DFDL Vietnam

After much speculation and planning by the Government, the Draft Law on Personal Data Protection in Vietnam was officially published for public consultation on 24 September 2024.

After much speculation and planning by the Government, the Draft Law on Personal Data Protection in Vietnam was officially published for public consultation on 24 September 2024 (the “Draft Law”). The Draft Law builds on the foundation of Decree No. 13/2023/ND-CP dated 17 April 2024 (“Decree 13”), which is the first comprehensive legal framework for data privacy in Vietnam. Nonetheless, it introduces several new and significant regulations. Below are some key points anticipated to impact businesses once the Draft Law comes into effect.

Extend the scope of application:

Compared to Decree 13, the Draft Law has added an additional subject within its scope: “Agencies, organizations, and individuals collecting and processing personal data of foreigners within the territory of the Socialist Republic of Vietnam.” This clarification addresses previous debates about whether Decree 13 applied to the personal data of foreigners in Vietnam. However, the Draft Law lacks specific provisions outlining the distinct rights and obligations for entities processing personal data of foreigners, potentially creating uniform compliance obligations for both Vietnamese citizens and foreign nationals.

Detailing compliance regulations for specific cases:

Compared to Decree 13, the Draft Law breaks down personal data privacy compliance obligations into specific cases, including notable ones as follows: (i) protection of personal data in marketing activities; (ii) protection of personal data in behavioral or targeted advertising services (e.g. the collection of cookies on websites); (iii) protection of personal data in big data processing; (iv) protection of personal data in artificial intelligence; (v) protection of personal data in cloud computing; (vi) protection of personal data in employee monitoring and recruitment; (vii) protection of personal data in financial, banking, credit, and credit information activities; (viii) protection of personal data related to social networks and media services provided directly to viewers through cyberspace (e.g. OTT services); etc.

Previously, businesses faced challenges applying the general provisions of Decree 13 to these specific contexts. The Draft Law provides more detailed regulations for each field to a certain extent. However, these regulations are still considered general and not detailed enough, which may complicate practical application without additional sub-law guiding documents.

Brand-new regulation on data privacy credit rating:

A significant new provision in the Draft Law compared to Decree 13 introduces data privacy credit ratings, which is expected to increase compliance burdens for businesses. State agencies will license data privacy credit rating organizations operating in Vietnam to rate the data privacy activities/compliance of businesses. When submitting a data processing impact assessment (“DPIA”) and/or cross-border data transfer impact assessment dossier (“TIA”), these dossiers now include an additional component: a “data privacy credit rating document” compared to what was required under Decree 13.

Moreover, one of the newly added measures to protect sensitive personal data is that it “must be credit rated for data privacy.” It remains unclear whether this requirement applies universally to all entities handling sensitive data, and businesses will need to await further drafts of the law for clarification. Additionally, it is anticipated that once the Draft Law comes into official effect, it would take time for those data privacy credit rating organizations to be established and licensed to operate in the market, and the question then arises as to how many data privacy credit rating organizations will be licensed and what their actual operations will look like, which will significantly impact the ease of compliance with the Draft Law of businesses in the future when this regulation taking effect.

Regarding obligation to submit and update DPIA and TIA:

Contrary to expectations, the Draft Law, similar to Decree 13, does not specify any exceptions for not submitting DPIA and TIA. This means that all controllers and processors must submit a DPIA to local regulator, and also, all cross-border transferors must submit a TIA. The Draft Law provides clearer regulations on updating DPIA and TIA compared to Decree 13, stating that the dossiers must be updated every six months if there are any changes. This can be reasonably understood to mean that if there are no changes from what has been submitted to the state agency under the DPIA/TIA, businesses do not need to update the dossiers. Additionally, a potential concern for businesses with this Draft Law is that the DPIA and TIA forms attached to Decree 13 are no longer included in the Draft Law, and it is unclear whether these forms will be revised or updated. Hopefully, future versions of the Draft Law will clarify these issues.

The Draft Law is expected to be enacted in May 2025 and take effect on January 1, 2026. However, there is no grace period for compliance, except for a limited two-year exemption for the obligations to appoint data privacy officer, which is only available for some SMEs and start-up enterprises. Additionally, the Draft Law does not mention any transitional provisions or how Decree 13 will be handled after the official issuance of the Draft Law, nor does it address the retroactive effect of the Draft Law for the past compliance with Decree 13 of businesses. In the coming period, DFDL will provide feedback during the drafting process of the Draft Law to maximize the protection of the interests of businesses in general and DFDL’s clients in particular. Businesses are advised to closely monitor the drafting process of the Draft Law and, and if there are any comments or suggestions that need clarification or proposals to the law-making body, please contact DFDL for support or directly provide feedback to the lawmaker through the link: https://chinhphu.vn/du-thao-vbqppl/du-thao-luat-bao-ve-du-lieu-ca-nhan-6957.

The information provided is for information purposes only and is not intended to constitute legal advice. Legal advice should be obtained from qualified legal counsel for all specific situations

Phong Anh Hoang, Partner, Vietnam

Please Login or Register for Free now to view all updates and articles

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

DFDL Vietnam

 

DFDL was established in 1994 and founded on a unique vision: to create an integrated legal, tax and investment advisory firm, with in-depth knowledge of the jurisdictions where we operate to provide tailored, efficient and practical services across our core areas of expertise.

Our integrated and expanding network of 11 offices, including affiliated firms, throughout nine countries in Asia namely:  Bangladesh, Cambodia*, Indonesia*, Lao, Myanmar, Philippines*, Singapore, Thailand and Vietnam. 

DFDL is uniquely positioned to help you access promising international growth opportunities in the world’s most dynamic region.

A team of over 140 advisers provides consulting services in:

  • Banking and Finance
  • Corporate and Mergers and Acquisitions
  • Employment
  • Energy, Mining and Infrastructure
  • Real Estate and Construction
  • Taxation

*DFDL collaborating firms

Click here to view the author's profile

Author

Tags

  • Vietnam
  • Legal Updates
  • Data Protection & Privacy

Related Content

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.