On 1 and 2 February 2024, at the fourth 4th ASEAN Digital Ministers Meeting (ADGMIN) in Singapore, ASEAN[1] unveiled:

We summarise and discuss both the Joint Guide and the ASEAN AI Governance Guide below.

Joint MCC – SCC Guide

To recap, the first part of the Joint MCC – SCC Guide (the Reference Guide) was first published in May 2023. The Reference Guide analysed practical similarities and differences between the ASEAN Model Contractual Clauses (ASEAN MCCs) and the EU Standard Contractual Clauses (EU SCCs).[2] Our previous article on the Reference Guide can be accessed at: European Commission and ASEAN releases Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses | Data Protection Report.

To further assist organisations with implementing practical measures to manage data flows between ASEAN and the EU, the ADGMIN updated the Joint MCC – SCC Guide to include an implementation guide (the Implementation Guide).

The Implementation Guide complements the Reference Guide by identifying non-exhaustive examples of best practices for implementing the relevant clauses for the two types of cross-border data transfer relationships discussed in the Reference Guide:

  • controller-to-controller transfers, involving both the data exporter and importer jointly deciding on the purposes and methods of processing data[3]; and
  • controller-to-processor transfers, where the data importer processes personal data on behalf of the data exporter[4].

Key takeaways

With the addition of the Implementation Guide to further clarify the process of operationalising data transfer clauses, the Joint MCC – SCC Guide is a useful tool for organisations seeking to implement cross-border transfers of personal data within ASEAN and between ASEAN and the EU. Companies can consider implementing these best practices to operationalise the safeguards required under both the ASEAN MCCs and EU SCCs.

However, the Joint MCC – SCC Guide serves only to provide a basic understanding of the applicable general principles – it may not provide sufficiently detailed insights into specific transfer and processing contexts. For example, certain jurisdictions (such as Singapore) may suggest, or even require, modifications to the ASEAN MCCs to ensure compliance with local regulations.[5] Organisations should therefore consider seeking legal advice in the relevant jurisdictions, to ensure that their cross-border data-transfers do not contravene local laws.

ASEAN AI Governance Guide

Summary of key features

The ADGMIN also endorsed the ASEAN AI Governance Guide, acknowledging the importance of providing guidance to encourage the responsible and secure development of emerging technologies.

The ASEAN AI Governance Guide, while not binding, is meant to apply to AI developers and deployers, individuals interested in using or expanding AI systems, as well as policymakers throughout ASEAN. The ASEAN AI Governance Guide addresses topics such as deploying AI technologies in commercial contexts.

The ASEAN AI Governance Guide outlines seven guiding principles for the design, development, and deployment of ethical AI systems:

  1. Transparency and explainability – Deployers should disclose to users how AI systems are implemented. Developers and deployers should also prioritize user understanding by providing straightforward explanations of how the AI system makes decisions.
  1. Fairness and equity – Deployers should prevent AI algorithmic decisions from worsening existing discrimination across demographics (e.g., bias relating to gender and ethnicity) by implementing safeguards, such as human interventions and regular bias testing.
  1. Safety and security – Deployers should conduct security testing, such as vulnerability assessment and penetration testing.
  1. Human-centricity – To ensure people benefit from AI while protecting them from potential harms, developers must actively avoid employing manipulative design techniques (known as dark patterns) e.g. default options that disregard user interests such as like data sharing or tracking online activities.
  1. Privacy and data governance – Deployers must respect data protection throughout AI development and deployment by complying with relevant data protection legislation when collecting, storing, generating, and deleting data in the AI system lifecycle.
  1. Accountability and integrity – Organisations should establish clear reporting structures, defining roles and responsibilities throughout the AI system lifecycle. AI systems must also be developed with integrity, and any errors or unethical outcomes should be documented and corrected to prevent harm to users upon deployment.
  1. Robustness and reliability – AI systems must remain resilient to unforeseen data inputs, avoid exhibiting dangerous behaviour, and consistently perform as intended. Deployers should conduct thorough testing before deployment to guarantee consistent outcomes across various situations.

