The Vietnamese government is currently developing a new draft Data Law (“Draft Law”) to establish a comprehensive legal framework for data activities within the country. Open for public consultation, this Draft Law addresses various aspects of data handling and governance, notably introducing regulations for conducting business with data for the first time. This article provides an overview of the Draft Law's key provisions and their potential implications for businesses and individuals. Unlike personal data legislation, this Draft Law's broad coverage encompasses not only personal data but also other organizational and business data.
Regulation of the Data Economy
The draft law introduces regulations for the provision of data-related products and services, a sector that has long been unregulated in Vietnam. This move is crucial in addressing the rampant illegal sale of personal data, a pressing issue in the country. The new regulations cover various aspects of the data economy, including data brokerage, data analysis, and data marketplaces. Data businesses will be required to register with authorities and adhere to specific requirements to ensure data protection and security. This development is expected to create a more secure and transparent data market, making ground for data reliability, fostering innovation and economic growth while safeguarding individuals’ rights and interests in the context of a data-driven society -economy shortly.
Enhanced Definitions and Regulations for Data Processing Activities
A significant improvement in the draft law compared to previous data-related regulations, such as the Law on Cybersecurity and the Personal Data Protection Decree, is the introduction of more precise definitions for various data processing activities. These activities include data sharing, coordination, analysis, verification, authentication, disclosure, access, retrieval, encryption, decryption, copying, transmission, transfer, withdrawal, deletion, and destruction. The Draft Law addresses the lack of clarity in previous regulations, which led to potential ambiguities and inconsistencies in interpretation. By providing specific definitions, the Draft Law aims to ensure greater transparency and consistency in regulating data handling practices.
Stringent Regulations for Cross-Border Data Transfers
Cross-border data transfers are subject to stricter regulations under the draft law, particularly for "core data" and "important data." Core data is defined as data that has a high coverage across sectors, groups, and regions and can directly affect political security if used or shared illegally. This includes data related to important national security areas, the lifeblood of the national economy, the important livelihoods of people, major public interests, and other data specified by national agencies. Important data is defined as data in sectors, groups, or areas that can directly endanger national security, economic activities, social stability, and public health and safety if leaked, falsified, or destroyed. These categories of data will require approval from relevant authorities, such as the Prime Minister's Office or the Ministry of Public Security, following a data security assessment. This measure is designed to mitigate risks to national security and public interests while maintaining the free flow of data across borders.
Clearer Regulation of Government Access to Data
The draft law seeks to clarify the circumstances under which government agencies can access data held by organizations and individuals. Such access will be limited to "special cases," such as public emergencies or when data is crucial for fulfilling specific public tasks. The law also outlines the responsibilities of government agencies in handling such data, including the obligation to use it only for the stated purpose, implement necessary technical and organizational measures, and destroy it when no longer needed. These provisions aim to strike a balance between the government's legitimate need for data and individuals' rights to privacy and data protection in the context of a data-driven society - economy shortly.
Conclusion
Vietnam's Draft Data Law marks a significant milestone in establishing a comprehensive legal framework for data activities. It aims to foster a thriving data-driven economy while ensuring robust data protection and security. The public consultation phase is vital to refining the law, aligning it with global best practices and addressing Vietnam's unique context.
For businesses navigating this evolving landscape, KPMG's legal experts offer invaluable guidance. With their deep understanding of Vietnamese law and extensive experience in data protection and privacy, KPMG can help businesses understand the implications of the draft law, develop comprehensive compliance strategies, and implement measures to ensure data security and privacy and lawful methods to approach reliable data. This proactive approach will enable businesses to not only comply with the new regulations but also leverage the opportunities presented by Vietnam's growing data economy.
Bui Thi Thanh Ngoc, Partner
KPMG Law in Vietnam
Tran Bao Trung, Associate Director
KPMG Law in Vietnam