The rules in respect of personal data protection have been stipulated and scattered in a number of laws of Vietnam such as the Civil Code, the Law on Protection of Consumers’ Rights, the Cybersecurity Law, the Law on Cyber Information Security, etc. Many of the provisions in those laws are unclear and overlapped without any precise and effective mechanism for understanding personal data protection. This lack of clarity has caused the treatment of personal data in Vietnam to become extremely insecure and the data itself vulnerable.
For that reason, the Ministry of Public Security (the “MPS”) has proposed a draft decree on personal data protection. The draft was released on 9 February 2021 (the "Draft Decree") for public comments. There are many important statutory definitions in relation to personal data that have been given, such as the separation of personal data into basic personal data and sensitive personal data for which a data processor is required to adapt protection requirements for processing. The Draft Decree provides more complete regulations on mechanisms of personal data protection, as well as a proposal to establish a Personal Data Protection Committee (the “PDP Committee”) which would be an independent body under the government of Vietnam.
The Draft Decree requires a data owner’s consent prior to processing and disclosing such data except in the following cases:
- If specified by law;
- For the sake of national security, social order and safety;
- If specified by law to be an emergency, a threat to life or seriously affecting the health of that data owner or public health;
- For the purpose of investigation and handling an act in violation of laws;
- In compliance with the regulations in international agreements or treaties to which Vietnam is a member specifying the processing of personal data without such data owner's consent; or
- For scientific research or statistics in encrypted form which is to be de-identified and replaced with a code.
A data owner's consent will be considered effective provided that such consent is given voluntarily and is clearly informed of: the type of personal data processed, the purpose of processing, the objects to be processed and shared, the conditions for transferring or sharing personal data to third parties, and the data owner’s rights related to the processing of his or her personal data. In addition, such consent must be presented in a form that is capable of being printed or reproduced in writing. A data owner's silence or non-response to a personal data processor's request for permission to process data is not considered sufficient to be considered consent.
For children under the age of 16, this consent must be given by their parent or guardian prior to processing any personal data of that child.
For sensitive personal data, in addition to the request for the data owner’s consent, a personal data processor must register with the PDP Committee before proceeding.
In addition to consent, personal data processors must notify the data owners of any changes to the contents of their consent, except for the following cases:
- The data owner has fully agreed with the contents and activities of processing personal data;
- The processing of personal data is required by laws, international agreements, international treaties;
- The processing of personal data does not affect the rights and interests of that data owner and notification on such processing to that data owner is impossible; and
- For the purpose of scientific research or statistics.
The Draft Decree is the first statutory instrument in Vietnam to specifically regulate the cross-border transfer of personal data of Vietnamese citizens. Prior to transferring such data outside of the territory of Vietnam a personal data processor is required to comply with the following conditions:
- Obtain the data owner’s consent;
- Retain the original personal data in Vietnam;
- Provide a written document proving the country/territory/area of destination has a regulation on personal data protection at the same or higher level than the regulations in Vietnam; and
- Obtain the written consent of the PDP Committee.
Notwithstanding the aforementioned conditions, personal data may be transferred out of the territory of Vietnam in the following cases:
- The data owner’s consent for such transfer;
- A written consent of the PDP Committee;
- A personal data processor's commitment on personal data protection; and
- A personal data processor's commitment on applying the personal data protection measures.
In executing the cross-border transfer of personal data, the data processor must set up a system for recording the history of data transfers within for three years which may be inspected and assessed every year by the PDP Committee.
In comparison with Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 stipulating the administrative sanctions against violating acts in the sectors of postal services, telecommunications, radio frequencies, information technology and electronic transactions, monetary penalties for similar acts as proposed in the Draft Decree is two to five times higher. There is also a monetary fine of 5% of the total revenue of the violating processor in Vietnam for repeated offences in exceeding the prescribed number of time.
Finally, the Draft Decree proposes to establish important supporting tools for enhancing personal data protection such as building and operating a national information portal for personal data protection, publishing a list of agencies and organizations processing personal data, and issuing a standard for assessing the reliability of personal data protection of agencies and organizations involved in personal data processing activities.
The Draft Decree is now in the stage of collection of public opinion for consideration for the two months following its publication.