To enable international businesses to comply with cross-border personal data transfers and the relevant laws across the European Union (EU) and South-East Asia, on 24 May 2023 the European Commission and the Association of Southeast Asian Nations (ASEAN) published a Reference Guide to ASEAN Model Contractual Clauses (ASEAN MCCs) and EU Standard Contractual Clauses (EU SCCs) (the Reference Guide). This Reference Guide compares the ASEAN MCCs and EU SCCs, highlighting practical similarities and differences.
The Reference Guide is the first of a two-part guide to the ASEAN MCCs and EU SCCs (the Joint Guide). The second part of the Joint Guide (also known as the Implementation Guide), which is currently being considered by EU and ASEAN, will provide best practices which companies could adopt, in order to meet the requirements of both sets of contractual clauses.
The Joint Guide aims to provide practical guidance for businesses operating across these two regions to facilitate compliance with applicable data protection requirements whilst providing for the cross-border transfers of personal data.
Overview of the Reference Guide
Broadly, the Reference Guide comprises three parts:
- General – dealing with practical matters on entering into the ASEAN MCCs / EU SCCs as well as the interpretation of key concepts used in the contractual clauses.
- Obligations for controller-to-controller transfers – relating to the contractual requirements and commitments contemplated under the ASEAN MCCs and EU SCCs for data protection safeguards, data subject rights and compliance, dispute resolution and termination in the context of use of the relevant controller-to-controller transfer modules.
- Obligations for controller-to-processor transfers – this sets out similar considerations as controller-to-controller transfers but in the context of use of the relevant controller-to-processor transfer modules.
The Reference Guide identifies key similarities and differences between the ASEAN MCCs and EU SCCs and provides helpful commentary on the areas where the contractual clauses diverge.
The Reference Guide is a helpful step in the right direction by EU and ASEAN to untangle potential complications of using multiple model clauses for export and to facilitate compliance through interoperability by showing alignment between the EU SCCs and ASEAN MCCs.
That said, the EU SCCs and ASEAN MCCs on their own are not the complete answer to enabling cross-border transfers. Businesses will still need to conduct appropriate data mapping exercises and transfer impact assessments before exporting personal data, especially for outbound transfers of personal data from the EU and put in place appropriate operational safeguards to ensure compliance with data protection regulatory requirements of the relevant jurisdictions.
In this regard, the imminent publication of the Implementation Guide is important as it should provide businesses with guidance on how to practically manage the differences between the EU SCCs and ASEAN MCCs so helping businesses to streamline operations for EU-ASEAN cross border data flows.