tldr

The Legal Dispatch Room

ASEAN Data Management Framework & Model Contractual Clauses
 

Companies transferring data across borders need to navigate the diverse approaches to data in ASEAN’s various jurisdictions. The ASEAN Data Management Framework (“ASEAN DMF”) provides step-by-step guidance to companies regarding data governance structures and safeguards, and the Model Contractual Clauses for Cross Border Data Flows (“ASEAN MCCs”) offer template terms to govern the rights and obligations of parties transferring data across borders. 

The ASEAN DMF provides a step-by-step guide, including for data governance structures and safeguards. For example, an ecommerce business can develop clear guidelines to manage the data that it possesses or receives as part of its operations. Names, telephone numbers and addresses as well as invoice amounts and delivery times should be categorised into personal data, business data or other categories as management deems appropriate. Thereafter, management should assess the risk and impact of any breach, and assign appropriate safeguards such as data backups, password protection and/or access control, depending on the sensitivity of the data. Safeguards should strike a balance between achieving a suitable level of protection, and over-protection which may hinder use for business purposes.  

The ASEAN MCCs, which were approved in January 2021 by the Association of Southeast Asian Nations Digital Ministers’ Meeting (“ADGMIN”), are template terms for businesses transferring personal data across borders.  

There are two types of MCCs: ‘Controller-to-Processor’ (“C2P MCC”) and ‘Controller-to-Controller’ (“C2C MCC”).  

A C2P MCC is used when a “Data Importer” (a party receiving data from a party in another jurisdiction) is contracted solely to process data, or to provide a related service using the data. Under the C2P MCC, the “Data Importer” is obliged to, inter alia, (i) process data solely in accordance with the “Data Exporter’s” instructions and for specific purposes; (ii) limit further disclosure or transfer of data to third parties; and (iii) if disclosure to third parties is required, obtain the consent of the “Data Exporter”.

A C2C MCC is used when a “Data Importer” will process the transferred data for its own purposes and will assume authority, control and responsibility for the imported data. Under the C2C MCC, the “Data Importer” and “Data Exporter” must determine the potential risk of data breaches, undertake to implement suitable security measures, and administer controls and security safeguards relating to the storage and processing of transferred data.   

Singapore’s Personal Data Protection Commission (“PDPC”) has provided additional guidance regarding the use and modification of MCCs. For example, as Singapore’s Personal Data Protection Act (“PDPA”) covers data regarding both living and deceased persons, the PDPC recommends that the definition of “data subject” in an MCC include deceased persons.

More details:
https://www.pdpc.gov.sg/help-and-resources/2021/01/asean-data-management-framework-and-model-contractual-clauses-on-cross-border-data-flows

Nicholas Lee contributed this update.