International: ASEAN DMF and MCCs: expectations for national implementation – Part 2
In January 2021, the Association of Southeast Asian Nations ('ASEAN') adopted the Data Management Framework [1] ('DMF') and the Model Contractual Clauses for Cross-Border Data Flows [2] ('MCCs'), a move that represents a significant advancement towards the harmonisation of standards for ASEAN Member States and beyond. Although ASEAN envisages that businesses will directly adopt these guidelines into their operations, it also sets out some expectations for national authorities to integrate these with national legislation. Following on from Part 1 of this series, this article explores the expectations in relation to implementation at national level and some perspectives from a number of legal experts operating within the ASEAN region, including Cambodia, Indonesia, Malaysia, the Philippines, Singapore, Thailand, and Vietnam.
Active participation required from data protection authorities
According to the Implementing Guidelines of the DMF and MCCs [3], the DMF and MCCs are voluntary, baseline standards, the adoption of which does not require Member States to introduce additional regulations or even amend existing regulations.
Nevertheless, Member States are expected to promote their use and designate bodies responsible for coordinating and managing such activities, albeit in accordance with their own timelines.
Member States with data protection authorities (i.e. Malaysia, Philippines, and Singapore), in particular, are urged to actively implement the standards through developing capacity-building programmes. They may also promote the standards by, among other things, providing further guidance to align such standards with national law.
Accordingly, the Personal Data Protection Commission of Singapore ('the Singapore PDPC') was the first to issue its own guidance on the MCCs and has encouraged their use in view of fulfilling the 'Transfer Limitation Obligation' under the Personal Data Protection Act 2012 (No. 26 of 2012) ('the Singapore PDPA') [4]. Although other data protection authorities in the region are yet to act, many have already expressed their commitment towards national implementation and, more generally, the promotion of the ASEAN framework.
Jay Cohen and Sochanmalisphoung Vannavuth, Partner and Advisor respectively at Tilleke & Gibbins, discuss the opportunities and challenges in implementing the DMF and MCCs in Cambodia.
Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing, or implementing personal data protection matters. Consequently, the following governmental bodies may have substantial powers in this realm: the Ministry of Commerce, the Ministry of Post and Telecommunications, and the Ministry of Interior.
After reviewing the DMF and MCCs, we are of the view that these standards broadly align with concepts of data protection that exist under Cambodian laws that implicate data protection issues. Therefore, Cambodian authorities may react positively to the guidelines provided under the DMF and MCCs.
However, implementing these guidelines can be challenging for a developing country such as Cambodia due to the following reasons:
- inadequate data protection and cybercrime regulations;
- lack of technological advancement in information and communication technology;
- lack of technology experts who can effectively deal with advanced computer crimes;
- the high cost of digital data governance; and
- the fact that it may be time-consuming to put these guidelines into place.
Positive and negative implications
Furthermore, we anticipate that the guidelines would provide both positive and negative impacts on businesses. In terms of positive impact, the DMF and MCCs will likely:
- increase the cybersecurity of all companies doing business in Cambodia;
- enable businesses to have better data processes and protection and more secure internal data collection infrastructure;
- help businesses gain more credibility and improve their reputations; and
- increase companies' customer base as clients will have stronger trust in companies and be willing to share data, knowing they are doing so in a secure environment.
In terms of negative impact, both data exporters and data importers will be strictly required to abide by the data protection guidelines and properly maintain the data they gather within the remit of the law. Some business owners might not be willing to enforce it, and therefore it may discourage business owners and investors from conducting business. In addition, some businesses might not be able to meet the standard requirements. This could cause serious issues for small and medium-sized companies that do not have adequate resources.
However, with the increase of modern technological advancements and online activities, we are of the view that the positive impacts of the DMF and MCCs would outweigh the negative impacts on the businesses.
Freddy Karyadi, Partner at ABNR, explores the impact of the DMF and MCCs in Indonesia and, in particular, upcoming legislative efforts.
