ARTICLE
12 November 2024

Revisions To Vietnam's Data Protection Laws Are Coming

RV
Russin & Vecchi

Contributor

Russin & Vecchi was founded in Asia over 60 years ago. We have offices in Ho Chi Minh City and Hanoi. We work with global clients and with international law firms. From entry strategy to operations, we help clients navigate the complex and changing Vietnamese regulatory framework. We deliver creative, compliant, and practical solutions.
The regulatory framework for data privacy is mostly contained in Decree No. 13/2023/ND-CP ("Decree 13"). After slightly over one year of rather lenient implementation...
Vietnam Privacy

The regulatory framework for data privacy is mostly contained in Decree No. 13/2023/ND-CP ("Decree 13"). After slightly over one year of rather lenient implementation, the Government is now programing a significant upgrade -- to elevate it to a superior statute in the legislative hierarchy.

On September 24, 2024, the Ministry of Public Security released the first draft of the new Law on Personal Data Protection ("DraftLPDP") for public comment. The Draft LPDP will be open for public feedback until November 24, 2024--a relatively short period of time. The draft law when enacted, will mark a significant step toward creating a comprehensive framework for personal data protection.

There are 68 articles across seven chapters in the Draft LPDP. In a nutshell, the Draft LPDP will not only creates a more stringent framework than Decree 13, but also widens its outreach to areas like marketing services, big data processing, AI, cloud computing, employment, financial, health care and insurance. It is expected that once the Draft LPDP is finalized and becomes effective, Decree 13 will have to be adjusted to reflect the finalized law on personal data protection.

Compared to Decree 13, the Draft LPDP proposes the following key differences:

  • Expanded scope: Adding to the scope of Decree 13, the Draft LPDP now seeks to regulate entities and individuals processing the personal data of foreigners within Vietnam. This wide-ranging scope ensures that the new regime will cover all processing activities within Vietnam for onshore Vietnamese and foreign data subjects, as well as offshore Vietnamese data subjects.
  • Strict consent requirements: Consent continues to serve as the primary legal basis for processing personal data. The Draft LPDP makes it clear that a person can act on behalf of a data subject in relation to that person's personal data as long as the data subject has given consent and appropriate authorization. The Draft LPDP does not change the concept that it will not recognize "legitimate interest" as a legal basis to ignore the need for consent.
  • New and revised definitions: Sensitive personal data will now cover land use rights information. There are new concepts, such as a "personal data protection expert", "personal data protection reputation rating", "anonymization of personal data", "use of personal data for marketing" and "targeted or behavioral advertisements using personal data".
  • Data Protection Impact Assessment and Offshore Data Transfer Impact Assessment: The Draft LPDP continues to mandate the preparation, submission and maintenance of impact assessments. Importantly, the Draft LPDP enlarges the requirement, in that these impact assessments must be updated every 6 months (if there is any change). Upon a major change such changes will be listed in the Draft LPDP. It is not clear whether an update is required if there's no change to a company's data practices.
  • Appointment of data protection officer: The Draft LPDP goes beyond Decree 13, which only requires the appointment of a data protection officer/department/unit if sensitive personal data is involved. The Draft LPDP, if adopted in its current form, would mandate the creation of a data protection department for processing both basic personal data and sensitive personal data. The Draft LPDP also requires that companies have at least one "personal data protection expert" in that department. Detailed information on qualifications and recruitment of such "personal data protection expert" is also provided.
  • Compliance rating system: The Draft LPDP introduces a personal data protection rating system for businesses, which is based on compliance. Companies can be rated "high credibility" or "trusted" based on their personal data protection practices, and the rating can enhance market reputation. The Draft LPDP also contains provisions in relation to which an entity can be licensed to provide rating services, and the qualifications and licenses involved.
  • Offshore transfer of data: In addition to circumstances already provided in Decree 13, the Draft LPDP expands circumstances whereby personal data may be provided offshore.
  • Provisions for processing personal data in specific sectors: There are special provisions in relation to dealing with personal data in financial, banking, credit, and credit information activities.

These are the major differences between the Draft LPDP and the existing Decree 13. This is only the first draft and changes are expected as comments are received and as drafts evolve. However, from this draft, it seems clear that the obligations provided under Decree 13, including the obligations to prepare, submit and maintain impact assessments and the obligation to appoint a data protection department/officer, are not likely to be diluted.

Public comments are solicited. The Draft LPDP aims at an effective date of January 1, 2026. Companies should continue to monitor their personal data practices and stay tuned with Vietnam's evolving data protection paradigm.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More