Making cross-border data flow easier for Asean businesses: Opinion

For companies operating in Asean, growth is often synonymous with crossing borders – not just to reach customers, but to manage operations.

A business headquartered in Singapore may manage human resources from the city-state while employing staff in Manila, storing transaction records and customer data on a server in Jakarta, and processing payments through a shared service centre in Kuala Lumpur. This regional model seems efficient and sound until it comes up against a growing patchwork of national data protection laws.

Every major Asean economy regulates how personal data can be collected, stored and shared by companies. For businesses, this means a new kind of trade barrier: typically, personal data can no longer move freely across borders unless the receiving party guarantees protection to an equivalent or adequate standard.

For example, a Singaporean company that shares customer or employee data with its Malaysian subsidiary must ensure that its Malaysian office is legally obliged to provide the transferred personal data a standard of protection that is at least comparable to the protection under Singapore’s Personal Data Protection Act.

As personal data protection rules vary across Asean, businesses face higher costs and greater legal risk when navigating these compliance requirements. Across the region, some mechanisms already exist to ease that process.

The Asean Model Contractual Clauses (MCCs), recognised by regulators in Singapore, Malaysia, the Philippines and Thailand, provide standardised terms for the sharing of personal data across national borders between unrelated companies in Asean. While the MCCs are practical for external commercial relationships, such as between a business and its service provider, they are not specifically tailored for data flows within the same corporate group.

The model in Europe

In Europe, companies can enter into binding corporate rules (BCRs) as a legal basis for cross-border data flows. A set of BCRs is a legally enforceable framework that governs how the members of a group of companies handle personal data transfers within themselves across borders. It binds all group members to a shared set of duties, including measures to ensure data security.

In addition to BCRs, a group of companies can have a group data protection policy that contains the operational standards and safeguards that the group should adhere to. While such a policy sets out what the group’s data protection practices are, BCRs ensure that these practices are legally binding.

The framework of BCRs is well established under Europe’s General Data Protection Regulation. In contrast, Asean operates without a common cross-border data protection framework, leaving such mechanisms to individual member states.

Different member countries recognise different legal bases for transferring personal data across borders, though countries such as Singapore, Malaysia and Thailand have recognised BCRs as a valid basis for cross-border transfer, albeit each with varying requirements of what the BCRs should contain.

A solution for Asean

For small and medium-sized enterprises (SMEs), which form the backbone of the Asean economy, keeping up with the different data protection rules across the bloc can be a challenge. Some do not have in-house legal teams, or budgets to engage law firms to draft new agreements every time personal data moves between regional offices.

The Intra-Group Agreement for Cross-Border Transfers of Personal Data, a publicly available framework developed by the Asian Business Law Institute, fills an important gap. Intended to help corporate groups manage sharing personal data across borders more seamlessly, it contains a set of template clauses that these companies can use to form their own BCRs.

The tool is designed for groups with shared human resources, finance or IT systems, which may be cloud-based. In such an arrangement, the individual member companies would need to transfer personal data to the entity handling these shared services.

Examples of such personal data include customer records and purchase history for record-keeping or market research, customer contact details for after-sales or call-desk support, and employee contact details and payment information for payroll functions.

The Intra-Group Agreement can aid SMEs in meeting their data protection obligations, giving them greater confidence to expand across borders, knowing that their data practices can keep pace with growth.

As digital trade deepens, the ability to move personal data safely across countries will influence how seamlessly Asean economies connect. Frameworks such as the MCCs and Intra-Group Agreement provide practical scaffolding for businesses, by helping them to meet complex legal obligations while strengthening their data protection practices.

The writers are from the Asian Business Law Institute, a Singapore-based think tank promoting the convergence of Asian business laws. Mark Fisher is executive director and Michelle Chua is senior assistant director.

Source: The Business Times © SPH Media Limited. Permission required for reproduction.

ADV: Business Mandarin for Legal Professionals (Synchronous e-Learning) Drew & Napier, Withers to collaborate on claims against Switzerland over Credit Suisse AT1 losses