At present, there is little doubt that data is on its way to becoming the most valuable resource of the digital and technology era. In recent years, the Vietnamese government has attempted to overhaul its framework for regulating the use and exploitation of data, focusing mostly on critical aspects of data, namely personal data. This article describes how personal data is treated in Vietnam and the prospects for Vietnam's personal data regulatory framework.

1. Overview of Data Privacy Framework in Vietnam

At present, Vietnam does not have a unified legal framework regulating data privacy-related issues; data privacy is protected and regulated from the perspective of personal data/personal information. "Personal information" is the most prevalent term used in the Vietnamese legal framework when it comes to "data privacy" or "personal data protection". That being said, Vietnamese laws do not employ consistent definitions of what information constitutes personal information. Instead, such definitions vary across different sectoral legislation and sub-legislation. Considering the ineffectiveness of Vietnam's prevailing data privacy regulations, earlier this year (i.e. February 2021), the Ministry of Public Security ("MPS") proposed to promulgate Vietnam's first comprehensive legislation on personal information protection, in the form of a Governmental Decree (hereinafter referred to as the Draft Decree on Personal Data Protection or "Draft PDPD").

2. Initial Drafting Stage

In April this year, the MPS released the first full-text version of the Draft PDPD ("April Version") for public consultation and comments. In general, the PDPD adopts a GDPR-type framework and is similar to the GDPR in many ways, including the broad definition of personal data, data subjects' rights, the concept of a Data Protection Officer, extraterritorial applicability, and potentially harsh penalties for non-compliance.

Key regulations under the Draft PDPD include:

  • Broad definition of personal data. Personal data is any data about an individual, or data related to the identification of, or the ability to identify, a particular individual.
  • Vietnam will establish a Personal Data Protection Commission, which is the supervisory authority of the PDPD.
  • Personal data comprises (i) basic personal data and (ii) sensitive personal data.
  • The concept of data processor is introduced.
  • Potentially harsh penalties (up to 5% of the total revenue of the violator in Vietnam) can be imposed on any non-compliance with the PDPD.
  • The PDPD provides for obligations of the data processor with regard to the personal data after the data subject’s death.
  • Companies must establish a department supervising personal data protection and appoint a data protection officer.

Most notably, the Draft PDPD prescribes restrictions on the cross-border transfer of personal data. In general, a cross-border transfer can only be performed if all of the following four conditions are fulfilled: (i) the data subject has agreed to the transfer of the data; (ii) the original personal data is stored in Vietnam; (iii) the recipient country imposes the same or a higher level of data protection (a document proving this is required); and (iv) the Personal Data Protection Commission agrees to the transfer in writing.

3. Hints and Prospect

In September 2021, the MPS submitted their revised Draft PDPD to the Ministry of Justice ("MOJ") for internal appraisal. Unlike other standard drafting processes, the revised Draft PDPD ("September Version") was kept strictly confidential during this drafting stage. 

Currently, the Government appears to be taking the final steps before officially approving the Draft PDPD by the end of this month or in January 2022. Thus, the PDPD's effective date may not be in December this year as envisaged. Due to the complexity of the novel policies under the Draft PDPD, it is likely that the Drafting Board will propose a transitional/grace period (i.e. from at least six months to one year from the date of approval) to set out a roadmap for the implementation of specific issues under the PDPD.

However, as the Draft PDPD contains provisions that can limit data subjects' rights (i.e. processing personal data without data subjects' consent), the Government may wish to consult the National Assembly Standing Committee ("NASC") to ensure full compliance with the Law on the Promulgation of Legal Documents. If this is the case, it may take months to complete this process. Thus, the effective date of the PDPD may be delayed further.

Notwithstanding the inaccessibility of the Draft PDPD's September Version, there is an important legislative movement that can provide hints as to the major substance of the latest Draft PDPD. In particular, in late September 2021, the MPS released the Draft Decree on Penalties for Administrative Violations in Cybersecurity (“Draft PAVCD”) to gather public opinion.

Among other proposals regarding penalties, sanctioning levels, and remedial measures to handle administrative violations in cybersecurity, the Draft PAVCD also suggests sanctions for violations against the protection of personal data, which will help competent authorities enforce the Draft PDPD. Since the proposed administrative sanctions depend heavily on the substantive obligations prescribed under the Draft PDPD, the Draft PAVCD may offer crucial insights into how the Draft PDPD has been updated since the public consultation earlier this year. In particular, the Draft PDPD's September Version may have added further parties involved in the processing of personal data, such as the Personal Data Controller and the Personal Data Controlling and Processing Entity. Also, the main overseeing authority of the Draft PDPD will likely be the Department of Cybersecurity and Hi-tech Crime Prevention under the MPS. The Personal Data Protection Commission under the Draft PDPD's April Version may no longer be established. Notably, the cross-border data transfer requirements appear to be simplified, with a notification procedure and post-inspection being introduced in place of the pre-check mechanism (i.e. an approval process).

Due to the uncertainty as to the effective date of the PDPD, businesses may take a wait-and-see approach at least in early 2022 (i.e. first quarter) and prepare a PDPD compliance program in mid-2022. As per our observation, the promulgation of the PDPD will pave the way for the enactment of an exhaustive law on personal data protection in Vietnam in the years to come.

(Co-authored with Tuan-Linh Nguyen)