International: ASEAN forges ahead with data management framework and cross-border contractual clauses - Part 1
Having established cooperation in the realm of data governance as a priority since 2015, the Association of Southeast Asian Nations ('ASEAN') has finally issued its first set of guidelines: the Data Management Framework¹ ('DMF') and the Model Contractual Clauses for Cross-Border Data Flows² ('MCCs'). According to ASEAN, these two initiatives represent harmonised standards for data management and cross-border transfers between ASEAN Member States.
These standards will ultimately support organisations in consolidating accountability and trust with consumers and business partners, while also enabling them to comply with data protection regulations and leverage new digital opportunities. Considering this, Part 1 of this series provides a brief overview of the DMF and MCCs, while Part 2 will discuss the expectations for national implementation and perspectives from across the ASEAN region.
Building on the ASEAN framework
In 2018, ASEAN published its Framework on Digital Data Governance⁴. This Framework outlined strategic priorities which would form the basis of policy and regulation development across the ASEAN region. In addition, it called for the establishment of the following initiatives:
- a data classification framework;
- a mechanism for cross-border data flows; and
- forums for digital innovation and data protection as well as privacy.
In furtherance of the first two initiatives, in January 2021, the digital ministers of ASEAN adopted the DMF and MCCs.
On one hand, the DMF provides step-by-step guidance for businesses to put in place an effective system to manage data throughout its lifecycle. In doing so, the DMF addresses the ongoing growth of the digital economy and the increasing reliance on emerging technologies.
On the other hand, the MCCs fall within the broader category of cross-border data flow mechanisms and are voluntary standards based on best practices and fundamental privacy principles. They set out contractual terms and conditions that may be implemented by organisations as a legal basis for cross-border data transfers. As such, the MCCs offer a 'baseline' of data protection measures, thereby paving the way for ASEAN businesses to work with partners within and beyond the region.
A risk-based approach to data management
Knowing the value and purpose of data
The DMF is targeted towards private sector businesses and is intended to apply to all business-related information, including both personal data and business transactional data. It provides non-binding guidance on developing data management practices in accordance with three important factors: business needs; the value and purposes of data; and corresponding risks.
It guides organisations through a number of 'foundational components' which are considered essential to an effective data management programme. The end result is the establishment of cost-effective technical, procedural, and physical controls which ensure the confidentiality, integrity, and availability of information to an appropriate level.
Understanding the value of information and classifying such information accordingly is therefore an inherent condition under the DMF.
In this regard, the DMF requires organisations to establish the following six components:
| 1. Governance and oversight | Organisations should involve all employees in their data management programme and determine their roles and responsibilities within the system. The DMF highlights three types of functions: |
| 2. Policies and procedures | Policies and procedural documents support an organisation's data governance programme. As part of the organisation's corporate policies, such documents also represent a clear commitment to good data management within the organisation, demonstrating accountability as well as reinforcing transparency with internal and external stakeholders. |
| 3. Data inventory | Organisations are not only expected to map data in their control and possession, but also categorise such data in accordance with the wider context, namely: The DMF also sets out overarching considerations that can assist businesses in categorisation and assessing risks – for example, the nature of services provided, the applicable regulatory landscape, and customer expectations. |
| 4. Impact and risk assessments | Organisations should conduct impact risk assessments to assign different risk profiles depending on how datasets are categorised. To this end, organisations should consider the three parameters of confidentiality, integrity, and availability as well as the accompanying financial, strategic, operational, and compliance risks. |
| 5. Protection controls | Organisations should adopt risk-based controls to mitigate and manage the identified risks. Although the DMF does not prescribe any controls for this purpose, it refers to existing international standards such as those developed by the International Standards Organization and the National Institute of Standards and Technology. |
| 6. Continual monitoring and improvement | Organisations should consider a number of key activities, including monitoring compliance, reviewing categorisation of data and associated controls, and updating policies and procedures. |
Contractual clauses as a legal basis for cross-border data transfers
While the MCCs are voluntary and do not preclude the use of other data transfer mechanisms (e.g. codes of conduct, binding corporate rules), these contractual clauses allow organisations to transfer data across borders in a manner that complies with the existing legal and regulatory restrictions in ASEAN Member States. Once implemented into contractual agreements, these clauses make clear the responsibilities and obligations of the 'data exporter' and the 'data importer.'
According to ASEAN, the MCCs can be divided into two modules: controller-to-controller transfers and controller-to-processor transfers. In addition, the obligations are drafted to embody the following fundamental privacy principles:
- the data exporter warrants that the data is transferred in accordance with the applicable national laws and that, where necessary, they have obtained consent from the data subject;
- the data importer agrees to process the data in accordance with minimum data protection obligations (e.g. purpose limitation, accuracy, data security, etc.); and
- the data importer is required to notify the relevant authorities and the data exporter if it becomes aware of any data breaches.
Furthermore, the MCCs also provide additional terms for individual remedies in which the parties can confer the rights contained in the law of an ASEAN Member State on the data subjects concerned and agree on the party against whom data subjects can enforce their rights.
Controller-to-processor clauses: key characteristics
In sum, the DMF and MCCs symbolise a substantial effort from ASEAN to harmonise data management standards and contractual clauses for cross-border data transfers. Indeed, ASEAN will continue to promote their implementation through capacity-building programmes and, more importantly, finalise the Certification Mechanism for Cross-Border Data Transfers by the end of 2021.
Notably, ASEAN highlighted that these initiatives aim to 'raise the digital competitiveness of the ASEAN region by establishing a trusted, transparent, and accountable environment for doing business, and build ASEAN's readiness to take up new digital opportunities. This will prepare ASEAN to work with other regional and global partners on creating interoperable data management and cross-border data flows standards globally.'⁵ These goals ultimately align with ASEAN's broader ambitions to establish itself as a 'leading digital community and economic bloc, powered by secure and transformative digital services, technologies, and ecosystem'⁶.
Nevertheless, the utility of the DMF and MCCs remains to be seen and will depend on implementation by the relevant authorities at national level in each Member State as well as the receptiveness of the private sector.
Karan Chao Privacy Analyst
1. Available at: https://asean.org/storage/2-ASEAN-Data-Management-Framework_Final.pdf
2. Available at: https://asean.org/storage/3-ASEAN-Model-Contractual-Clauses-for-Cross-Border-Data-Flows_Final.pdf
3. Available at: https://asean.org/storage/2012/05/10-ASEAN-Framework-on-PDP.pdf
4. Available at: https://asean.org/storage/2012/05/6B-ASEAN-Framework-on-Digital-Data-Governance_Endorsed.pdf
5. See Joint Media Statement of the 1st ASEAN Digital Ministers' Meeting and Related Meetings dated 22 January 2021, available at: https://asean.org/storage/16-ADOPTED_Joint_Media_Statement_of_the_1st_ADGMIN_cleraed.pdf
6. See ASEAN Digital Masterplan 2025, available at: https://asean.org/storage/ASEAN-Digital-Masterplan-2025.pdf