After a protracted period of deliberation, the Vietnamese government ultimately passed the country’s “historic,” first-ever Personal Data Protection Decree (“PDPD”) on April 17, 2023, as Decree No. 13/2023/ND-CP. The PDPD is a landmark legal instrument that integrates all of Vietnam’s disparate data protection legislation, with the potential to bring them closer to the EU’s General Data Protection Regulation (“GDPR”) requirements. (The PDPD, however, will not replace these existing regulations but will concurrently exist with them.) Scheduled to take effect on July 1, 2023, with basically no grace period (save in limited cases), the PDPD will apply to both domestic and foreign individuals/entities that directly engage in or relate to personal data processing activities in Vietnam.
As the PDPD continues to be a magnet for public attention, we take a closer look at its key provisions and some initial implications for businesses below.
1. Definition and Classification of Personal Data
The PDPD defines personal data as information on an electronic medium in the form of symbols, letters, numbers, photos, sounds, or the like that is associated with or helps to identify a specific individual. Information that helps to identify a specific individual is further clarified as information generated from an individual’s activities that, when combined with other data and stored information, can identify a particular person.
Personal data is split into two different categories—basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, personal photos, phone number, identification number, marriage status, history of one’s cyberspace activities, and so on. Sensitive personal data, on the other hand, is more private and, if violated, will jeopardize a person’s legitimate rights and interests. Accordingly, sensitive personal data comprises, among other things, political and religious views, health status and private life information as recorded in medical records, racial or ethnic origin, sexual orientation, criminal records, customer information of credit institutions/foreign bank branches/payment intermediary service providers, or location data.
2. New Concepts of Regulated Parties
The PDPD divides regulated parties into four categories: (i) personal data controller (“Controller”); (ii) personal data processor (“Processor”); (iii) personal data controller-processor (“Controller-Processor”); and (iv) third party. Accordingly, the Controller is an entity or individual that determines the purposes and means of personal data processing (i.e., the “why” and “how” of the processing), whereas the Processor is an entity or individual that conducts the processing of personal data on behalf of the Controller via an agreement. A Controller-Processor is an individual or entity that performs both the Controller and Processor roles concurrently. As for the third party, any organization or individual other than the data subject, Controller, Processor, or Controller-Processor that is permitted to process personal data will fall under this category.
In general, the PDPD imposes different obligations on each of the regulated parties, so it is critical that enterprises understand and identify their roles correctly. Even though certain organizational and technical requirements apply equally to all parties, the responsibilities of the Controller and the Controller-Processor (as set out under Articles 38 and 40) will be the most onerous.
3. Principles for the Processing of Personal Data
The PDPD introduces eight principles for the processing of personal data under Article 3. Closely modeled on those under the GDPR, these eight basic tenets include: (i) the processing is in accordance with the law (lawfulness); (ii) data subjects must be informed of every activity involving the processing (transparency); (iii) personal data shall be processed only for the purposes registered and announced in relation to the processing (purpose limitation); (iv) personal data collected must be relevant and confined to the extent and purposes of the processing (data minimization); (v) personal data must be updated and supplemented in accordance with the processing’s purposes (accuracy); (vi) personal data must be subject to protection and security measures during the processing (integrity, confidentiality and security); (vii) personal data shall be kept only for a term appropriate with the processing’s purposes (storage limitation); and (viii) the Controller and Controller-Processor must comply with the above principles and demonstrate their compliance (accountability).
Interestingly, the PDPD (as well as its earlier drafts) does not recognize the principle of “legitimate interests,” which is recognized by the GDPR.
The above principles are extremely important to keep in mind, as they will play a key role in guiding businesses’ compliance procedures.
4. Consent Requirement and Exceptions
The PDPD maintains a consent-centric approach, and sets out that consent must be voluntarily made based on the data subject’s full understanding of (i) the purpose of the personal data processing; (ii) the type of personal data to be processed; (iii) the entities authorized to process personal data; and (iv) the data subject’s rights. In addition, Article 11 stipulates that consent must be expressed clearly and specifically in writing, by voice, by ticking the consent box, by text message, by selecting consent technical settings, or via another action which demonstrates the same. Moreover, consent must be expressed in a format that can be printed out or reproduced in writing, including in electronic or verifiable formats.
Importantly, the PDPD also explicitly points out that silence or non-response by the data subject is not construed as consent.
