On 22 January 2021, it was announced that the Association of Southeast Asian Nations (ASEAN) had approved the new Data Management Framework (DMF) and Model Contractual Clauses for Cross Border Data Flows (MCCs).
ASEAN was established in 1967 with the key aim of improving economic growth and social progress, and collaboration and mutual assistance in South East Asia, amongst other things. There are currently ten member states of ASEAN (AMS), namely Singapore, Brunei, Cambodia, Indonesia, Lao, Malaysia, Myanmar, Philippines, Thailand and Vietnam.
The DMF and MCCs were developed to help harmonise the standards on cross-border data flows and data governance practices across the region. Adoption of the DMF and MCCs is not mandatory. However, AMS are encouraged to promote compliance with the DMF and MCCs by businesses in their respective jurisdictions. To this effect, The Singapore Data Protection Commission immediately issued additional guidance for organisations in Singapore on the use of the MCCs on 22 January 2021. Other AMS are expected to follow suit.
Data Management Framework
The DMF is designed to provide practical guidance for all private sector businesses operating in any AMS, including small- and medium-sized enterprises, and help them implement a data management system based on good management practices and fundamental principles, using a risk-based methodology. The role of DMF is to provide transparency and confidence to both individuals and foreign companies, in the hope of furthering business opportunities, particularly in the digital space.
There are six foundational components of the DMF that cover the entire data life cycle and require companies to take measures as set out below:
Model Contractual Clauses for Cross Border Data Flows
The MCCs are standard contractual terms and conditions that are recommended in agreements relating to the cross-border transfer of personal data between businesses in the region, and which are meant to encapsulate key data protection obligations and reduce negotiation and compliance costs. The MCCs detail the parties’ responsibilities, required personal data protection measures and related obligations. Similar to the standard contractual clauses in the EU, there are two models provided by the MCCs – one that concerns transfers between data controllers, and the other that addresses transfers between a data controller and data processor (which also applies to any onward transfers to sub-processors).
The adoption of the MCCs does not ensure compliance with all data privacy laws across the region, and amendments may need to be made to take into account national requirements. Some of the terms in the MCCs may actually impose higher obligations than what is required under national law, particularly with the AMS that do not currently have a comprehensive data protection law in place. The MCCs confer rights on data subjects to enforce data protection warranties and undertakings against both parties to the MCC. This may not be in line with commercial realities, as many parties will seek to minimise their liabilities to data subjects.
A single model data transfer agreement is the holy grail for multinational companies as it is supposed to ensure predictability and consistency in data management, and is much preferable to a piecemeal approach to data processing arrangements. The MCCs offer this to an extent, but additional wording may need to be added (in appendices) to deal with specific requirements unique to a jurisdiction (e.g., timeline for data breach notifications). The MCCs also do not come with a guarantee that the recipients of the data can actually meet the requirements imposed upon them.
The DMF and MCCs provide a great starting point for companies in the region to help manage and protect their data, and to negotiate cross-border transfer terms. The adoption of the DMF and use of the MCCs will not automatically render a company compliant with all data privacy laws of the AMS. Close attention still needs to be paid to requirements under national data privacy laws and due diligence on the recipients of data will still need to be undertaken.