A practical comparison of the EU, China and ASEAN standard contractual clauses

Published: June 2023


Are we witnessing a watershed moment for standard contractual clauses as a mechanism for cross-border data transfers in major jurisdictions across the globe? The People's Republic of China Standard Contract was issued in March 2023; the current form of the EU SCCs has been in effect since June 2021, and the U.K. International Data Transfer Addendum to the EU SCCs since March 2022; and the Association of Southeast Asian Nations published its Model Contractual Clauses in January 2021.

In this article, we compare three sets of standard contractual clauses, namely those of China, the EU and ASEAN, based on their key features. For consistency, we refer to personal data under the three frameworks as encompassing any data or information from which an individual or data subject can be identified, and this is used synonymously with personal and personally identifiable information.

A comparative look at the SCCs for China, the EU and ASEAN

  • Applicability
  • Fixed form
  • Modules
  • Data transfer and personal information protection impact assessments
  • Data breaches
  • Onward transfers
  • Suspension of transfers
  • Filing/retention requirements
  • Governing law and forum
  • Supervisory authority

A global look

On top of the standard contracts mentioned above, other examples exist or are currently being discussed, including at a regional level.

For instance, the Latin American Data Protection Board SCCs were issued in September 2022 with the aim of providing a harmonized framework for organizations within the region to securely transfer personal data to recipients based in other territories that are not considered to provide an equivalent level of personal data protection. It should be noted that, in contrast to the EU SCCs, Latin America has no jointly approved SCCs at a regional level. In fact, some territories, e.g., Uruguay and Argentina, have developed specific SCCs based on their national legislation, which must be followed instead. Having said this, the Latin American Data Protection Board SCCs, which can also be validated with a local data protection authority for these purposes, are generally accepted as an adequate safeguard when undertaking these types of transfers.

Further, the Council of Europe is also working on updating its model contractual clauses for the transfer of personal data, which date back to 1992. The latest revised draft of the CoE MCCs was released in March 2023. The revised CoE MCCs provide a framework for transfers of personal data from a party country to a nonparty country under the CoE's Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+). In their current form, the revised CoE MCCs largely follow the structure of the EU SCCs. For example, they contain provisions relating to purpose limitation, third-party beneficiary rights, transparency, accuracy, data minimization, storage limitation, security, onward transfers, data subjects' rights and a redress mechanism, and impose obligations on the data importer in case of access by public authorities. Like the EU SCCs, the CoE MCCs also offer the possibility to make certain choices, the so-called "options", and require signatories to include details of the data transfers and security measures in the annexes. However, some differences remain. Unlike the EU SCCs, which consist of four different modules, the CoE MCCs are limited to one scenario for both controllers and processors.

Additionally, while the EU SCCs are a standardized tool for data transfers in all EU member states, Convention 108+ parties may decide whether or not to approve the CoE MCCs as their standardized tool. Finally, although the general structure of the EU SCCs and the CoE MCCs is similar, the obligations do not fully overlap. For example, both sets of clauses envisage data breach reporting but differ in the reporting modalities. The revised CoE MCCs are still a work in progress, and the final version may turn out to be more or less similar to the EU SCCs.

Challenges of coping with unharmonized standard contracts

With the development of multiple standards, hoping for one single set is probably a pipe dream, and one that might not even be fully functional, as it will likely lead to a stricter-rule approach. This raises questions about what, if anything, can be done to achieve a greater level of interoperability. Policymakers play a pivotal role in working toward mutual recognition of the currently fragmented patchwork of standard contracts that underpin global data transfers. In their recently published first-of-its-kind guide identifying the similarities and differences between the ASEAN MCCs and the EU SCCs, the European Commission and ASEAN explained their objective was to aid companies in meeting requirements under both sets of contractual clauses, as well as their data protection laws, more broadly. Hopefully, this will be the first of many guides that offer an approach for interoperability between two otherwise distinct sets of contractual clauses. Without any consensus, multinational corporations with business or operations that straddle more than one of these blocs would need to draft intragroup agreements that include multiple sets of SCCs, built as appendices and with particular attention paid to hierarchy clauses.


Additional IAPP data transfer resources

  • International Data Transfers topic page
    On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
  • EU Standard Contractual Clauses
    On June 4, 2021, the European Commission released new standard contractual clauses for international data transfers. The IAPP created documents, one for each transfer scenario accommodated by the new SCCs, incorporating only the modules relevant to that scenario into each document.
  • Global data transfer contracts
    This infographic shows the jurisdictions that have taken steps to standardize draft contractual clauses for transferring personal data internationally.
  • Global adequacy capabilities
    This infographic shows the jurisdictions that vest powers in either the data privacy regulator or a government authority to designate other jurisdictions as having “adequate” data privacy standards.