Furthermore, consent must be made for a single purpose. That is to say, multiple purposes need to be demonstrated in a way that data subjects can give consent to one or more of them. Additionally, the data subjects may also opt to provide a partial or conditional consent.
Regardless of the foregoing, Article 17 states that the processing of personal data without consent is permissible in the following circumstances:
- In urgent cases where it is necessary to immediately process relevant personal data to protect the life or health of the data subject or others;
- Where the public disclosure of personal data is in accordance with the law;
- When the processing of data is done by competent state agencies in the event of a state of emergency on national defense, security, social order and safety, major disaster, or dangerous epidemic; or when there is a risk that threatens security and national defense but not to the extent where it is necessary to declare a state of emergency; or to prevent and combat riots, terrorism, crimes and violations of the law;
- To fulfill the contractual obligations of the data subject with relevant agencies, organizations and individuals as prescribed by law; or
- To serve the activities of state agencies as prescribed by sector-specific laws.
5. Processing of Basic Personal Data and Sensitive Personal Data
The PDPD sets out that every party processing personal data must apply managerial and technical measures to protect personal data (Articles 26-28). However, it does not indicate which managerial and technical measures would be considered sufficient. Further, these parties must develop and implement personal data protection policies, and must explicitly state what is to be done to meet the requirements of the PDPD (Article 27.2).
Based on the wording of Article 28 on the protection of sensitive personal data, the standards for processing sensitive personal data appear to be a bit stricter than those for basic personal data. More specifically, the protection of sensitive personal data would necessitate (i) all of the managerial and technical measures required for the protection of basic personal data, plus (ii) the appointment of a Data Protection Officer (“DPO”) and an internal personal data protection department (“DPD”) (information on the DPD and the DPO should be notified to the authority), and (iii) notification to data subjects that their sensitive personal data is processed except in specified cases.
It is required that (i) when obtaining consent from the data subject, the data subjects must be informed that the data to be processed is sensitive personal data (Article 11.8); and (ii) the data subjects must be notified that their sensitive personal data will be processed (Article 28.3). However, it is unclear how these two requirements are different, or how they should be combined.
Regardless of the above distinctions, Article 24 implies that the necessity to appoint a DPO and a DPD may nevertheless also apply to the processing of basic personal data. This is because, according to Article 24, information on the DPO and DPD must always be included in the Data Protection Impact Assessment Profile (“DPIA Profile”), which Controllers/Processors/Controller-Processors (regardless of the type of data processed) have to establish and keep available. Since one copy of the DPIA Profile must be submitted to the authority, this essentially means that information on the DPO and DPD is also reported to the authority. As a result, it appears that the ramifications of distinguishing between basic personal data and sensitive personal data may be less substantial than anticipated.
6. Cross-Border Transfer of Personal Data
According to Article 25, the transferor of personal data must first create a Dossier of Impact Assessment for the Cross-Border Transfer of Personal Data (“TIA Dossier”) before transferring personal data out of Vietnam. The TIA Dossier must include: (i) information and contact details of the transferor and receiver; (ii) full name and contact details of the organization and/or individual in charge of the transferor; (iii) description and explanation of the objectives of the personal data processing following the transfer; (iv) description and clarification on the type of personal data to be transferred; (v) description and explanation on the compliance with the regulations under the PDPD, detailing the applied measures for personal data protection; (vi) assessment on the impact of the processing, as well as the potential and unwanted consequences and/or damages, and measures to minimize or eliminate such consequences and/or damages; (vii) consent from the data subject; and (viii) documents pertaining to the binding responsibilities of personal data processing between the transferor and transferee.
The TIA Dossier must be made available at all times for the inspection and evaluation by the authority. In addition, the transferor must submit one original copy of the TIA Dossier to the Department of Cybersecurity and Hi-Tech Crime Prevention (“A05”), an authority under the Ministry of Public Security of Vietnam (“MPS”) within 60 days from the date of the personal data processing.
In terms of reporting, the PDPD adopts an ex-post management approach, requiring the transferor to notify and submit to the A05 the information on the transfer, as well as the contact details of the responsible organization and individuals in writing upon the successful completion of the transfer. The A05 will review the TIA Dossier and may request that the transferor complete the dossier if it is found to be incomplete or does not comply with the PDPD standards.
