The very first unified regulation on personal data protection in Vietnam is expected to follow GDPR standards
Companies that collect, process and store personal data in Vietnam should pay close attention to the development of the local legal framework for data protection, which may have significant changes this year. In September 2020, the Vietnamese Government officially approved the proposal to draft a Decree on Personal Data Protection and tasked the Ministry of Public Security (MPS) to prepare the draft Decree for the Government’s review by the first quarter of 2021.
The EU has strong supported this legislative proposal. The draft Personal Data Protection Decree (the “Decree”) will be developed within the framework of the project "EU Justice and Legal Empowerment Program in Vietnam” (EU JULE), as announced in a consultation workshop on personal data protection on cyberspace held by the MPS, the Ministry of Justice (MOJ) and the United Nations in early December 2020. In this workshop, the MPS and MOJ collected relevant opinions, legal and practical insights from telecommunications and Internet companies, and opinions from local and foreign data experts to draft of the Decree.
The MPS has also revealed that the Decree is developed so that Vietnam can meet international standards of personal data protection, including the GDPR standard. The EU’s GDPR is widely influential and its reach can certainly affect Vietnam. One of the reasons is that the GDPR is applicable to any company that interacts or conducts business with EU citizens. The GDPR provisions provide a good model for Vietnam to follow, especially over individuals’ control of their personal data. For example, under the GDPR, data subjects have the rights to access, erase, change their own data that is under the possession of a company. Data processing is subject to record-keeping obligations and to the consent of the data subjects, i.e., data subjects would have a say about how their data is used.
Currently, without a unified data regulation, Vietnamese public and private entities do not have a standardised process in storing and processing personal data. This poses a serious threat to personal rights and the growth of a digital economy. There are concerns that biometrics, financial or even medical data may have been collected, used, processed, or transferred without consent. Therefore, calls have grown for a regulation governing such matters and the Vietnamese Government has addressed those calls accordingly.
Within the ASEAN region, only four (i.e., Malaysia, Singapore, Philippines, and Thailand) out of ten countries have unified data regulations. If Vietnam manages to roll out its own data regulation this year, it will be fifth country in the ASEAN region to do so.