Vietnam: Vietnam's Personal Data Protection Decree: Recent Developments & What To Expect

The Vietnamese Government issued Resolution No. 27/NQ-CP on 7 March 2022 (Resolution 27) on 7 March 2022 approving the latest version of the highly anticipated Personal Data Protection Decree (Draft PDP Decree). With Resolution 27, the drafting body (Ministry of Public Security (MPS)) will share the Draft PDP Decree with the Standing Committee of the National Assembly (SCNA) for consultation. That said, this approved version remains undisclosed. Resolution 27 also designates the Ministry of Public Security (MPS), the Draft PDP Decree's drafting body, as the authority to develop Personal Data Protection Law. The MPS is to coordinate with the Ministry of Justice in producing Vietnam's Personal Data Protection Law by 2024.

By way of background, the Draft PDP Decree was first released for public consultation in February 2021, and slated to take effect in December 2021. The February 2021 version prompted much feedback from the business community around - among others, requirements on sensitive data processing (Article 20) and cross-border transfer of personal data and data localization (Article 21) - possibly contributing to delay in issuance. Amendments to these provisions in response to previous public comments are expected to have been made in the approved version.

According to Resolution 27, the MPS must consult the SCNA on the Draft PDP Decree. This SCNA consultation is a special process applied to the promulgation of decrees of a quasi-law nature, which appears to be the case with the Draft PDP Decree. Such decrees are those that regulate issues that should be governed by a law within the legislative competence of the National Assembly but a relevant law does not yet exist. While it is unclear whether the SCNA can collect further public opinions on the recently approved version of the PDP Decree, it is noted that Prime Minister's Decision 06¹ provided a fast-approaching deadline of May 2022 for the MPS to submit a final version of the Draft PDP Decree for Government submission for enactment.

As mentioned above, while the approved version has not been made public, Resolution 27 does shed light on the Draft PDP Decree's principles for personal data to be processed without the data subject's consent, which are as follows:

• When the data processing is necessary in response to an emergency that threatens human life, health or safety;
• When the data is disclosed according to laws;
• When the processing is for the purpose of national defense or security;
• When the processing is for investigation into or handling of law violations; or
• When the processing is for other state activities by competent state authorities.

The above-mentioned principles appear to be in line with the Government's goals to exercise greater sovereign control over personal data and enhance cyber information security with the promulgation of the PDP Decree.

Footnote

1. Prime Minister's Decision 06/QD-TTg dated 6 January 2022 approving the project to develop the application of population data, identification and electronic authentication for national digital transformation in the period of 2021-2025, with a vision to 2030.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.