On February 9, 2021, Vietnam’s Ministry of Public Security (MPS) released the full text of the Draft Decree on Personal Data Protection (the “Draft”), an ambitious attempt to unify the country’s regulations on personal data protection that are currently scattered throughout various legal documents. With personal data protection becoming such a prominent issue globally in recent years, the Draft is a necessary step in bringing Vietnam’s domestic regulations up to international standards, and offers some welcome additions and changes to the existing regulations.
The effective date for the decree as set out in the Draft is December 1, 2021, so it is important for companies doing business in Vietnam to understand the scope and potential impact of the new regulations, to get a head start on formulating plans for compliance. Below, we take a closer look at some of the more significant contents of the Draft.
1. Categorization of Personal Data into Basic Personal Data and Sensitive Personal Data
The Draft revises and elaborates on the definition of personal data found in existing laws and introduces the new concept of sensitive personal data. Accordingly, personal data is defined as data about individuals or relating to the identification of, or the ability to identify, a particular individual, and includes basic personal data and sensitive personal data.
The Draft provides an inclusive list of basic personal data (such as name, date of birth, phone number, etc.) which expands on the list defined in Decree 52 on E-Commerce and Decree 72 on Internet Services and Online Information, and also moves some of the previous personal data types, such as medical and financial information, to the new category of sensitive personal data. The scope of sensitive personal data as defined in the Draft ranges from specific types of data such as gender, biometrics, criminal records, and location, to very broad concepts such as political and religious views and social relationships.
2. New Principles of Personal Data Protection
The Draft newly introduces eight principles which need to be taken into account for the collection and processing of personal data. They are:
- Lawfulness: Personal data is only collected when necessary in accordance with the law.
- Purpose: Personal data is only processed for the purposes registered or announced.
- Data minimization: Personal data is only collected within the scope necessary to achieve the specified purposes.
- Restricted use: Personal data is only used with the consent of the data subject or with the permission of the competent authority.
- Data quality: Personal data must be up to date and complete to ensure data-processing purposes.
- Security: Protection measures must be applied to personal data in the course of data processing.
- Individuality: Data subjects must be aware of and informed of activities related to the processing of their personal data.
- Confidentiality: Personal data must be kept confidential during data processing.
3. Data Subjects’ Rights
Certain fundamental rights of data subjects have been explicitly or implicitly set out in various existing laws. These include the rights to give or withhold consent to the collection and processing of personal data; to be informed of the purposes of collection and processing; to access one’s own personal data; to request such data to be updated, amended, rectified, deleted, or no longer provided to a third party; and to claim compensation for loss caused by a breach during the provision of personal data. However, the Draft is the first piece of legislation that has systematically listed data subjects’ rights in a single provision.
The Draft also expands some new rights of data subjects, such as the rights to restrict access to personal data; to terminate the disclosure of or access to personal data; and to complain to the new Personal Data Protection Commission (see below) in certain circumstances where personal data is compromised or processed for the wrong purposes, or their rights are breached.
4. Revised Consent Principle and New Regulation on Disclosure of Personal Data Without Consent
The principle of consent is fundamental to data protection law. This key principle from existing laws is retained and elaborated further in the Draft. Generally, the consent principle is that the collection, storage, use, processing, publication, disclosure, and transfer of information and materials related to the private life or personal information of an individual must be consented to by that person, unless consent for such transaction is exempted by law, and the use of such personal information must be consistent with the scope of the consent given. Persons under 15 years of age are not deemed to have the legal capacity to give consent. Therefore, consent must be obtained from their parent or legal guardian.
However, existing data protection laws, except for Decree 52 which requires explicit consent from data subjects, generally do not explicitly regulate whether consent must be affirmative or if implied consent is sufficient. The Draft has now made it clear on this point that consent must be voluntary, based on being fully informed of certain stipulated information, and silence or non-response of data subjects may not be interpreted as consent. This means explicit and affirmative consent is required.
The Draft also provides new regulations on consent, such as that consent could be partial or conditional and could be withdrawn at any time; consent must be capable of being printed or copied in writing; consent is valid throughout the life of the data subject and for 20 years after the data subject’s death for the authorized activities of state agencies unless the data subject decides otherwise; and the burden of proving consent in a dispute rests with the processor.
Similar to existing data protection laws like Decree 52 and the IT Law, the Draft requires that certain information needs to be notified to the data subject before obtaining consent. The exemptions to the consent principle listed in the Draft are different from exemptions stipulated in Decree 52 and the IT Law; such overlap would ideally be cleared up before the Draft is promulgated.
In addition, the Draft provides new regulations on processing of personal data without consent in certain circumstances, such as when required by law; for national security or public order purposes; or as required by law in emergency situations that threaten the life or health of the data subject or public health.
Personal data may also be disclosed to third parties without consent in certain cases, such as to protect the life, health, or freedom of the data subject, or where the disclosure causes no harm to the legitimate rights and interests of data subjects and obtaining consent would be impossible.
