On May 23, 2023, the European Commission together with ASEAN (the Association of Southeast Asian Nations) published guidance that identifies commonalities and differences between the EU Standard Contractual Clauses for international data transfers (“SCCs”), and ASEAN’s Model Contractual Clauses (“MCCs”), to assist companies with their efforts to comply with data transfer rules in both regions (see the joint guidance here). The Joint Guide to ASEAN Model Contractual Clauses and EU Standard Contractual Clauses (“Guide”) includes a Reference Guide intended to compare the clauses of the MCCs and the SCCs, and will shortly be complemented by an Implementation Guide providing best practices for companies that plan to use both sets of clauses.
Communalities between the SCCs and MCCs
Standard Contractual Clauses have been used as tools for transferring personal data to data recipients in third countries (outside of the EU) for more than two decades. However, in June 2021 the European Commission adopted an updated version of the SCCs to address some of the concerns raised by the Court of Justice of the EU in the Schrems II-case (see the Commission’s Implementing Decision (EU) 2021/914 here).
Similarly, the Association of Southeast Asian Nations (which brings together Brunei, Cambodia, Indonesia, Myanmar, Laos, Malaysia, Philippines, Singapore, Thailand and Viet Nam) issued the MCCs in January 2021 to provide companies with two sets of clauses to transfer personal data across the Southeast Asian region in accordance with local law requirements (see the MCCs here). The MCCs allow for the transfer of personal data from one ASEAN country to another, as well as from one ASEAN country to a non-ASEAN country.
The MCCs and SCCs are standardized contractual safeguards that companies can implement so that they can share personal data across borders in accordance with legal requirements on data transfers. Because these contractual solutions have already been pre-approved by the relevant regulatory authorities and are easy to put in place, both the SCCs and MCCs have become popular tools for ensuring compliance with data transfer restrictions.
Main differences between the SCCs and MCCs
Although the SCCs and MCCs pursue similar objectives, some of their clauses are substantially different. The Guide compares the SCCs and MCCs, and highlights the following key differences:
- Both the MCCs and SCCs include various modules that can cover different data transfer scenarios: the SCCs offer four different modules (controller-to-controller, controller-to-processor, processor-to-processor, and processor- to-controller); the MCCs only provide two (controller-to-controller and controller-to-processor modules);
- Both the MCCs and SCCs require exporters and importers of personal data to describe the data transfers (i.e., types of personal data transferred, categories of data subjects, purposes of the transfer, etc.), but the SCCs require additional details: parties to the SCCs must also a) specify the technical and organizational security measures that are aimed at protecting the exported personal data; b) list any authorized sub-processors, and b) indicate the competent Supervisory Authority in the EU;
- The MCCs can be edited where needed, whereas the SCCs should not be altered. If the (core) text of the SCCs is modified (beyond selecting the relevant modules and/or options, and completing the annexes), the altered clauses cannot be used as a legal basis for data transfers to third countries – unless they are approved by a Supervisory Authority as ad hoc clauses;
- The SCCs include an optional “docking clause”, which allows the parties to add other parties to their agreement (e.g., if a controller and processor agree that it would be useful to involve an additional (sub)processor. The MCCs currently do not have a similar docking mechanism.
The Guide is considered a concrete step to further reinforce ASEAN’s efforts to strengthen personal data protection in the region. It also reflects the EU’s and ASEAN’s shared commitment to enhancing data governance through the implementation of international best practices. Businesses engaged in cross-border data transfers – in particular between the ASEAN countries and the EU – may find the Guide useful in navigating the data transfer landscape and streamlining their data flows.