A BRIEF RECAP OF VIETNAM’S PERSONAL DATA PROTECTION LAWS
I. Introduction
“Personal data” has attracted considerable attention and has been the subject of many legal debates all over the world.
Too little protection of personal data will facilitate identity theft, fraud, scams, etc., yet too much protection will adversely affect business development and will also hinder Vietnam in achieving valuable social goals, such as safety, healthcare, and scientific research[1]. As Vietnamese legislation on personal data protection is still in its infancy and seems to follow the EU’s path, with drastic changes certainly coming along, businesses will probably need to bring themselves up to date on a regular basis.
Our goal is to update businesses on such legislative development, with a focus on Decree 13/2023 on Personal Data Protection, issued on 17 April 2023 (“Decree 13/2023”) by the Government of Vietnam. It is the latest legal instrument as of the date of this Article from which businesses can learn what data privacy protection looks like in Vietnam.
II. A brief on how data privacy protection works
Decree 13/2023 is centred on how to protect personal data throughout the process through which it is harvested, processed, stored, used, and even erased in cyberspace. Therefore, this Article briefly explains who, other than a data subject (as defined below), is involved in and caught by Decree 13/2023, and outlines what personal data protection thereunder looks like.
- Who is caught by Decree 13/2023?
Decree 13/2023 is perhaps inspired by and developed from the General Data Protection Regulation of the EU (“GDPR”), though to some extent, it is tailored to fit the context and socio-economic conditions of Vietnam. For this reason, those persons who are regulated under GDPR can also be found in Decree 13/2023, namely:
- “Data subject” refers to the individual to whom the personal data[2] relates. In the context of a business/enterprise, data subjects can be employees, job candidates, clients/customers of the enterprise, and business partners; an employer who is an individual can also be deemed a “data subject”. Collecting, recording, copying, sharing, disclosing, or performing any similar activity on personal data is considered “personal data processing”.
- “Personal data controller” refers to an organization or individual that makes decisions on the purposes and means of processing personal data (e.g., an enterprise storing personal data lawfully collected from its customers).
- “Personal data processor” refers to an organization or individual that processes personal data on behalf of a personal data controller via an agreement (e.g., a cloud data storage service provider). A personal data processor can also assume the role of a “personal data controller”, and such a data processor is called a “personal data controller-cum-processor” (e.g., an enterprise that both stores and processes the data). This dual-role concept is not found in GDPR, and it is unclear why it has been introduced into Decree 13/2023.
- What does personal data protection look like under Decree 13/2023?
Here are some critical traits:
a. Data subjects’ rights
A data subject has the right to (i) be informed of personal data processing, (ii) give consent to the processing, (iii) access their personal data, (iv) withdraw consent, (v) delete personal data, (vi) restrict the processing, (vii) request to obtain their own personal data, (viii) object to the processing, (ix) file complaints, denunciations and lawsuits, (x) claim damages, and (xi) protect themselves.[3]
Decree 13/2023 places strong emphasis on the consent mechanism. For businesses, it is essential to seek clear and precise consent from data subjects for every stage at which their personal data is processed. Yet the way in which consent can be properly given or obtained is not as simple as it seems, not because businesses are incapable of designing a workable system, but because there is no clear-cut compliance standard in Decree 13/2023.
Decree 13/2023 also provides some exceptional cases where data subjects’ consent may not be required: (i) in emergencies or where required by law, and (ii) where personal data is collected from audio and video that capture or record activities in public places.[4] For two groups of data subjects, namely (i) individuals who are declared missing or deceased and (ii) children, Decree 13/2023 additionally requires consent from their family member(s) when the personal data of such subjects is processed.[5]
Again, a set of standards is needed for the consent mechanism to work, and legislators are expected to set them out in the near future. In the meantime, businesses should be proactive in putting in place an easy-to-access interactive platform through which data subjects can interact with them and the consent mechanism can operate. GDPR is what Vietnamese legislators and regulators draw inspiration from and use as a yardstick, so it is sensible for businesses to align their consent mechanism, whether in or applicable to Vietnam, with GDPR’s relevant standards.
b. Notification requirement
It is the obligation of the personal data controller and/or the personal data processor to fulfil this requirement once they detect a personal data breach or incident. In this case, they are required to notify the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) of such a breach or incident in writing (hard or soft copy) within 72 hours (or later if there is a reason for the delay).