5. Personal Data Retention
Generally, in existing data protection laws, personal data retention by controllers and/or processors is regulated for a certain period as stipulated by law or as agreed upon by the parties. In the Draft, data retention must stop, and the data must be deleted or destroyed, in the following cases:
- When the purposes of processing personal data are not in line with the registered or notified purposes.
- When retention is no longer necessary to the operation of the data processor.
- 20 years after the death of the data subject, unless the data subject decides otherwise.
6. Personal Data Protection Measures
Following the provisions in existing personal data protection laws, the Draft requires processors to apply administrative, technical, and physical measures to protect personal data, and also introduces some new requirements, such as de-identification and encryption of information, making a list of equipment and software for processing personal data, designating a specialized department in charge of personal data protection, appointing personnel in charge of personal data protection, and reporting this information to the Personal Data Protection Commission (PDPC).
The requirement of designating a specialized department to be in charge of personal data protection seems to be cumbersome, especially for SMEs which have to process personal data of their employees but whose services and operations are not related to data processing itself.
7. New Regulation on Registration for Processing of Sensitive Data
Under the Draft, sensitive personal data must be registered with the PDPC prior to processing. Processors need to prepare an application meeting stipulated requirements and submit it to the PDPC for registration approval. The PDPC will process the application within 20 working days from the date of receipt of a valid application. This requirement would be very burdensome for companies. (For further analysis, please see our previous article.)
8. New Regulation on Cross-Border Transfer of Data
Before transferring Vietnamese citizens’ personal data out of Vietnam, the processor must fulfill four stipulated conditions, one of which is that the original data must be stored in Vietnam. This so-called data localization requirement attracted a great deal of criticism when Vietnam developed its Cybersecurity Law several years ago.
So far, the data localization requirement stipulated in Article 26.3 of the Cybersecurity Law still awaits further guidance from the government. A draft decree to guide the implementation of certain articles of the Cybersecurity Law (see previous article) has narrowed down the broad wording. It is unclear how the data localization requirement will be adopted and implemented if both draft decrees are promulgated. In addition, the data transferor must build a system to store its data transfer history for three years.
Obviously, the new regulation on cross-border transfer of data could create a barrier to trade and flow of data, increase costs for businesses, and have a negative impact on the development of digital economy of Vietnam. (For further analysis, please see our previous article.)
9. Establishment of Personal Data Protection Commission
The Draft establishes a new Personal Data Protection Commission (PDPC) and sets out its functions and responsibilities. Among other functions, the PDPC can request the Director of the Department of Cyber Security and High-Tech Crime Prevention and Control, under the MPS, to carry out inspection and examination of personal data protection in an agency or organization up to twice a year, or when there is evidence of violations of personal data protection. These twice-yearly inspections, if conducted, could be burdensome and disruptive for companies.
In addition, the PDPC will evaluate and rate the reliability of personal data protection of agencies and organizations and publish this information on the National Personal Data Protection Portal.
10. New Administrative Sanctions for Violations
The Draft provides relatively high penalties for personal data protection violations. For example, fines of up to VND 100 million (approx. USD 4,300) could be imposed for violations of regulations on registration for processing of sensitive personal data; or violations of regulations on cross-border transfer of personal data. A fine of up to 5% of the violator’s revenue in Vietnam could even be imposed for certain repeated violations.
It should be noted that Decree 15/2020/ND-CP on penalties for administrative violations in the fields of postal services, telecommunications, radio frequency, information technology, and electronic transactions also provides various penalties for violations of personal data protection. It is unclear how these provisions will be treated, or whether they would be invalidated, when this Draft is promulgated. If they are invalidated, the penalties stipulated in the Draft should be comprehensive enough to cover all possible violations.
11. New Regulation on Data Processing for Research and Statistical Purposes
The Draft has a new provision for data processing for research and statistical purposes, under which consent from data subjects is not required, as long as the personal data is de-identified and/or encrypted and the processors apply data protection measures and fulfill stipulated conditions. Personal data processing results for research or statistical purposes may not be synthesized into personally identifiable information of a specific data subject.
12. New Regulation on Automated Data Processing
The Draft also has a new provision on automated data processing, applicable only in the process of participating in or carrying out a contract, provided that the data subjects are informed and have consented to the automated data processing before execution.
The Draft is open for public consultation until April 9, 2021, and is expected to face resistance from domestic and international business associations, particularly with regard to the registration and data localization requirements, which many view as overly burdensome and unrealistic in practice. In addition, before the decree is finally promulgated, questions will need to be answered as to what will happen to existing regulations on personal data protection, some of which conflict with provisions of the Draft.
As a result, further amendments are likely to be made before the decree is finalized, though it is uncertain to what degree they will affect the content of the Draft. Given these challenges, the aggressive goal of an effective date of December 1, 2021, may prove to be infeasible. We will continue to monitor the progress of the Draft and provide updates to our clients.