Nearly a year after the outline was made public, the Vietnam Ministry of Public Security (MPS) released a detailed draft of the Personal Data Protection Decree (Draft PDPD) on 9 February 2021, which immediately attracted the attention of domestic and foreign businesses, as these regulations may materially affect their day-to-day operations. The Draft PDPD comprises 6 chapters, with 30 articles in total, and is currently at the public consultation stage. Its contents are discussed below.
The Draft PDPD for the first time provides a broad definition of personal data and differentiates sensitive personal data from other types of personal data. The definition of personal data is not limited to identification of a person as in other comparable jurisdictions (e.g., the EU, Japan, Singapore), but covers “data about individuals or relating to the identification or ability to identify a particular individual” (Draft PDPD, Article 2.1). Such personal data is categorized into basic personal data and sensitive personal data as follows:
- Basic personal data: ordinary information in respect of an individual such as name, date of birth, contact address, nationality; and
- Sensitive personal data: personal data on political and religious views, health, genetics, biometrics, gender status, life choices and sexual orientation, criminals and criminal acts, financial matters, location, social relationships, and other data as provided for by laws.
In general, sensitive personal data processing requires a higher level of protection, which is discussed in II.
The Draft PDPD also introduces the concept of two types of processors, namely:
- personal data processors: “domestic and foreign agencies, organizations and individuals engaged in processing personal data” (Draft PDPD, Article 2.8); and
- third parties: “domestic and foreign agencies, organizations and individuals allowed to receive personal data and engaged in some processing activities other than the personal data processors or data subjects” (Draft PDPD, Article 2.9).
The obligations of personal data processors in respect of protecting personal data shall be stricter than those of third parties.
II. Protection in personal data processing
The main part of the Draft PDPD deals with personal data protection in data processing. In sum, the draft provides three layers of protection for personal data:
1. Data subjects’ exercise of self-protection rights
Data subjects have the following rights in relation to protection of personal data:
(i) Right in relation to consent to the processing of their personal data.
(ii) Right to be informed of the personal data processing at the time of processing or as early as possible.
(iii) Right of rectification and right of access: to request the processor to correct the subject’s personal data, and for the data subject to view and be provided with a copy of their personal data.
(iv) Right to be forgotten and right to restrict processing: to request the processor to terminate the processing of personal data, restrict the right to access personal data, terminate the disclosure of or access to personal data, and delete or close up collected personal data.
(v) Right to file complaints with the Personal Data Protection Commission (PDPC) if the data are breached or used for the wrong purpose, or if their rights in respect of personal data are violated.
(vi) Right to claim compensation if there is a breach in respect of their personal data.
2. Obligation of data processors to apply protective measures to secure received personal data
The Draft PDPD provides for two main measures which data processors must apply to protect data: consent to data processing and notice of data processing. Regarding consent, it shall be in written form which is printable or copyable, and may be partial or conditional. Silence or non-response shall not be interpreted as consent, and data subjects may withdraw their consent at any time. Regarding notice, the Draft PDPD is silent on the format of the notice, but prescribes certain content (information in respect of processors, types of data, time and purpose of processing, etc.). However, there are circumstances in which consent and/or notice is not compulsory, as shown in the following table:
Further, the Draft PDPD requires data processors to develop internal rules and departments specializing in personal data protection.
3. State’s managing and monitoring of personal data protection
The state’s role in protecting personal data is threefold: (i) statutory registration; (ii) activities of PDPC; and (iii) penalties.
(i) Statutory registration
Sensitive personal data processing and cross-border personal data transfer are required to be approved by PDPC in advance. At present, the draft sets a 20-day deadline for PDPC to consider and approve the registration, but is silent on whether the registration is to be made in order to obtain umbrella approval or on a case-by-case basis.
(ii) Activities of PDPC
The commission is to be an independent body of the Government, chaired by the head of the Department of Cyber Security and Hi-tech Crime Prevention of MPS. The commission has the function of consulting the Government on personal data protection methods and exercising State power in respect of managing personal data protection activities, including but not limited to: rating personal data protection reliability; approving the registration of sensitive personal data processing and cross-border data transfer; and applying penalties for personal data protection breaches.
(iii) Administrative penalties
The main penalty for personal data protection breaches shall be monetary, ranging from VND 50 million to 100 million or 5% of sales amount (of breaching data processors in Vietnam), depending on the activity which constitutes a violation. Additional penalties include suspension of data processing for a period of 1 to 3 months, and revocation of the right to use approvals in respect of sensitive personal data processing and cross-border transfer.
III. Cross-border personal data transfer
The focus of the Draft PDPD seems to be placed on the cross-border data transfer procedure. Personal data to be transferred cross-border must meet a set of 4 criteria: (i) the consent of the data subject must be obtained in advance; (ii) the original data must be stored in Vietnam; (iii) personal data protection regulations in the recipient country/territory must be equal to or of a higher level than those of Vietnam; and (iv) PDPC’s approval in writing must have been obtained as discussed in II. If it is not easy to meet the aforementioned criteria, the cross-border data transfer may be eligible if it meets (i) and (iv) and if the data processors commit to protect personal data and to apply personal data measures. Moreover, data processors must develop a cross-border data transfer history system for transfers which have occurred within the past 3 years.
Because it seems that such procedure will create a considerably greater burden for businesses, especially foreign companies, it is undergoing careful consideration and commentary.
MPS expects the PDPD to be effective on 1 December 2021. In Vietnam, however, it is not uncommon for a draft decree which is in the comment stage, such as this Draft PDPD, to be materially changed before it finally becomes public. Delays in the schedule are also common. We will need to continue to pay attention to the status of this draft for some time.