Remarks by Deputy Commissioner, Mr Yeong Zee Kin, at the IAPP Global Privacy Summit on 5 April 2023, at DC, Washington

05 Apr 2023

From the panel on ‘Not-so-standard Contractual Clauses: Comparing Global Data Transfer Tools’ at the IAPP Global Privacy Summit 2023.

  1. Thank you for the opportunity for me to share about the Model Contractual Clauses (MCCs) that we introduced in Southeast Asia.

  2. Perhaps, we ought to begin with an introduction to the Association of Southeast Asian Nations, ASEAN. We are an association of ten countries in — as the name implies — South East Asia. ASEAN was established in 1961. It covers a geographical area of 4.5 million square kilometres with a total population of over 650 million, which is about 8.5% of the global population. The GDP of the region is 3.3 trillion, which is about 3.5% of global GDP.

  3. It is an area of diverse maturity for data protection laws. There are three member states with general data protection laws and where data protection authorities have been established — Malaysia, Singapore & Philippines. Two member states have recently enacted data protection laws – Thailand & Indonesia — and they are in the process of establishing their data protection authorities. The remaining countries in ASEAN are in various stages of adopting general data protection laws, or may still be relying on sectoral regulation for protecting personal data. This gives a sense of the kind of landscape and operating environment within ASEAN.

  4. The ASEAN MCCs are part of an effort to establish a baseline of data protection within, and across, ASEAN. It is an effort that commenced in 2016 when ASEAN came together and adopted the ASEAN Framework on Personal Data Protection, a set of principles that have been modelled closely after the OECD Privacy Guidelines and the APEC Privacy Framework.

  5. Having established and adopted the ASEAN principles, ASEAN endorsed the ASEAN Framework on Digital Data Governance. Within this Framework, there are four components. One of the components is the establishment of the ASEAN Data Protection and Privacy Forum for regulators and policy makers to come together to exchange ideas and develop best practices. The next two components are important to this discussion. First, the ASEAN Data Management Framework (DMF) and second, the ASEAN Cross Border Data Flows Mechanism.

  6. It is important to understand why and how the DMF interfaces with the MCCs. The DMF is intended to help companies identify the right level of protection for their data repositories and data assets. It provides recommendations concerning the technical measures for different levels of protection. It takes a holistic approach to data governance throughout the lifecycle of data. It establishes best practices that cover not only technical measures, but also process safeguards, and other forms of governance controls. These measures and controls help to protect personal data at rest and personal data in transit, and ensure that access to personal data is authorised.

  7. The second component is the ASEAN Cross Border Data Flows Mechanisms. There are many different types of transfer mechanisms. The first transfer mechanism we focused on was to develop a set of model contractual clauses. This is because contractual clauses are the most commonly used transfer mechanism, especially for business-to-business transfers. The MCCs are not intended to be used in isolation, but to be used in conjunction with the technical measures, process safeguards, and the other forms of governance controls which are recommended in the DMF. These two measures are intended to work hand in glove; some of the obligations established within the MCCs can be easily implemented through the best practices set forth in the DMF.

  8. So, why do we need MCCs in ASEAN? In an area where there is such diversity in data protection maturity, the export of personal data is not straightforward. Countries with data protection laws like Singapore and Philippines have a requirement that companies exporting data must ensure that the recipient company can protect personal data to an equivalent or comparable standard of protection. But what if the recipient company is in a country where there is no general data protection law? What we are trying to do here is establish an ASEAN-wide standard, so that companies, especially those in countries without data protection laws, will not be confused. We are also trying to ensure that there is no fragmentation – if every single ASEAN member state were to issue their own standard contractual clauses, this would create confusion within ASEAN. Uncertainty, whether due to unfamiliarity with contractual clauses, or due to the presence of too many contractual clauses, can result in unintended barriers to cross border trade.

  9. Contracts enable assurance that the recipient company, even one situated in a country without a general data protection law, will be able to make promises to protect data to the same standard. It is a transfer mechanism that is commonly adopted. By using contracts, we are able to establish a common baseline throughout ASEAN, despite the different maturity levels in terms of data protection laws.

  10. For countries such as Singapore and Philippines where data protection regulators are well established, we have issued regulatory guidance to provide certainty. If companies in our countries use the MCCs, they will meet the transfer limitation requirements under our respective domestic data protection laws. Such concerted efforts reduce confusion in the market and foster regulatory convergence.

  11. I end by drawing a link to what I said earlier about the DMF. The common baseline goes beyond legal obligations. Companies that are located in countries that do not have data protection laws may not have a set of domestic data protection standards that they can reference. Contractual promises will be empty if companies do not know how to implement measures to meet them. This is why the ASEAN DMF is a crucial counterfoil to the ASEAN MCCs. The technical measures, process safeguards, and other forms of governance controls that are recommended in the DMF help companies meet their contractual obligations under the MCCs.