Based on a press release issued by the Ministry of Communication and Information ('Kominfo') on 22 January 2021 [5], the Minister of Communication and Information highlighted that the COVID-19 crisis has driven momentum towards the acceleration of digital transformation. The Minister further stated that cooperation between ASEAN Member States is important to overcome the pandemic and recover the economy quickly. In doing this, the Minister emphasised the important aspects of data security and sovereignty, data governance, as well as cooperation and discussion related to cross-border data flows that fulfil the principles of reciprocity, lawfulness, fairness, and transparency.
In light of the above spirit, it can be concluded that Kominfo, as the relevant authority for data protection in Indonesia, will fully support the DMF and MCCs. In order to be fully implemented at national level, the regulation in DMF and MCCs will need to be incorporated into laws and regulations in Indonesia. Otherwise, such standards will only be used as guidance that is not mandatory for business actors in terms of compliance.
Potential inclusion in Personal Data Protection Act
To date, Indonesia does not have a general law governing personal data protection, except for the protection of personal data being used in electronic systems, which is governed under Kominfo Regulation No. 20 of 2016 on Personal Data Protection in Electronic Systems. Other than this, provisions regarding data protection, specifically on personal data, are regulated separately in various sectoral regulations, which are not as detailed as regulated under the DMF.
Nevertheless, the Government of Indonesia is currently in the process of discussing a draft of the Personal Data Protection Act ('the PDP Bill'). There is a possibility that the Government will include the regulations of DMF and MCCs in the PDP Bill as well.
If the guidelines are incorporated into the PDP Bill and become law, business actors must honour the guidelines in managing and storing their users' personal data, and non-compliance may result in the imposition of sanctions by the relevant authority. In this case, users will feel more secure in giving their personal data to the business actors. With the fast development of technology (and under the COVID-19 situation in which people are urged to work and carry out their activities remotely), digital activity has undoubtedly become more and more important. Furthermore, once ASEAN Member States implement the same level of data protection, there will be no fright to share users' data while doing international business amongst the business actors. This will ultimately create efficiency and open business opportunities for development.
Ridzuan Razif, Legal Associate at Mohamed Ridza & Co, delves into the interplay between the DMF and MCCs and the Personal Data Protection Act 2010 ('the Malaysia PDPA'), highlighting some initial concerns.
On 21 January 2021, the Ministry of Communications and Multimedia Malaysia ('MCMM') expressed Malaysia's assertion in providing support to realise initiatives under the ASEAN Digital Data Governance Framework [6] to ensure safe cross-border data flows and enhance cybersecurity to create a trusted ecosystem for ASEAN e-commerce.
As part of the effort, CyberSecurity Malaysia ('CSM') has set up a local cybersecurity professional certification scheme known as the 'Global Accreditation Cybersecurity Education Scheme' or 'Global ACE' which Malaysia wants to propose to ASEAN Member States in helping to create world-class cybersecurity personnel.
Some concerns and risks with adopting the ASEAN framework
The Malaysia PDPA is the main legislation governing and regulating the processing of personal data in commercial transactions and provides for matters connected and incidental to the protection of personal data, supported by the subsidiary legislation which has been enacted thereunder.
We can foresee there would be concerns in some data transfer contexts which are likely to occur if these guidelines were to sync up with current data protection laws in Malaysia due to practicality and compatibility. For instance, under Clause 4 of the controller-to-controller MCCs, controllers are required to mutually agree that the parties have taken appropriate steps to determine the level of potential risk of data breaches involved in transferring the relevant data and, accordingly, to implement appropriate controls and security standards. Furthermore, the controller-to-controller clauses also stipulate terms that prescribe direct rights of enforcement for data subjects. Therefore, this would attract commercial resistance to the use of the MCCs because Malaysian laws do not require these rights of enforcement.
Nevertheless, in light of technological advancement and the digital revolution, these guidelines would assist businesses in providing trust, transparency, and accountability to their business partners and clients, complying with data protection standards and regulations of other foreign clients, and building keenness to take up new digital opportunities from foreign companies. Citizens can also be assured that their personal data are protected. Hence, this would boost citizens' confidence and involvement in the digital economy. This is simply because the trust held in data governance practices is essential to public confidence and for continued growth.
