As the calendar turns to July 1, 2023, a new chapter in data privacy legislation will open in Vietnam. Decree No. 13/2023/ND-CP concerning personal data protection, henceforth referred to as "Decree 13," commences operation. This pivotal piece of legislation bears relevance for agencies, organizations, and individuals spanning the globe who are engaged in the processing of personal data within Vietnam.

During the construction of Decree 13, lawmakers did not operate in isolation. Instead, they meticulously examined international standards and legislations to secure a robust foundation for this decree. Their study encompassed the Council of Europe's Convention on the Protection of Individuals regarding Automatic Processing of Personal Data, United Nations' guidelines for regulation of computerized personal data files, U.S personal information Protection Act, and the well-renowned European General Data Protection Regulation.

Nonetheless, it is essential to understand that Decree 13 does not mirror these international standards verbatim. It introduces unique provisions which are inherently distinct. Consequently, organizations operating in Vietnam might find their data processing activities aligned with one or more international standards, but this doesn't guarantee compliance with Decree 13.

This critical realization urges both domestic and foreign organizations engaged in personal data processing in Vietnam to promptly familiarize themselves with this new decree. Proactive efforts to comprehend and adapt to the changes imposed by Decree 13 are imperative to ensure legal compliance.

In the forthcoming sections of this article, we endeavor to shed light on key elements of Decree 13. We aim to highlight areas that call for greater specific guidance, providing a balanced examination and assessment of this significant legal shift. Stay tuned as we delve deeper into understanding the ramifications of this landmark legislation.

1. The Debate over Derived Data

Decree 13 categorically outlines what constitutes 'personal data'. It is described as any information tied to a specific individual, enabling their identification. Such data spans various elements, including the individual's name, birth date, gender, nationality, online activity history, and even their image.

However, a burgeoning debate that has emerged in the wake of Decree 13 centers around the status of synthesized information or models drawn from personal data. This subset of data, typically used for aggregated information or predictive behavioral modeling, is not directly tied to a specific individual, leading to contentious views on whether it falls under the umbrella of 'personal data'.

Some stakeholders argue that such information and models don't qualify as 'personal data'. They base their claim on the fact that these data artifacts, though derived from personal data, do not carry identifiable information about a specific individual. Instead, they serve more generalized purposes like information aggregation or behavior prediction at a group level.

In contrast, a contrary viewpoint posits that these synthesized information and models indeed qualify as personal data. Advocates of this perspective underline that these entities are, after all, created from information initially linked to individual subjects.

As Decree 13 is a novel legislative tool in Vietnam, the state's official stance on this matter remains ambiguous. However, the implications of this decision will significantly impact companies operating in Vietnam. If the state authorities categorize synthesized information and models derived from the personal data of Vietnamese individuals as 'personal data', these entities will be obligated to notify and acquire consent from data subjects before utilizing such information and models.

Therefore, the precise interpretation and application of Decree 13 in the context of derived data will be a crucial development to watch.

2. No Longer 'Silent Agreement

In the world of personal data protection, the ubiquitous "Privacy Policies" are foundational for most companies' interactions with their customers. Traditionally, many companies have adopted a tacit agreement approach, wherein customers' use of their services or products is interpreted as an endorsement of the company's privacy policies. This mechanism implies the customers' consent to the company storing and processing their personal data. However, Decree 13 revolutionizes this convention.

Under the new legislative framework established by Decree 13, personal data processing necessitates explicit consent from the data subject. This consent can't be assumed or inferred – it needs to be actively expressed. Decree 13 offers examples of what constitutes active expression of consent, including written consent, verbal agreement, ticking a consent box, utilizing a text message consent syntax, or choosing technical consent settings.

Further underlining this crucial change, Decree 13 unequivocally states that silence or non-response can no longer be misconstrued as consent. This stance introduces a significant shift in how companies must approach data privacy practices, requiring them to rethink and reshape their processes for obtaining consent.

In light of these changes, companies must overhaul their strategies for consent collection to ensure they adhere to the principles enshrined in Decree 13. Mere use of services or products will no longer be accepted as an endorsement of privacy policies. Henceforth, an active, unambiguous expression of consent is the new norm.

3. Untangling the Nuances of Consent Format and Verification

Decree 13 introduces rigorous stipulations concerning the format and proof of a data subject's consent. According to the decree, the consent needs to be in a printable, copyable text format. This can be achieved electronically or through any other verifiable means. A further onus is placed on the data controller and/or processor to be able to substantiate the data subject's consent in case of disputes.

However, these mandates raise several important questions that are yet to be clearly addressed by the state authorities. The specific criteria for storing and validating the data subject's consent remain ambiguous. What form of evidence will be deemed adequate to satisfy these requirements?

Moreover, a seemingly contradictory provision within Decree 13 has sparked further discussion. The decree states that consent can be expressed verbally, but how does this align with the need for consent to be in a printable, copyable format?

These aspects underline the complex nuances that are part and parcel of implementing a comprehensive legislation like Decree 13. As we navigate this new landscape of data protection, clarity on these critical issues will be essential for organizations striving to stay compliant with the decree's mandates. We eagerly await further guidance from the state authorities to elucidate these intricate aspects of Decree 13.

