On 17 April 2023, the Vietnamese government issued the Personal Data Protection Decree, which is set to take effect 1 July 2023 without any transitional period. The PDPD is considered to be the first comprehensive document on data protection in Vietnam. Accordingly, it provides detailed regulations on the rights of data subjects, consent requirements and requirements for data processing impact assessments and outbound transfer impact assessments.
In 2024, the adoption of the Law on the Protection of Consumer Rights and the Law on Electronic Transactions will play a vital role regarding data protection. The LPCR will require traders to obtain consent to collect consumer data and establish a mechanism enabling consumers to select the information they consent to traders collecting. Consumers must also be allowed to express consent in a suitable form. For special processing purposes — such as sharing, disclosure, or transfer of personal data to third parties, and use of personal data to send advertisements and to introduce products — the LPCR requires a mechanism which enables data subjects to clearly opt in to give, or not give, their consent. This requirement is similar to procedures currently required for regulated stakeholders under the PDPD. In the same vein, the LET strictly forbids the acts of trading data to protect Vietnamese personal data.
The government is anticipated to provide more details relating to data privacy guidelines after the issuance of the Draft Law on Telecommunications. Accordingly, the draft requires enterprises to provide the requisite information — such as service user’s name and address, number and location of transmitting or receiving servers, call times, IP address and other personal information supplied by the service user when entering a contract — to the relevant authority, as per a request which is made in accordance with the law.
Amendments to Decree 72/2013/ND-CP on the management, provision and use of internet services will be adopted in 2024. A new draft provision that will be applicable to both onshore and regulated cross-border social network service providers is the requirement to authenticate social network user accounts via their mobile phone numbers in Vietnam. This regulation was proposed by the Ministry of Information and Communications in response to the growing prevalence of cybercrime and aims to enhance state management of social networks and protect personal data, while also increasing user awareness and responsibility around uploading content on the internet.
The Draft Sanction Decree is expected to be issued at the end of 2023 and adopted in 2024. Following the adoption of the PDPD, this will be a supplemental tool used to deal with PDPD violations. Violations, depending on severity, may result in warnings, discipline or administrative penalties or criminal prosecution.
Simultaneously, the Ministry of Public Security established a National Portal on Personal Data Protection to receive reports concerning PDPD violations. Once the portal officially launches, companies are likely to be more vulnerable to inspections, as it will enable data subjects — including company employees or clients — to report noncompliance or personal data breaches more easily.
Therefore, 2023 was a busy year, and 2024 will no doubt be the same.
Athistha (Nop) Chitranukroh and Phuc Huu Nguyen provided this update as part of the “IAPP Global Legislative Predictions 2024” from the International Association of Privacy Professionals. Tilleke & Gibbins also provided the Thailand update.