Malaysia PDPA falls short of international standards
It is fair to say that the Malaysia PDPA merely serves a basic level of data protection in safeguarding the users' data privacy and that users are actually at risk of being exposed to some ambiguity in the legislation, particularly in respect of the users' consent.
By looking into several data breach and leakage cases, including recent data leaks of personal details in the telecommunications, health, and transport sectors, we can note that the Malaysia PDPA somewhat lags behind and fails to provide solid protection to the data users, such as a clear definition of consent and compliance. This would trigger a lot of issues in the future, whereby the data collector might simply interpret the definition of such terms and misuse the users' data at their convenience. Consequently, the data users would be in a deadlock position, where they are not able to refuse to share their personal data with the data collector without consequences.
Regulatory reform recommended
To conclude, there must be substantial adjustments and modifications to be made to the existing laws in order for Malaysia to implement these guidelines and be more in line with regional and international standards. For example, ASEAN Member States should refer and learn to adopt the practice of the EU General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), whereby it introduces higher standards, stricter laws, and tougher sanctions with extraterritorial application, while also imposing stricter measures than the personal data protection laws in ASEAN countries for requesting and providing consent.
As part of the ASEAN community, which trades closely with each other in the region, it is very crucial for businesses to adhere to these two guidelines. ASEAN Member States should therefore review their own data protection laws and develop a similar regulatory framework to protect their citizens and enable local businesses to operate regionally through mutual recognition. Along the way, the ASEAN countries will be able to adapt to the DMF and MCCs.
Mary Thel Mundin, Partner at Gatmaytan Yap Patacsil Gutierrez & Protacio, reviews the enforceability of the ASEAN framework under Philippine law.
The National Privacy Commission ('NPC') and other relevant authorities will likely welcome the guidance provided in the DMF and MCCs, as these appear to be aligned with the principles under Philippine data protection laws. It is possible that they may, later on, officially endorse these standards as recommended guidelines for data protection measures to be adopted by entities by issuing the relevant regulations. They may also use these guidelines as a baseline to determine what constitutes industry best practices.
As for implementation at national level, since we understand that these guidelines are designed to provide voluntary and non-binding guidance, we think that the DMF and MCCs are not likely to be strictly implemented or enforced until they are adopted or incorporated by the NPC or Philippine legislature as a domestic law or regulation. We also note that industry best practices are only one of many considerations of the NPC in determining the level of data security appropriate to a personal information controller ('PIC') or processor ('PIP').
Consequently, the DMF and MCCs may be considered merely recommendatory, and the adoption and usage of these guidelines may be entirely optional and not enforceable. Furthermore, if there is anything in the standards that is inconsistent with existing Philippine data protection laws, the latter will prevail.
Comparing the DMF and MCCs with Philippine data protection law
In terms of the DMF, we note that Philippine data protection laws currently only apply to personal data. In contrast, the DMF contemplates all data collected by businesses. The provisions under the DMF which apply to data that is not personal data would therefore not interact with existing Philippine data protection laws.
The MCCs: controller-to-controller transfers
In terms of the MCCs, the NPC recently issued NPC Circular No. 2020-03, regulating data sharing agreements between private PICs. The Circular enumerates specific clauses which are required to be provided in every agreement.
On the other hand, the MCC introduces clauses that highlight the inter-jurisdictional nature of the data sharing agreements envisioned (i.e. choice of law stipulations, the effect of inconsistency with the applicable ASEAN Member State law) and clauses on termination of contract, which are not mandatory under the Circular.
The MCCs: controller-to-processor transfers
While no specific regulation has yet been issued with respect to controller-to-processor transfers, Philippine data protection laws already provide that parties to data sharing must use contractual or other reasonable means to ensure that proper safeguards are in place.
