ASEAN Model Contractual Clauses: Low and ambiguous data privacy standards

Graham Greenleaf takes a critical look at this Southeast Asian voluntary standard which gives no enforceable rights to data subjects.

The Association of Southeast Asian Nations (ASEAN) Model Contractual Clauses (‘ASEAN MCCs’)(1) are contractual terms and conditions that may be voluntarily included by companies in binding legal agreements for the cross-border transfer of personal data. The ASEAN Digital Ministers endorsed them in January 2021.

ASEAN has ten “ASEAN Member States” (AMS), of which six have data privacy laws: Singapore, Malaysia, Thailand (not yet in force), Indonesia (undergoing reform), Vietnam (new decree in process), and the Philippines. Brunei has a draft Bill under consultation. The remaining three, Myanmar, Cambodia, and Laos, have no significant data privacy laws. The data privacy standards set by the seven laws, including their requirements for personal data exports, are not at all uniform.(2) Therefore, unlike in the EU where the GDPR sets a common standard that data exports must meet, including for Standard Contractual Clauses (SCCs) (GDPR, art. 46(2)(c) and (d)), it is a more challenging exercise to develop such clauses for transfers within and from AMS.

Continue reading

International Report subscribers please login to access the full article.

If you wish to subscribe please see our subscription information.