In April 2019, the Ministry of Public Security (MPS) started developing an omnibus data protection decree as a sub-legislation to the Cybersecurity Law. This reflects the Government’s goal of developing a comprehensive legal framework regarding data protection that is in line with international standards. On 27 December 2019, the MPS published the first version of the draft Decree on Personal Data Protection (Draft Decree).
The Draft Decree consists of six (6) chapters, mostly in skeletal form, as the specific contents of each chapter have not been drafted.
I. General concept of personal data in Vietnam
Chapter I introduces the general provisions regarding personal data in Vietnam and defines different relevant terms and principles in the data privacy context.
In particular, Personal Data is defined as data about information in the form of symbols, [alphabetic] letters, numbers, images, sounds or other similar forms that belongs to an individual. This definition is more general and broad in scope than the definition under sectoral laws and regulations such as the Law on Cyber Information Security or Decree No. 52/2013/ND-CP on E-commerce.
Among the legal terms defined for the first time in Vietnam is sensitive personal data, which is defined to include, among others, political and religious beliefs, ethnicity or race, healthcare status, genetic information, biometric data, gender and/or sex life, and criminal records.
Personal Data Processor is also introduced and defined as a legal entity or a natural person, [or] a branch of a foreign company or state authority or local authority that processes personal data.
Main Personal Data Processor and Authorized Personal Data Processor are distinguished. Specifically, the Main Personal Data Processor gives authorization in accordance with the laws and is similar to a data controller under the European Union’s General Data Protection Regulation (GDPR), and the Authorized Personal Data Processor is authorized by the Main Personal Data Processor to process personal data on its behalf, similar to a data processor under the GDPR.
The Draft Decree also sets out the following seven (07) principles of personal data protection:
- Principle of Lawfulness: Personal data shall be collected legally
- Principle of Purpose: Personal data shall be collected for the purposes that have been consented or registered
- Principle of Simplification: Personal data shall only be collected if it is necessary to serve for a pre-determined purpose
- Principle of Restricted Use: Personal data shall only be used when consented by the data subjects or competent authorities
- Principle of Data Quality: Personal data shall be updated, sufficient and necessary to serve the purpose of processing such data
- Principle of Security: Security measures shall be applied to protect personal data
- Principle of Individuality: Data subjects shall be notified of all activities pertaining to their personal data
II. Rights and obligations of personal data processors
While the Draft Decree has not expanded on the articles providing the rights of data subjects, the Draft Decree provides that Personal Data Processors are entitled to determine the following:
- purposes of personal data processing
- types of personal data that need to be processed
- procedures and methods for personal data processing
- allowed transfer of personal data to third party
In terms of obligations, Personal Data Processors must:
- immediately delete or close personal data that is unnecessary, unless otherwise regulated by law
- ensure [compliance with] the principle of data quality and update [the same] if necessary
- ensure that controversial personal data is closed until proved [otherwise]
- notify [relevant] third party of amendments to information with regard to personal data or personal data that is not technically feasible
Under Article 4 of the Draft Decree, offshore Personal Data Processors may be required to appoint a representative in Vietnam.
Article 27 of the Draft Decree also requires that the act of transferring personal data overseas must be registered with competent authorities. However, this provision is still an outline.
We expect the final draft of the Draft Decree to expand on the above in more detail.
III. Vietnamese organizations and enterprises to coordinate with authorities to deter, prevent and handle violations of cross-border service providers
Requirements and conditions on personal data disclosure are set out under Article 8 of the Draft Decree. Clause 1 of this Article provides an exception to consent for disclosure of personal data. Specifically, consent is not required if the disclosure is to the media for the purpose of journalism where there is an enormous public interest, and the disclosure is in accordance with the ethical principles of journalism. That said, data disclosure in such instance cannot cause significant damage to the rights of the data subject. However, the Draft Decree does not define what constitutes “enormous public interest” or “significant damage.”
Article 8 further provides that data subjects have the right to require the person disclosing their personal data to end such disclosure, unless the disclosure is conducted according to law. The person disclosing [such] personal data is not required to end the disclosure of personal data if such person cannot control the devices carrying such personal data. At any time, data subjects have the right to request the person processing [their] personal data to cease the disclosure unless otherwise regulated by law and [the disclosure cessation] is technically feasible and does not cause unreasonably high costs.
IV. Areas to be developed
As mentioned, a number of provisions remain in skeletal form and the Government is currently reviewing comments from the public on the Draft Decree. The next versions of the Draft Decree would likely expand on the following:
- scope of activities pertaining to personal data
- rights and obligations of data subjects
- measures to protect personal data
- data processing registration, including registering to process sensitive personal data and registering to transfer personal data of Vietnamese nationals to another jurisdiction
- competent authorities responsible for personal information protection