In addition, it is worth noting that the MPS has the power to halt cross-border data transfers if (i) the data is used for activities that violate the interests and national security of Vietnam; (ii) the transferor fails to complete or update the TIA Dossier; or (iii) the personal data of Vietnamese citizens is disclosed or lost. Needless to say, the first criterion is very broad and vague.
7. Rights of Data Subjects
Article 9 recognizes 11 rights of the data subject, including the right to be informed, the right to consent, the right to access, the right to withdraw consent, the right to delete data, the right to restrict data processing, the right to data provision, the right to object to data processing, the right to complain and denounce and/or initiate lawsuits, the right to claim compensation for damages, and the right to self-defense.
Among these rights, enterprises should pay special attention to (i) the right to restrict data processing; (ii) the right to object to data processing; (iii) the right to data provision; (iv) the right to access (specifically, the right to access and request data rectification); and (v) the right to delete data, as compliance in these regards would be subject to a 72-hour deadline.
8. Other Notable Provisions
In addition to the essential regulations listed above, it might also be necessary for businesses to take note of the following provisions:
- The PDPD introduces a new concept called “automated personal data processing” under Article 2.13, without setting out any specific requirements for this activity, but simply providing that using an automated system located outside of Vietnam to process personal data of Vietnamese citizens is also considered as a type of cross-border data transfer under the PDPD. In particular, “automated personal data processing” is defined as a form of personal data processing performed by the use of electronic means in order to evaluate, analyze and predict the activities of a specific natural person, such as habits, preferences, level of reliability, behaviors, locations, tendencies, capacities, and other information. Based on this definition, it seems that automated personal data processing is essentially “profiling” under the GDPR, which is an activity carried out using artificial intelligence (“AI”) algorithms. It is worth noting that Vietnam currently still lacks clear laws/regulations governing AI, as well as its application in products and services.
- The PDPD states in Article 20 that children over the age of seven can give consent, but their consent must be accompanied by consent from their parents/guardians. All parties involved in the processing of personal data must verify the age of the children before processing their personal data. The PDPD, however, is silent on the situation of children under the age of seven. It is very likely that only parental/guardian consent is required in this scenario, as stipulated under the Civil Code.
- Article 21 addresses personal data protection in the marketing and advertising industries. Accordingly, marketing/advertising service providers can only use customers’ personal data collected during the course of their business activities to provide marketing services or introduce advertising products provided the data subject gives informed, opt-in consent. The data subject should be notified about the content, method, form, and frequency of marketing/advertising activities that will be provided to them.
- Pursuant to Article 3.4, personal data cannot be bought or sold in any form, unless otherwise provided by law. However, Article 22 provides that the establishment of software systems and technical measures, or the organization of the collection, transfer, purchase and sale of personal data without the consent of the data subject are personal data violations. Accordingly, it is uncertain if these two articles, when read together, can be interpreted as implying that the trading of personal data is not entirely prohibited, but will be permitted with the consent of the data subject.
- The PDPD sets out the establishment of a national portal for the protection of personal data. It seems that the key functions of this portal are to provide information on laws and policies relating to personal data protection, to communicate with enterprises about their data protection activities, and to receive notifications about personal data violations.
Given the foregoing, it seems that the key issues of the PDPD are substantially different from those under the draft version which was released for public comments in 2021. In fact, some controversial requirements from the draft have been removed, such as the formation of what would have been a newly created agency, the Personal Data Protection Commission, as well as the new agency’s required approval for cross-border transfer of personal data and processing sensitive personal data. That being said, some new problematic issues may emerge.
For example, there is little doubt that the PDPD will have a huge impact on enterprises, in the sense that they will have to re-organize their managerial and technical measures to protect the personal data of both their customers and their employees. This is because, as mentioned above, the PDPD will apply to enterprises in all sectors which engage in the processing of personal data. However, the PDPD only provides a grace period of two years for micro-enterprises, small enterprises, medium-sized enterprises and start-up enterprises which do not directly engage in the business of personal data processing activities, and only for the obligation to appoint DPOs/DPDs.
At the moment, it is uncertain how seriously the authorities will enforce the PDPD’s requirements during this initial transition period, and how companies will be able to handle all of the onerous obligations set out by the decree in the following months. For the time being, businesses should exercise prudence and begin preparing their compliance plans.