By Desarack Teso | April 29, 2021, 1.30PM
The time is ripe for Member States of the Association of Southeast Asian Nations (ASEAN) to take initiative to promote the adoption of cloud computing in the public sector. Just as the current unprecedented time requires more digital innovation, creative policymaking is required as well.
The Framework on Digital Data Governance that was agreed to in 2018 could be a potential platform. Under this framework, the Member States approved the Data Management Framework (DMF) and the Model Contractual Clauses for Cross Border Data Flows (MCCs) in January 2021. This came on the heels of ASEAN’s signing of the Regional Comprehensive Economic Partnership Agreement (RCEP) with major economies – Australia, China, Japan, Korea and New Zealand – in November 2020.
These multilateral instruments will no doubt help to facilitate cross border data flow and promote data protection, but they do not apply to the public sector.
Chapter 12 on Electronic Commerce commits the signatories not only to promote cross-border data flow, but also to refrain from requiring computing facilities (e.g., servers, data centers) to be located locally as a condition to conduct business in its territory. However, these commitments do not apply to a “financial institution” or a “public entity.”
Data Management Framework
The DMF, which was previously called the ASEAN Data Classification Framework, recognizes that companies need to develop data governance structure and appropriate data protection safeguards based on the purpose of data use throughout the data lifecycle (e.g., data in transit, data at rest). The DMF sets out voluntary and practical guidance for private sector businesses operating in ASEAN to enable them to build their own policies and procedures using a risk-based data management methodology.\
Model Contractual Clauses for Cross Border Data Flows
The MCCs are voluntary, baseline contractual terms and conditions that may be included in a binding commercial contract between businesses that are transferring personal data to each other across borders. Similar to the EU GDPR’s standard contractual clauses (SCCs) concept, the MCCs could potentially provide a legal basis for the cross-border transfer of data within ASEAN. The ASEAN MCCs provide two modules based upon the nature of the relationships (i.e., Controller-to-Processor Transfer, Controller-to-Controller).
Time is Now for Cloud-First Policy for Public Sector
RCEP, DMF and MCCs provide a great starting point to enhance trust and confidence for private sector companies to use cloud and digital technologies to ensure business and operation continuity amidst the current global pandemic, as well as to avail themselves of new innovation and business opportunities in the post-pandemic era.
As for the public sector, ASEAN Member States such as Malaysia, the Philippines and Singapore that adopted variations of a cloud-first policy and/or strategy before the pandemic should find themselves in a better position to ensure the continuity of government operations and service delivery to their citizens. The Philippines, which was the first Member State to adopt a cloud-first policy in 2017 (and later amended in 2020 in response to the pandemic), requires public sector organizations to adopt cloud computing as the preferred ICT deployment strategy unless they can present “adequate, reasonable and well-reasoned justifications” against the cloud option.
At the ASEAN Leaders’ Meeting held on 24 April 2021, the Member States expressed commitment to support the timely realization of the region’s 2021 deliverables around three strategic priorities of Recovery, Digitization and Sustainability. The time has never been more ripe for ASEAN leaders to initiate a meaningful discussion on a cloud-first policy as one deliverable to advance each of these priorities.