The notification shall be made according to Form No. 03 in the appendix of Decree 13/2023.
c. Compliance assessment
Businesses are required to prepare and archive dossiers which are subject to check/assessment by competent authorities. Two kinds of dossiers are mandatory for businesses to prepare and archive, namely: (i) a Dossier for assessment of impact of personal data processing, and (ii) a Dossier for assessment of impact of outbound transfer of personal data (applicable where personal data is transferred abroad). These dossiers must always be ready and available for submission within 60 days from the date on which personal data is processed, and whenever required by competent authorities.[6]
Notably, businesses may transfer Vietnamese citizens’ personal data abroad provided that they have (i) established a Dossier for assessment of impact of outbound transfer of personal data, and (ii) notified the Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention) in writing of the data transfer and the contact details of the organization or individual in charge of such transfer after the personal data has been successfully transferred.[7]
d. On-site data protection officer (“DPO”)
The contact information of the DPO will be included in the assessment dossiers submitted to competent authorities, as mentioned in item (c) above.
Decree 13/2023 does not require the DPO to be an employee; if a business does appoint an employee, however, it will need to have at least one employee assuming the role of DPO.
- What are the consequences of non-compliance?
Besides technical risks such as data leakage and identity theft, and monetary risks such as ransomware, businesses may also face the consequences of non-compliance with data privacy regulations. At present, however, no administrative sanctions or penalties for non-compliance with Decree 13/2023 have been set forth; they are still under discussion and consideration.
Given that Vietnamese legislators tend to adopt the GDPR-based model, it is likely that the administrative sanctions to be designed will bear some similarity to those of GDPR as well.
III. Conclusion
It is predicted that Vietnamese legislators will continue to attempt to adopt principles of GDPR in strengthening their legal frameworks to secure and safeguard personal data privacy. This means that businesses that have familiarized themselves with GDPR could find it not too difficult to comply with the personal data protection regime in Vietnam.
Even so, the emergence of artificial intelligence, commonly known as AI, poses new challenges to data protection. As AI works on the basis of how data is imported, processed, and generated to produce results on users’ demand, concerns arise as to whether personal data is used to “feed” AI systems without data subjects’ knowledge and, if so, how personal data protection laws will address such concerns. Perhaps Vietnamese lawmakers have already commenced research into drafting and updating legal documents to control AI alongside personal data, in an attempt to narrow the gap between the law and the technology, which promises significant changes to Vietnam’s personal data protection laws in the future.
Authors: Nguyen Duc Hieu, Pham Thanh Mai, Do Phuong Khoa
Footnotes
[1] Orly Lobel, “The Problem With Too Much Data Privacy” (Time, 2022) <https://time.com/6224484/data-privacy-problem/>, accessed on 26 March 2024.
[2] “Personal data” is defined as “electronic information in the form of symbols, letters, numbers, images, sounds, or equivalence associated with an individual or used to identify an individual.” Decree 13/2023 categorizes “personal data” into two subsets, as Articles 9 and 10 of GDPR do: “general personal data” (e.g., name, date and place of birth, phone number, ID number, etc.) and “sensitive personal data” (e.g., health information, biometric and biological information, criminal records, bank-related information, and personal location).
[3] Article 9 of Decree 13/2023
[4] Articles 17 and 18 of Decree 13/2023
[5] Articles 19 and 20 of Decree 13/2023
[6] Articles 24 and 25 of Decree 13/2023
[7] Article 25 of Decree 13/2023