With the Industrial revolution 4.0 underway, personal data has become a valuable asset across various sectors including e-commerce, healthcare, security and education. The high rate of internet usage in Vietnam calls for a comprehensive legal framework regarding data protection that is in line with international standards. In April 2019, the Ministry of Public Security (“MPS”) started developing a Draft Decree on Personal Data Protection as a sub-legislation to the Cybersecurity Law (“Draft Decree”) in response to this legislative need.

On 27 December 2019, the MPS published the first version of the Draft Decree. The Draft Decree consists of 06 chapters, but remains mostly as an outline since the specific contents of each chapter have not been drafted.  The following is a summary of the key contents introduced under the Draft Decree.

  1. Definition of Personal Data

The Draft Decree outlines several key definitions related to personal data protection. “Personal data” is defined as information in the form of symbols, letters, numbers, images, sounds or other similar forms that belongs to an individual. This definition is broader than the current “personal information” defined under the Law on Cyber-information Security and Decree No. 52/2013/ND-CP on E-commerce (“Decree 52”). The Draft Decree also introduces the concept of “sensitive personal data” for the first time in Vietnam. This data includes political and religious beliefs, ethnicity or race, healthcare status, genetic information, biometric data (e.g. fingerprints, hand prints, iris images and genetic data), gender, sex life and criminal records.

  2. Data Processor

Under this Draft Decree, the parties involved in personal data processing include:

(i) Personal data processor: a legal entity or a natural person, a branch of a foreign company or a state or local authority that processes personal data;

(ii) Main personal data processor: personal data processor that has the right to authorize other processors to act on their behalf in accordance with the law;

(iii) Authorized personal data processor: the personal data processor authorized by the main personal data processor in accordance with the laws;

(iv) Data subject: the person whom the personal data reflects; and

(v) Third party: a legal entity or natural person, branch of a foreign company or a state or local authority other than personal data processor and data subject.

This classification differs from that of the European Union’s General Data Protection Regulation (“GDPR”), which defines a “controller” as someone who determines the purposes and means of the processing of personal data, and a “processor” as someone who processes personal data on behalf of the controller, instead of “main personal data processor” and “authorized personal data processor”. Our LBN on the GDPR can be found here.

The Draft Decree provides that data processors are entitled to determine:

(i) Purposes of personal data processing;

(ii) Types of personal data that need to be processed;

(iii) Procedures and methods for personal data processing; and

(iv) Allowed transfers of personal data to third parties.

In terms of obligations, data processors must:

(i) Immediately delete or close personal data that is unnecessary, unless otherwise regulated;

(ii) Ensure compliance with the principle of data quality and update if necessary;

(iii) Ensure that controversial personal data is closed until proved; and

(iv) Notify third party of any modifications to information with regard to personal data or personal data that is not technically feasible.

  3. Principles on Data Protection

The Draft Decree sets out the following 07 principles with regard to personal data protection:

(i) Principle of Lawfulness: personal data shall be collected legally;

(ii) Principle of Purpose: personal data shall be collected for the purposes that have been consented to or registered;

(iii) Principle of Simplification: personal data shall only be collected if it is necessary to serve a predetermined purpose;

(iv) Principle of Restricted Use: personal data shall only be used when consented to by the data subjects or competent authorities;

(v) Principle of Data Quality: personal data shall be updated, sufficient and necessary to serve the purpose of processing such data;

(vi) Principle of Security: security measures shall be applied to protect personal data; and

(vii) Principle of Individuality: data subjects shall be notified of all activities pertaining to their personal data.

  4. Data processing registration

Under Article 4 of the Draft Decree, overseas personal data processors may be required to appoint a representative in Vietnam. Article 27 of the Draft Decree also requires that the act of transferring personal data overseas must be registered with competent authorities. However, this provision is still an outline. We expect the final draft of the Draft Decree to expand on this provision in more detail.

  5. Disclosure of personal data

Article 8 of the Draft Decree provides an exception to consent for disclosure of personal data. Specifically, consent is not required if the disclosure is to the media for the purpose of journalism where there is a compelling public interest, and the disclosure is in accordance with the ethical principles of journalism. That said, data disclosure in such an instance cannot cause significant damage to the rights of the data subject. However, the Draft Decree does not specify what constitutes “compelling public interest” or “significant damage”. Article 8 further provides that data subjects have the right to require the person disclosing their personal data to end such disclosure, unless the disclosure is conducted in accordance with the law. The person disclosing such personal data is not required to end the disclosure if that person cannot control the devices carrying such personal data. At any time, data subjects have the right to request the person processing their personal data to cease the disclosure, unless otherwise regulated by law, and provided that ceasing the disclosure is technically feasible and does not cause unreasonably high costs. However, whether “ending” such disclosure means merely discontinuing the disclosure or requires actively retrieving or rectifying such disclosure is not clear under the Draft Decree.

  6. Public recording

According to the Draft Decree, public recording (e.g. sound recording, image recording, etc.) is deemed to have the default consent of the data subjects. Although the authorities or entities that collect data in this situation are obliged to notify data subjects so that they understand that they are being recorded, this notification obligation does not apply where the recording serves “public purposes”. What counts as “public purposes” remains unclear.

Conclusion:

At present, the draft version includes only a limited amount of content along with the names of articles. The next versions of the Draft Decree would likely expand on the scope of activities pertaining to personal data, rights and obligations of data subjects, measures to protect personal data, data processing registration, etc. The draft proposal and outline on the protection of personal information has attracted wide-scale attention from the general public. It is indeed an essential response to the rapid development of information technology and in line with the government’s attention to this area of law. The Draft Decree is available for public consultation and the MPS will consider relevant comments from the public while moving the draft forward. The MPS is expected to submit the Draft Decree to the Government in 2020.


DISCLAIMER

This LBN newsletter is NOT legal advice. Readers are advised to retain a qualified lawyer, should they wish to seek legal advice. VCI Legal is certainly among those and happy to be retained, yet VCI Legal is not to be held responsible should any reader choose to interpret/apply the regulations after reading this LBN without engaging a qualified lawyer.