Government Approves Legislative Dossier
On February 7, 2023, the Vietnamese government issued Resolution No. 13/NQ-CP (“Resolution 13”) to approve the latest version of the draft Personal Data Protection Decree (“Draft PDPD”)—a draft which has not yet been made public.
Similar to Resolution No. 27/NQ-CP issued in March 2022 approving the previous version of the Draft PDPD (“Resolution 27”), Resolution 13 stipulates the different cases where data subjects’ consent is exempted for processing personal data. Most of these lawful bases are similar to those under Resolution 27—except for the fourth case, which is brand new—with some changes for better clarity.
According to Article 1 of Resolution 13, personal data can be processed without consent in the following five cases:
(1) The processing is to protect the life and health of the data subject or others in an emergency situation. Data Controllers, Data Processors, Parties Controlling and Processing Personal Data, and Third Parties are responsible for proving this case;
Remarks: Vietnamese law, including the prior published version of the Draft PDPD, has never used the terms “data controller”, “data processor,” and “parties controlling and processing personal data.” The inclusion of these terms suggests that the latest version of the Draft PDPD has adopted the GDPR-like concepts of “data controller” and “data processor.” However, until the latest version of the Draft PDPD can be assessed, it is uncertain how these concepts are defined and whether they are fully in line with GDPR definitions.
(2) The disclosure of personal data is in accordance with the law;
(3) The processing of data is performed by competent state agencies in the event of a state of emergency related to national defense, national security, social order and safety, major disaster, or dangerous epidemic; when there is a threat to security and national defense but not to the extent that a state of emergency must be declared; or when the processing is to prevent and combat riots and terrorism, crime, and law violations in accordance with law;
Remarks: This expands the list of situations where the data subject’s consent is exempted compared to a similar criterion in Resolution 27, which simply mentioned “national defense and security requirements.”
(4) The processing is to fulfill the contractual obligations of the data subject with relevant agencies, organizations, and individuals as prescribed by law;
Remarks: Under current legislation, consent is exempted when personal data is used for signing, modifying, or performing a contract to use information, products, and services in the network environment between the data subject and an IT/e-commerce trader/service provider. This basis for consent exemption is stipulated under the Information Technology Law and Decree 52 on E-Commerce.
This new basis under Resolution 13 has been broadened to include the processing of personal data for performing any types of contracts involving the data subject as a party. These contracts may include employment contracts and contracts for purchase of goods/services outside the IT/e-commerce context.
The Draft PDPD seems to have adopted the lawful basis under Article 6.1(b) of GDPR: “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.” Interestingly, the basis of processing for “legitimate interests of the controller or third party” under the GDPR does not appear in Resolution 13. As the Vietnamese legislator has always refused to adopt this basis into the Vietnamese data protection regime, it is unlikely to be covered by the Draft PDPD.
The wording of this newly added criterion is rather broad and subjective. It is unclear what could be considered necessary to “fulfill the contractual obligations,” and whether this criterion could be interpreted broadly enough to cover “legitimate interests” of the employer/service provider when implementing contractual obligations with data subjects.
If there is no further guidance on this criterion, we believe that it would be open to the authority’s discretion in interpretation and the arguments of the parties on a case-by-case basis.
(5) The processing is to serve the activities of state agencies prescribed by sector-specific laws.
Remarks: Resolution 27 included the criterion “the processing is for competent state agencies’ investigation and handling of law violations,” which has been removed from Resolution 13. It could be argued, however, that this criterion under Resolution 13 is sufficiently broad to cover the same cases.
Review by the National Assembly
Following the issuance of Resolution 13, on February 8, 2023, the National Assembly’s Committee for Defense and Security held a plenary meeting to review and discuss the newly approved Draft PDPD. According to media reports recapping the discussion, most of the delegates attending the meeting believed that this version of the Draft PDPD had been prepared quite thoroughly, with due consideration of opinions contributed by other state agencies and the public during the consultancy phase. However, given the significance of the PDPD, which covers novel issues that have rarely been tested in practice, the Draft PDPD was still subject to extensive comments from the delegates in the meeting, and possible further review by the Committee for Defense and Security.
What’s Next for the Draft PDPD?
Resolution 13 approves the content of the government’s report on the Draft PDPD, the report on collecting and considering opinions of the Standing Committee of the National Assembly, and the content of the latest version of the Draft PDPD; and assigns the Minister of Public Security, on behalf of the government, to report on and consult with the Standing Committee on the Draft PDPD. This means the resolution works as direction and approval of principles for key issues so that the Ministry of Public Security can complete the Draft PDPD for the Standing Committee’s approval before its eventual promulgation.
According to Article 2 of Resolution 13, as the next step, the Minister of Public Security will have to consult the Standing Committee of the National Assembly on the new version of the Draft PDPD. No specific timeline for promulgation has been announced. Following the review session by the Committee for Defense and Security, the Ministry of Public Security will need to consider the opinions of the delegates in the session and update the Draft PDPD accordingly, before submitting it to the Standing Committee.