4. The Principles of Informed Consent in Personal Data Processing

In the realm of personal data protection, consent isn't just about saying 'yes' or 'no'. Decree 13 heralds a more nuanced approach to consent, emphasising the principle of 'informed consent'. Simply agreeing to a company's Privacy Policy does not confer the company with unfettered rights to process a customer's personal data.

According to Decree 13, consent is rendered valid only when the data subject has a complete understanding of:

(i) The purpose of processing personal data;

(ii) The type of personal data that will be processed;

(iii) The organization that will be handling the personal data; and

(iv) The rights and obligations of the data subject.

In addition to these pillars of informed consent, Decree 13 mandates the data controller and processor to notify the data subject about:

(v) Information on other organizations or individuals connected with the processing purpose;

(vi) Potential undesirable outcomes and damages; and

(vii) The timeline, explicitly outlining the start and end of data processing.

In effect, if a company's Privacy Policy and notifications fail to comprehensively address these seven elements, any obtained consent is invalidated. This nuanced interpretation of consent places a greater responsibility on organizations to ensure transparency and understanding before personal data processing takes place. It also empowers data subjects by demanding their full knowledge and understanding before they give their consent.

5. Navigating the Scope of Notification for Data Processing Purposes

The customary practice for companies when articulating privacy policies has been to provide broad, overarching reasons for processing personal data. Yet, the advent of Decree 13 calls this approach into question. The decree asserts that consent from data subjects is deemed valid only when they comprehend crucial aspects of data processing, including the purpose of processing their personal data.

As Decree 13 is still in its early days of implementation, uncertainty exists regarding the authorities' stance on the specificity of notifying the purpose. Will a generalized statement of intent, such as 'research and development', suffice? Or will authorities require more specific detailing, such as 'researching and developing models to assess and predict human behavior and habits to share with partners'?

Decree 13 certainly advocates for a more informed, detailed approach to consent and data processing. But the precise level of detail required when communicating the purpose of processing personal data remains unclear. This area is ripe for clarification as the interpretation and enforcement of Decree 13 unfolds, and organizations will need to pay close attention to forthcoming guidance.

6. Illuminating the 'Right to Know' and the 'Right to be Forgotten'

Decree 13 recognizes and enforces more than just the right to consent. Two other pivotal rights, specifically the 'Right to Know' and the 'Right to be Forgotten', are firmly anchored in its text, defining the expanded horizon of personal data rights in Vietnam.

The 'Right to Know' encompasses a range of sub-rights for the data subject. These include:

  • The right to be informed about the processing activities involving their personal data;
  • The right to access their own personal data;
  • The right to rectify or request amendments to their personal data; and
  • The right to request a copy of their personal data.

Simultaneously, the 'Right to be Forgotten' establishes a new set of entitlements for the data subject, including:

  • The right to erase or request erasure of their personal data;
  • The right to request restriction on the processing of their personal data; and
  • The right to prevent or limit the disclosure of their personal data for advertising or marketing purposes.

These rights usher in a new era of personal data protection in Vietnam. Data subjects now possess significant control over their personal data, from understanding how their information is being used to requesting its removal altogether. It's a clear testament to the broader global shift toward empowering individuals in the digital sphere and protecting their personal data rights.

7. Impact on Cloud Storage and International Data Transfers

Decree 13 brings about substantial changes to how data is handled across borders, with specific focus on entities transferring data abroad. Under its mandate, any entity looking to transfer personal data overseas must conduct an impact assessment on such transfers and strictly follow the designated legal procedures. This provision has significant implications for a vast number of companies operating in Vietnam, both domestic and international.

An interesting aspect to consider is the ubiquitous use of foreign cloud computing services, such as those provided by Amazon, Google, and Microsoft, which are utilized extensively by numerous domestic companies in Vietnam. This often includes the storage of their customers' personal data. Given Decree 13's stipulation, these practices now come under the scanner, requiring the companies to re-evaluate their current data management strategies.

The intersection of cloud computing and international data transfers under Decree 13 illustrates the complex, multi-layered challenges of data governance in the digital age. Navigating these regulations will require both legal and technological acuity, as companies must strike a balance between leveraging global digital infrastructure and complying with local data protection laws. As we move forward, detailed guidance on how to practically comply with these provisions will be eagerly awaited by many organizations.

8. The Call for Designated Personal Data Protection Personnel

A key aspect of Decree 13's framework for data protection is the mandate for all agencies, organizations, and businesses engaged in personal data processing to appoint dedicated personnel or department for data protection. This signifies the importance and necessity of internal expertise in managing and protecting personal data.

However, Decree 13 has yet to provide specific guidelines on the scope of responsibilities, requirements, and standards for these data protection roles. The legal and business community awaits additional instructions from authorities to understand and implement this aspect of the decree fully.

In the interim, companies can look towards the European Union's General Data Protection Regulation (GDPR) for guidance. The GDPR provides a robust framework for the role of a Data Protection Officer (DPO), outlining their tasks, competencies, and position within an organization. You can access this resource at [GDPR EU Data Protection Officer Guidance](https://gdpr.eu/data-protection-officer/).

Although it's clear that Decree 13 takes strides in bolstering personal data protection in Vietnam, the lack of clear directives for implementing certain provisions underlines the need for ongoing dialogue and clarification. The appointment and role of personal data protection personnel is one such area where further instruction will be eagerly anticipated.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.