners.
For EU-based entities, it can be applied in the following scenarios:
When can the EU SCCs be used and why do they matter? | |
For both data controllers and processors, implementing the EU SCCs can aid in meeting the obligations outlined in the GDPR and the Data Protection Regulation applicable to EU institutions, bodies, offices and agencies. | Enable transfer of personal data within the EU economic area (“EEA”);The SCCs provide a coherent approach for the relationship between controllers and processors throughout the EEA;It can be used by public and private entities as well as by EU institutions, bodies, offices and agencies. |
To comply with the requirements of the GDPR for transferring personal data to countries outside of the EEA. | Enable transfer of personal data out of the EEA;The SCCs contain specific data protection safeguards to ensure that personal data continues to benefit from a high level of protection when transferred outside the EEA;They can be used by data exporters, without the need to obtain a prior authorisation. |
Purpose of the Joint Guide and future developments
There are two parts to the Joint Guide. At present, the published guide focuses on the similarities and differences between the ASEAN MCCs and the EU SCCs and was endorsed at the 3rd ASEAN Digital Ministers Meeting (ADGMIN) in February 2023.
Going forward, there are plans to release a second guide that will primarily focus on the implementation aspect. This is aimed at providing best practices from companies that meet the requirements of both sets of contractual clauses.
Both guides aim to assist companies that operate in both the ASEAN and EU regions in comprehending the similarities and distinctions between the contractual clauses relevant to each region. This will ultimately aid in ensuring compliance with the respective data protection laws of ASEAN and the EU. Moreover, the guides will simplify the process for companies to fulfill the requirements outlined in the contractual clauses.
This client update is designed to help. In it, we look at 7 key questions on the ASEAN MCCs and the EU SCCs that may potentially be relevant to multinational organisations and set out our general comments in respect of these questions.
7 key questions regarding the ASEAN MCCs and EU SCCs
- Can the ASEAN MCCs and EU SCCs be modified or supplemented with additional clauses to suit the needs of different commercial contracts?
With regards to the ASEAN MCCs, contractual parties may vary the clauses as long as these amendments do not undermine the ASEAN Principles on Data Protection and are consistent with existing ASEAN member state laws.
With regards to the EU SCCs, these may not be altered. As long as the parties do not change the text of the SCCs, they can be relied on as a transfer instrument without having to obtain authorisation from a national data protection authority as they are standardised and pre-approved.
Our Comments. While the EU SCCs cannot be altered, additional clauses may be added insofar as providing safeguards as long as these clauses do not contradict the EU SCCs or prejudice the rights of individuals. It is crucial to exercise caution when making modifications to the ASEAN MCCs and adding supplementary clauses to the EU SCCs in order to maintain validity and prevent any potential contradictions. Clyde & Co will be available to provide assistance and guidance in this regard.
- What is the applicable law that will govern the ASEAN MCCs and EU SCCs?
For the ASEAN MCCs, parties may select the applicable law according to which the contract will be interpreted and are advised to use the laws of one of the countries involved in the data transfer.
For the EU SCCs, parties are required to select the law of one of the EU countries that provides for third-party beneficiary rights as applicable law. If the data importer is a processor, this should, in principle, be the law of the country where the data exporter is established.
Our Comments. For both the ASEAN MCCs and EU SCCs, the parties have to indicate which law will govern the application of the clauses. For the SCCs, the law chosen has to be that of an EU member country and this choice is subject to specific conditions. A comprehensive assessment should be conducted to evaluate the appropriateness of the governing jurisdiction for your contractual requirements, as selecting an unsuitable jurisdiction may have unfavorable consequences.
- Is the transferred data required to be accurate under the ASEAN MCCs and EU SCCs?
For the ASEAN MCCs, data accuracy is not a requirement for adoption of the model clauses. However, both parties may agree to an optional clause whereby only the data exporter has to ensure the accuracy of the data.
For the EU SCCs, both the data exporter and the data importer are required to ensure that the personal data is accurate and up to date. The obligations include notifying each other if they become aware of any inaccurate or outdated data, and erasure or rectification of such data without delay
Our Comments. Adding an optional clause for the ASEAN MCCs could be advantageous, particularly when the accuracy of specific data components is crucial from a commercial perspective for processing and generating accurate results.
- Is it mandatory to specify and limit the purposes of processing under the ASEAN MCCs and EU SCCs?
