Last week I attended the IAPP Global Summit (the IAPP’s annual privacy bash), featuring privacy luminaries as keynote speakers and dozens of privacy-focused sessions. One particularly good session was about the proliferation of standard contractual clauses (SCCs) that permit cross-border data transfers. This session coincided with the Future of Privacy Forum’s release of a report on regional SCCs.
The granddaddy of SCCs, of course, is the set of SCCs approved under the EU Data Protection Directive and subsequently under the GDPR. Those SCCs were adopted (and adapted) by the UK effective March 21 of last year in the form of a stand-alone International Data Transfer Agreement, along with an International Data Transfer Addendum that piggybacks on the EU SCCs.
Less well publicized, however, is the emergence of other regional and national SCCs. In particular:
- ASEAN Model Contractual Clauses
- Ibero-American Network’s Model Transfer Agreement
- China’s Draft Provisions on Standard Contracts for the Export of Personal Information
SCCs are a natural outgrowth of the increasingly widespread promulgation of national data protection laws. Each country that has adopted legal protections for personal data must face the question: how can protection of that data be maintained once it flows outside national borders?
One answer, of course, is the “adequacy” scheme adopted by the EU. Under GDPR Art. 45, personal data can flow freely from the EU to any country that the European Commission has determined “ensures an adequate level of protection” for personal data. But only a handful of countries have passed this test to date.
Another solution is to require the data recipient (typically a “processor” in GDPR parlance) to provide assurances by contract to protect personal data (i.e., “appropriate safeguards”). Standardized contracts grease the skids in negotiating such protections.
SCC Challenges Outside the EU
The EU, in formulating its SCCs, had a relatively straightforward task, because its data protection laws apply across all 27 EU members.
The task outside the EU is more daunting, because the data protection laws among countries in global regions aren’t uniform and may not even exist.
Among the 10 ASEAN members, for instance, only Malaysia, the Philippines, Singapore, Thailand and (most recently) Indonesia have comprehensive data protection laws. So how did ASEAN deal with the challenge of drafting SCCs that apply region-wide?
Cautiously, as it turns out. The ASEAN Model Contractual Clauses (MCCs), approved at a meeting of the ASEAN digital ministers on January 22, 2021, are purely voluntary, in recognition of the different levels of development of ASEAN member states – not to mention the fact that ASEAN has no authority to make the MCCs binding. Unlike the EU SCCs, the ASEAN MCCs are primarily designed for intra-ASEAN flows of personal data. However, they may be used for transfers to non-ASEAN countries, particularly those with legal regimes based upon the principles of the APEC Privacy Framework or the OECD Privacy Guidelines, from which the principles in the ASEAN Framework on Personal Data Protection (2016) are derived. Moreover, unlike the EU SCCs, the ASEAN MCCs may be freely modified – and in fact modifications may be required to reflect national laws. (Singapore has issued guidance in this respect.)
While the MCCs aren’t binding, several ASEAN members (including Singapore) have issued statements indicating that the MCCs are compliant with those members’ national data protection laws.
The Ibero-American Data Protection Network (RIPD) took an approach similar to ASEAN’s. The mission of the RIPD, an organization consisting of 22 Data Protection Authorities from Spain, Portugal, Mexico, and other countries in Central and South America and the Caribbean, is to promote the development of comprehensive data protection laws throughout Latin America. The drafting of SCCs falls squarely within the scope of that mission.
Last month, the RIPD published a final version of a Model Transfer Agreement (MTA) aimed at addressing the requirements of the Personal Data Protection Standards for the Ibero-American States, which permits transfers of personal data by parties that have entered into contractual commitments providing sufficient data protection guarantees. But like the ASEAN MCCs, the MTA isn’t binding on RIPD member governments.
Since both the ASEAN MCCs and the RIPD MTA are of recent vintage, it remains to be seen whether they will be embraced by businesses within those regions. Certainly the absence of any legal whip behind these regional SCCs will be a limiting factor.
The SCCs Report of the Future of Privacy Forum
In its report on various regional SCC frameworks, the Future of Privacy Forum has done a masterful job of analyzing the terms of the ASEAN MCCs and the RIPD’s MTA against the EU SCCs. Particularly useful is a side-by-side comparison of the frameworks, focusing on key areas such as core party obligations, data subject and third party rights, and responding to government requests.