Under the MCC, there is a general commercial clause that prioritises the application of Member State law, should the contract come into conflict or be inconsistent. Since compliance with the MCC is not mandatory under Philippine data protection laws, and the model contracts expressly recognise that Member State law will prevail (we note that under Philippine law, parties generally have the freedom to contract), it appears that parties are free to incorporate and be bound by any and all of the provisions designated in the MCC, should they so choose (subject to the legality and validity of the provisions under Philippine laws).
Minimal impact owing to uncertainty and lack of enforceability
We believe there will be minimal impact, owing to the lack of enforceability of the DMF and MCCs (i.e. lack of mandatory implementation and penalties associated with non-compliance), and to the subjectivity of evaluating whether or not the standards have been met. Businesses may adopt the DMF and MCCs in order to adhere more closely to best practices, but it is possible that the NPC will focus more on their compliance with the requirements set forth under Philippine data protection laws.
That being said, given the relative similarity of the provisions in the MCC as regards the current regulations of the NPC, we believe that should the NPC release a model outsourcing agreement or model data sharing agreement based on the MCCs, it will not be difficult to transition to using such models as a standard contract in the Philippines.
Lionel Tan, Partner at Rajah & Tann LLP, examines the DMF and MCCs with a positive outlook.
The DMF and MCCs will give businesses a broad framework in order to navigate the complicated issue of ensuring personal data protection and meeting the data transfer obligations within the ASEAN region. It is in recognition of the growth of the digital economy and is an attempt to make it easier for businesses in the ASEAN region to comply with the existing data protection legislation in the various ASEAN countries. There is still a caveat for businesses to obtain independent legal advice in the specific jurisdictions when adapting the DMF or MCCs for their operational requirements. Nevertheless, this initiative will lessen the burden for most businesses.
Furthermore, the MCCs provide a good template for businesses to rely on when their operations require the transfer of personal data out of Singapore. At the very least, the MCCs and their endorsement by the PDPC provide parties with an understanding of what the contractual obligations are between the party transferring the personal data and the recipient organisation. In current practice, some parties may feel that some of the obligations imposed may be too onerous, and there are times when there is a commercial push back in the way certain clauses in data transfer agreements may have been drafted. This leads to delay while parties have to negotiate the data transfer agreements. With the MCCs, this is a good template of contractual clauses that businesses can rely on to fulfil the Transfer Limitation Obligations under the Singapore PDPA. Nevertheless, businesses should take note of and comply with the Singapore PDPC's guidance note on the specific amendments that need to be made to the MCCs to comply fully with the Singapore PDPA.
A welcome initiative to influence digitisation
The objective of the DMF and MCCs is to facilitate the various processing of personal data within the ASEAN region. We can foresee that businesses in this region will increasingly adopt digital networks and platforms as part of their commercial process. Such processes would include e-commerce fulfilment, payment applications, data analytics, and artificial intelligence. Hence, the balance between digital acceleration and personal data protection needs to be struck. It is hoped that the DMF and MCCs will influence and steer businesses in ASEAN towards greater and more expeditious digitisation, while assuring data subjects that their personal data is nevertheless reasonably protected.
It is not easy to harmonise the different personal data protection regimes of the various jurisdictions in ASEAN. There will always be different standards and approaches due to differences in legal systems, regulatory approach, and cultural acceptance by the respective population of the amount of personal data being collected and processed. Hence, this immense effort to develop the DMF and MCCs should be commended as an important step towards finding some common ground between the ASEAN countries and will surely be warmly welcomed by the businesses in this region.
Dhiraphol Suwanprateep, Partner at Baker McKenzie in Bangkok, discusses the benefits of the DMF and MCCs in achieving compliance with the upcoming Personal Data Protection Act 2019 ('the Thai PDPA').
As the Personal Data Protection Committee of Thailand ('the Thailand PDPC') has not been established yet, there will not be any action towards the implementation of the DMF and MCCs. However, as the Thai PDPA has broadly adopted principles from the GDPR, the PDPC would likely follow the DMF and MCCs, since these standards follow the same directions as in the GDPR and in view of enhancing the interoperability between ASEAN Member States.