Both contractual parties are required to describe the purpose of the transfer and subsequent processing in an annex to the clauses under the ASEAN MCCs and EU SCCs. However, while it is a mandatory clause under the EU SCCs, it is optional under the ASEAN MCCs for the data importer to commit to the principle of processing the data only for those purposes.
Our Comments. For the EU SCCs, while purpose limitation is mandatory, there can be certain exceptions whereby the data importer may still process the data if (i) it obtains the individual’s consent, (ii) the processing is necessary to establish, exercise or defend legal claims (e.g., in judicial proceedings) or (iii) this is necessary to protect the vital interests of an individual. These principles are derived from the legal bases to justify collection, handling, and/or storage of people’s personal data under the GDPR. Clyde and Co can help evaluate whether your business’s contractual requirements can leverage on these exceptions.
- What are the security and confidentiality requirements under the ASEAN MCCs and EU SCCs?
For both the ASEAN MCCs and the EU SCCs, the parties have to put in place appropriate measures to ensure security of the data, including protecting it against data breaches. Specific requirements are also included for the notification by the data importer of data breaches. Under the ASEAN MCCs, parties are required to take appropriate steps to determine the level of risk of data breaches and consider the suitable security measures, in order to manage such risk through appropriate controls and security standards. Under the EU SCCs, parties are also required to agree on appropriate technical and organisational measures to ensure the security of personal data.
Our Comments. The definition of an acceptable level of security standard and a reasonable level of control, which avoids negligence, differs in various jurisdictions. In Singapore, the enforcement decisions published by the Personal Data Protection Commission (“PDPC”) and the PDPC guides to data protection practices offer an insight on how the PDPC deems what an acceptable level of security standard should be. It is recommended to seek legal advice to ascertain the appropriate level of security safeguards and measures.
- What are the transparency obligations under the ASEAN MCCs and EU SCCs?
Under the ASEAN MCCs, the data exporter is responsible for ensuring that, where there is no other legal basis for the collection, use, disclosure or transfer of the data, the data subject has been notified of and has given consent to the transfer of his/her personal data. Under the EU SCCs, the GDPR sets out the transparency obligations of the data exporter. The data importer has an obligation to inform data subjects of its identity and contact details, the categories of personal data transferred, their right to obtain a copy of the clauses and intended onward transfers.
Our Comments. Under the EU SCCs, individuals have a right to obtain a copy of the SCCs and contractual parties may redact parts of the clauses if they contain confidential information. However, such redactions are required to be explained to the individual with a meaningful summary, if it would otherwise not be possible to understand the content.
This is a key difference from the ASEAN MCCs, whereby data subject rights are generally dependent on domestic legislation and are provided as optional clauses. If your business operates in both regions and needs to adhere to both the ASEAN MCCs and the EU SCCs, one might wish to consider structuring the optional clauses of the ASEAN MCCs in a manner that aligns with the GDPR requirements. However, it is recommended to seek legal advice for further customisation and refinement. - What are the dispute resolution requirements under the ASEAN MCCs and EU SCCs?
The ASEAN MCCs allow parties to identify an alternative dispute resolution method while the EU SCCs require disputes to be resolved in the courts of an EU country which parties have to specify. In addition, the EU SCCs make reference to the liability of the parties towards each other.
Our Comments. While parties have the freedom to choose the method of dispute resolution under the ASEAN MCCs, parties utilising the ASEAN MCCs should carefully consider utilising dispute resolution venues within the region, especially when data is being exported from an ASEAN member state. In contrast, under the EU SCCs, any disputes arising from the SCCs must be exclusively resolved by the courts of an EU country. It is necessary to specify this requirement in the SCCs since the parties bear liability for damages in the event of a breach of the contractual obligations.
Concluding Words
The Joint Guide demonstrates that the ASEAN MCCs generally offer more flexibility compared to the EU SCCs. However, it is crucial to exercise caution when utilising this flexibility, as making inappropriate modifications to the clauses, governing law, or dispute resolution mechanism could result in unfavorable outcomes for one or both contractual parties involved. On the other hand, the EU SCCs typically impose stricter requirements, primarily derived from the GDPR. Therefore, when companies engage in business activities in both regions and need to comply with both the ASEAN MCCs and EU SCCs, one may consider prioritising the EU SCCs as the primary reference point to meet its mandatory GDPR obligations. Subsequently, it is possible to make necessary adjustments and amendments to the ASEAN MCCs in order to ensure compliance.