International: Comparing contractual clauses - ASEAN MCCs v. EU SCCs
On 22 January 2021, the Digital Ministers of the Association of Southeast Asian Nations ('ASEAN') approved the Model Contractual Clauses for Cross-Border Data Flows ('MCCs'), which are a set of recommended template contractual provisions that organisations can voluntarily choose to incorporate as part of their legal arrangements in relation to cross-border transfers of personal data in the ASEAN region. The MCCs are designed to ensure that personal data transferred from one ASEAN jurisdiction to another will continue to be processed in accordance with the data protection laws that apply in the first ASEAN jurisdiction. Mark Parsons, Anthony Liu, and Jacqueline Chan, from Hogan Lovells, discuss how the MCCs compare with European standards as well as their broader impact on the ASEAN region.
Generally, the purposes of the MCCs align with those of other international frameworks on data transfer template clauses, such as the EU's current version of the Standard Contractual Clauses ('SCCs'). In comparison, the SCCs are a legal mechanism set out in the EU's General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') aimed at ensuring the lawful and secure transfer of personal data from the European Economic Area ('EEA') to non-EEA jurisdictions.
This current version of the SCCs, however, is undergoing significant changes. In November 2020, the European Commission ('EC') published a new set of draft SCCs for transferring personal data for public consultation, following the Court of Justice of the European Union's ('CJEU') decision in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('Schrems II'). In that case, the CJEU determined that, among other things, the current version of the SCCs was valid as a mechanism for data transfers, provided that they are subject to the adoption of additional safeguards. As such, these new SCCs are intended not only to modernise the current version, but also to address the CJEU's decision and have these additional safeguards 'built-in.' Once approved, this new set of SCCs will replace the current version of the SCCs.
In this article, we do not provide a comprehensive analysis of the new SCCs, but instead focus on key points of comparison between the SCCs and the MCCs.
The MCCs and the new draft SCCs
The MCCs are comprised of two models, one which relates to transfers of personal data between data controllers (whereby the transferor and the transferee will separately control their own processing of the data) and one which relates to the transfers by a data controller to a data processor (whereby the data processor will only process the data in accordance with the data controller's instructions and not for its own separate purposes). Accordingly, the two versions of provisions under the MCCs address transfers of personal data from a data controller only, but not transfers from a data processor. The current SCCs are similarly comprised of two different versions that reflect these transfer scenarios, but the new SCCs also address transfers by data processors.
The MCCs are a voluntary set of provisions that organisations can choose to incorporate as part of their legal arrangements for data transfers. A key concept to bear in mind, however, is that the application of the MCCs does not ensure compliance with all data protection regulations across the ASEAN region, and that amendments or additions may be required to address specific requirements that apply in certain ASEAN jurisdictions. In addition, as the MCCs are voluntary, organisations may choose to use other methods of achieving compliant data transfers instead of the MCCs.
The SCCs are one of the mechanisms that organisations can utilise under the GDPR for cross-border data transfers. Whilst they are only one of various mechanisms that organisations can use, given their ease of implementation, they are frequently deployed by organisations to ensure compliance with the GDPR's data transfer requirements.
Like the MCCs, organisations can incorporate the SCCs as part of their legal arrangements and incorporate safeguards in addition to the protections provided under the SCCs. However, in contrast to the MCCs, such additions may not be included if they contradict the provisions of the SCCs or prejudice data subject rights. The rationale for this is that the SCCs are designed to facilitate transfers from controllers and processors established in the EU to controllers and processors in third countries that do not offer an adequate level of protection to ensure that the data remains protected in that third country.
Unlike the current SCCs and the MCCs, the new SCCs adopt a modular approach that allows organisations to tailor the provisions to address four transfer scenarios: (a) controller-to-controller; (b) controller-to-processor; (c) processor-to-processor; and (d) processor-to-controller. The European Commission has stated that this modular approach is intended to modernise the approach to contracting and to more accurately reflect the contemporary nature of data processing and transfer arrangements. This approach to modernisation is reflected in the addition of the new 'docking clause' that adds greater flexibility for organisations by allowing more than two parties to adhere to the contract and additional third parties to accede to it as data exporters or data importers, which is useful in reducing the need for organisations to enter into multiple agreements.
The new SCCs have also been updated in a number of other ways, including to account for the uncertainty regarding the status of the current SCCs following the CJEU's decision in Schrems II and to address the impact of a third country's laws on the data controller's or data processor's contractual obligations. For example, there are new obligations relating to the adoption of specific safeguards to address any effects of the laws of the third country on the data importer's compliance with the SCCs and dealing with requests from public authorities in the third country for disclosure of the personal data transferred.
Analysis and impact of the MCCs
In general, the obligations imposed on the data processor under the controller-to-processor MCCs broadly reflect the requirements under existing ASEAN Member State privacy laws, such as only processing data in accordance with the data controller's instructions and implementing appropriate security arrangements.
However, some of the provisions in the controller-to-processor MCCs represent 'over-compliance' by imposing additional restrictions on data transfers that exceed local law requirements. For example, the MCCs require, by default, an obligation of the data controller to obtain the data subject's consent to the data transfer. Where such consent is not required under local laws or if such consent is revocable, then agreeing to this obligation could pose challenges for data controllers. In addition, the 'Additional Terms for Individual Remedies' section provides data subjects with direct rights of enforcement of the clauses against the parties (and sub-processors), which is another concept under the MCCs which does not align with local laws. ASEAN Member State laws do, in many cases, regulate international transfers of personal data, but do not require direct rights of enforcement by data subjects. Accordingly, in practice, the inclusion of these provisions will likely encounter commercial resistance from both data controllers and data processors.
The controller-to-controller MCCs are more straightforward, as they broadly align with the approaches taken generally across ASEAN Member States, namely that obligations are primarily imposed on data controllers with regard to their engagement of data processors and that there is little regulation of controller-to-controller data transfers. This is reflected in the fact that many of the provisions in the controller-to-controller MCCs are expressed to be optional. Nonetheless, the controller-to-controller MCCs do include certain provisions that would, in practice, create some challenges for data controllers, such as the inclusion of the 'Additional Terms for Individual Remedies' section, thus reducing the likelihood of their inclusion in the parties' commercial arrangements.
In light of the 'patchwork' nature of privacy laws across the ASEAN region with varying standards, it is inherently impractical, if not impossible, to have a one-size-fits-all set of template data transfer clauses that are fully compliant across the region. Accordingly, the structuring of the MCCs as an opt-in model reflects this practical reality of the ASEAN data protection regime. The MCCs broadly align with the considerations that are prevalent under existing market practice among organisations in the ASEAN region. They represent a significant step towards harmonising the regulation of data transfers in the ASEAN region and provide a good starting point to help parties identify key issues when conducting cross-border personal data transfers. As most of the MCC clauses are optional, organisations are given greater flexibility to negotiate practical considerations and risk allocations.
Given the voluntary nature of the MCCs and the built-in default over-compliance, the extent to which organisations will actually incorporate them, as drafted, into their commercial agreements remains to be seen. It is likely that organisations will continue to agree or negotiate bespoke contractual arrangements to address their requirements for each specific commercial engagement and to comply with the applicable local law requirements for the data transfers, rather than seeking to incorporate provisions that are not mandatory in the relevant jurisdictions.