The European Commission and the Association of Southeast Asian Nations (ASEAN) have published a first-of-its-kind guide[1] that identifies the similarities and differences between the ASEAN model contractual clauses (ASEAN MCCs) and the EU standard contractual clauses (EU SCCs).
A second guide will be issued in due course, which will provide best practices for meeting both sets of contractual clauses.
The objective of these guides is to:
-
Help companies that export or import data across the ASEAN and EU regions understand the similarities and differences between the respective contractual clauses
-
Aid these companies in meeting the respective requirements of the contractual clauses
-
Facilitate overall compliance with ASEAN and EU data protection laws as may be applicable
As noted by Didier Reynders, the European Commissioner for Justice,[2] model clauses are a “ready-made, cost-effective solution” that are especially useful for small and medium enterprises (SMEs), and “currently by far the most used instrument for international data transfers” in the EU.
In the first comparative guide, issued on 24 May 2023, specific commonalities and distinctions between the contractual clauses were identified, based on the following areas:
-
Entering into the ASEAN MCCs or EU SCCs:
-
Choosing appropriate modules to be adopted
-
Execution and completion formalities
-
How other contractual commitments between the parties are dealt with
-
Any changes to the contracting parties
-
-
Interpretation of the clauses, and their governing law
-
Data protection safeguards:
-
Lawfulness of the transfer
-
Specifying the purpose of the transfer
-
Data accuracy
-
Data minimisation
-
Storage limitation
-
Security and confidentiality
-
Sensitive personal data
-
Onward transfers
-
-
Data subject rights, including third-party beneficiary rights
-
Accountability by the contracting parties
-
Supervisory authority
-
Government access
-
Termination and survival clauses
-
Dispute resolution
The guide provides the above comparisons for (i) controller-to-controller transfers and (ii) controller-to-processor transfers, to reflect where both sets of contractual clauses are structurally congruent.
Takeaways
MCCs are certainly continuing to gain significant traction globally.
Our team has prepared a detailed side-by-side comparison of the ASEAN MCCs and EU SCCs, together with China’s Standard Contract for Cross-Border Transfers of Personal Information,[3] as well as discussing the Latin American Data Protection Board SCCs and the Council of Europe’s SCCs that are being worked on. We expect to publish this article soon, so do subscribe to keep updated.
[2] See Foreword to the guide, at paragraph 2.