Currently, the Thai PDPA does not take effect until 1 June 2021, and there is currently no sub-regulation or official guideline relevant to the cross-border transfers of personal data (e.g. adequate data protection standard). As the DMF and MCCs mostly implement the same principles as the Thai PDPA, the further sub-regulations and guidelines to be established in the future would likely be tailored to the concepts of the DMF and MCCs, except where these are inconsistent with the Thai PDPA (e.g. the definition of personal data under the PDPA also includes the personal data of a deceased person).
As the Thai PDPA is not in force, some businesses might not be prepared for full compliance with the PDPA yet. Thus, the DMF and MCCs might assist the organisations and businesses to mitigate the risks for processing of personal data and would help save time and internal resources for compliance with the Thai PDPA.
In addition, the DMF and MCCs do not create any negative impacts for the organisations and businesses which are subject to the Thai PDPA. As the DMF only provides best practices and is not legally binding, it would be beneficial for organisations and businesses to tailor such standards to fit their business needs. In terms of the MCCs, which may create legally binding agreements, it would help organisations to conduct cross-border transfers in compliance with the MCCs. Notably, organisations are able to amend the clauses, as long as they do not contradict applicable data protection laws, and to provide the commercial terms and conditions in accordance with mutual agreement between parties.
Viet Le Ton, Associate at Russin & Vecchi, considers the DMF and MCCs in view of existing and upcoming regulations.
In our view, the implementation of the DMF and MCCs is not a priority of the Government of Vietnam, because the Government has only recently approved the Ministry of Public Security's ('MPS') proposal to draft a decree on personal data protection. It will be the first unified regulation on personal data protection in Vietnam. The first draft of the decree is set to be available for the Government's review during the first quarter of 2021. According to the MPS' proposal, one of the main purposes of the decree is for Vietnam to become compatible with the data protection regulations of other countries and regions, including the GDPR. We expect that the DMF and MCCs will be considered in the drafting of the decree.
Nevertheless, the progress of the draft decree will not be totally predictable. There will be comments from the Government, from other Ministries, and, we expect, from the public. It may take several months for the decree to be finalised.
Finally, we see no direct interaction between the DMF and MCCs and the cybersecurity laws of Vietnam. We do not see any specific impact to organisations and businesses when the DMF and MCCs are implemented. However, because the DMF and MCCs are recognised by the Government, organisations and businesses may implement the DMF and MCCs as forms of 'appropriate measures' for the protection of personal data under Vietnamese law.
Karan Chao, Privacy Analyst
Comments provided by:
Jay Cohen, Partner, and Sochanmalisphoung Vannavuth, Advisor, Tilleke & Gibbins
Freddy Karyadi, Partner, ABNR
Ridzuan Razif, Legal Associate, Mohamed Ridza & Co, Kuala Lumpur
Mary Thel Mundin, Partner, Gatmaytan Yap Patacsil Gutierrez & Protacio, Makati
Lionel Tan, Partner, Rajah & Tann LLP, Singapore
Dhiraphol Suwanprateep, Partner, Baker McKenzie, Bangkok
Viet Le Ton, Associate, Russin & Vecchi, Hanoi
1. Available at: https://asean.org/storage/2-ASEAN-Data-Management-Framework_Final.pdf
2. Available at: https://asean.org/storage/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf
3. Available at: https://asean.org/storage/1-Implementing-Guidelines-for-ASEAN-Data-Management-Framework-and-Cross-Border-Data-Flows_Final.pdf
4. Available at: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Singapore-Guidance-for-Use-of-ASEAN-MCCs.pdf?la=en
5. Available at (in Indonesian): https://www.kominfo.go.id/content/detail/32259/siaran-pers-no-20hmkominfo012021-tentang-kolaborasi-untuk-percepatan-transformasi-digital/0/siaran_pers
6. Available at: https://asean.org/storage/2012/05/6B-ASEAN-Framework-on-Digital-Data-Governance_Endorsed.pdf