On April 8, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted comments in response to the Ministry of Public Security (“MPS”) of Vietnam’s Draft Decree on Personal Data Protection (“Draft Decree”).
The Draft Decree was published on the MPS website on February 9, 2021 and the deadline to submit comments was April 9, 2021. If enacted, it would establish the first comprehensive data protection and privacy law for Vietnam. The Draft Decree borrows concepts and definitions from a variety of global privacy laws and frameworks, but also deviates from global norms in several ways. It covers many data protection topics often seen in comprehensive privacy laws such as (1) rights of data subjects; (2) restrictions and conditions for processing personal data; (3) children’s privacy; and (4) cross-border data transfers.
In its comments, CIPL focused its recommendations and proposed modifications primarily on the ways in which the Draft Decree deviated from global norms. Specifically, CIPL made several significant recommendations, including that the MPS should:
- Overhaul the section on cross-border data transfers by replacing its existing requirements, which currently requires consent, data localization, an adequacy assessment and ex ante regulatory approval, with a comprehensive set of globally recognized cross-border data transfer mechanisms such as contracts, corporate rules and bilateral arrangements;
- Ensure that the law is not so heavily reliant on consent that it undermines legitimate, necessary and beneficial processing activities by adding additional bases for processing, such as a legitimate interest basis;
- Reconsider the proposed ex ante registration requirement for processing sensitive personal data and replace it with a risk-based approach that includes impact assessments;
- Clearly distinguish between data controllers and data processors in the law and define duties for each; and
- Enable automated decision-making for purposes beyond the Draft Decree’s current scope, which limits its use to processing done in the performance of a contract.
CIPL’s comments also touched on several other important topics such as (1) urging the MPS to clearly define when its rules for processing children’s data would apply; (2) ensuring that data breach notifications are only required when the breach is likely to result in significant harm to a data subject; and (3) extending the date of effectiveness to provide organizations with sufficient time to come into compliance with the law.