The ASEAN AI Governance Guide also outlines four key components of an AI governance framework, which are identical to the Singapore’s Model AI Governance Framework[6] last updated in January 2020:

  1. Internal governance structures and measures – Deployers should set up (or adapt existing) internal governance structure and measures to incorporate values, risks and responsibilities relating to algorithmic decision-making.
  1. Determining the level of human involvement in AI-augmented decision-making – Organisations should apply the methodology in the ASEAN AI Governance Guide to define their risk appetite for AI use, determine acceptable risks, and identify the appropriate level of human involvement in AI-augmented decision-making.
  1. Operations management – Developers and deployers should review and study the considerations for developing, selecting, and maintaining AI models, including data management.
  1. Stakeholder interaction and communication – The ASEAN AI Governance Guide also includes strategies for deployers to effectively communicate with their respective stakeholders on when AI issued in their offerings, information on the type of AI system used, the intended purpose of the AI system, and how the AI system affects the decision-making process in relation to users.

Additionally, the ASEAN AI Governance Guide also contains national and regional-level recommendations for policymakers to consider when drafting AI legislation in their jurisdictions. For example, national-level recommendations include initiatives such as upskilling the workforce to cultivate a pool of AI-trained graduates. The regional-level recommendations, such as adapting the ASEAN AI Governance Guide to address governance of generative AI, are similar to Singapore’s draft Model AI Governance Framework for Generative AI (Singapore GenAI Framework) released in January 2024, which we have written about.[7]

The ASEAN AI Governance Guide also explores real-world use cases of organisations in ASEAN, such as Singapore’s Ministry of Education and the Smart Nation Group, which have implemented AI governance measures.

Key takeaways

The ASEAN AI Governance Guide provides actionable recommendations for organisations to implement ethical AI practices, such as defining risk appetite, establishing internal governance structures, and managing stakeholder interactions. This pragmatic approach facilitates the adoption of responsible AI practices in the region and provides organisations with a reference point to consider when implementing AI governance structures in ASEAN, in the absence of any defined AI legislation or regulations in the region.

The ASEAN AI Governance Guide also represents a light-touch and flexible approach, having regard to the varying levels of digital development, regulatory maturity and enforcement effectiveness across ASEAN, which gives rise to different policy concerns and considerations.

By aligning closely with Singapore’s framework, the ASEAN AI Governance Guide also establishes a consistent approach to AI governance across the region, fostering interoperability and harmonisation.

The release of the Joint Guide and the ASEAN AI Governance Guide are significant steps toward aligning standards for cross-border data transfers and for AI technology in ASEAN. These guides provide helpful frameworks and practical recommendations to ensure responsible and secure AI development and data handling practices, but they must always be read alongside local laws and guidance which may include additional specific restrictions or requirements.

We would like to thank our trainee Judeeta Sibs, practice trainee at Ascendant Legal LLC, for her contribution to this post.

[1] The Association for Association of Southeast Asian Nations (ASEAN) consists of: Brunei Darussalam, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam

[2] Both the ASEAN MCCs and the EU SCCs facilitate compliance with applicable data protection requirements in relation to cross-border transfers of personal data.

[3] The Implementation Guide provides examples on operationalising some of the controller-to-controller transfer clauses in the Reference Guide across the following 12 key areas:

(a) specifying the purpose of the transfer and purpose limitation;

(b) ensuring data accuracy;

(c) minimizing data, limiting storage;

(d) maintaining security and confidentiality;

(e) handling sensitive data;

(f) managing onward transfers;

(g) ensuring transparency;

(h) respecting the rights of individuals;

(i) addressing responsibility/accountability;

(j) the ability to comply; and

(k) managing government access to data.

[4] The Implementation Guide provides examples to operationalising some of the controller-to-processor clauses in the Reference Guide in the following nine key areas:

(a) specifying the purpose of the transfer and purpose limitation;

(b) ensuring data accuracy;

(c) implementing storage limitation and return procedures;

(d) maintaining security and confidentiality;

(e) handling sensitive data;

(f) managing sub-processing;

(g) ensuring transparency;

(h) respecting the rights of individuals; and

(i) managing government access to data.

[5] The Personal Data Protection Commission of Singapore has issued a guidance note for the ASEAN MCCs, outlining recommended amendments for compliance with Singapore’s data privacy laws. See: Singapore-Guidance-for-Use-of-ASEAN-MCCs—010921.pdf (pdpc.gov.sg)

[6] See our summary of the second edition of the Model AI Governance Framework here: https://www.dataprotectionreport.com/2020/02/singapore-updates-its-model-artificial-intelligence-governance-framework/

[7] See our summary on the draft Model AI Governance Framework here: https://www.dataprotectionreport.com/2024/02/singapore-proposes-governance-framework-for-generative-ai/