October 2, 2024
Vietnam’s Draft Personal Data Protection Law: An In-Depth Look

The first draft of Vietnam’s new Personal Data Protection Law (“Draft PDPL”) was released for public consultation on September 24, 2024, and is open for comments until November 24, 2024. (See further details here.) It is expected that the draft will be presented to the National Assembly before the end of 2024 and will be submitted for adoption in May 2025, with a tentative entry into force on January 1, 2026. As the Draft PDPL incorporates most of the provisions of Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”), which has been the primary legal instrument on personal data protection since it took effect on July 1, 2023, it is likely that it will supersede the PDPD when it takes effect. [Please contact our Vietnam data protection team to request a detailed comparison of the Draft PDPL to the PDPD.]

Noting that there might be further changes to the draft once the public consultation period closes, the Draft PDPL proposes new specific requirements for a number of services. Some highlights of the current version include the following:

  • Marketing services: Although marketing services are already regulated under the PDPD, the Draft PDPL now recognizes that the use of personal data for marketing must comply with anti-spam regulations. The current draft does not clarify whether organizations are exempted from the consent requirement for the purpose of the initial call or message under the anti-spam regime. Marketing service providers are not allowed to outsource the services to another organization to perform or support the implementation of marketing business, which may prevent the sharing of personal data.
  • Behavioral advertising: Behavioral advertising (targeted personalized advertising based on a user’s activity or personal data) requires the consent of the data subject in a modifiable manner that allows the data subject to refuse to share data in different contexts. As with marketing services, advertising service providers may only use personal data collected through their business activities to provide their advertising services.
  • Big data processing: Organizations are free to utilize personal data on platforms where the data subjects have disclosed such data without any restrictions (which seems to allow the processing of any publicly available data, for as long as the data subjects do not restrict the use), as long as the collected data is only used for business activities in accordance with the law. The Draft PDPL specifies that the information registered for social network accounts or OTT services will not be considered public data, and cannot be processed without consent.
  • AI: Organizations are entitled to use personal data for research and development of machine-learning algorithms, artificial intelligence, and other automated systems, provided that notice is given to the data subjects (including explanations on the influence of the algorithm, artificial intelligence, or automated system on the legitimate rights and interest of the data subjects), and the data subjects are offered the right to opt out.
  • Cloud computing: The Draft PDPL now imposes the obligations on clients of cloud service providers to request that some content be included in the cloud computing contracts, notably that cloud service providers will only process their clients’ data for the benefit of and on behalf of the clients (which is very close to the definition of a data processor); compensation for damages must be clearly addressed; security, technical and organizational measures must be enumerated; technical measures are in place to ensure that the right to access data is reasonably decentralized, etc. In addition, cloud service providers must comply with impact assessment dossier requirements and with regulations on personal data protection in general; appoint a data protection department; request subcontractors to comply with regulations on personal data protection; and apply technical and organizational measures adequate to the scale and level of processing.
  • Labor and recruitment: When monitoring employees using technological and/or technical measures, organizations must ensure the rights and interests of the data subjects, particularly that the employees are aware of and consent to the monitoring, which must not be contrary to the law. The Draft PDPL confirms that employees must consent to the processing of their personal data — taking a different approach from the European Union and disregarding the argument that employees’ consent might not be voluntary considering the power imbalance with the employer. For intra-group sharing in a global employee database system, the legal entities must prove that the collection and processing of personal data is lawful, and the employees are responsible for the legality of the information provided. Further, the Draft PDPL indicates that the consent of the employees to share with one entity of the group does not mean the consent is given to the other entities of the group, which will be considered independently.
  • Financial, banking and credit information services: The sale and purchase of credit information is prohibited between financial institutions, credit institutions, and credit information institutions, as is the sending or transmission of unencrypted financial and credit data related to data subjects. Express consent is required to use the credit information of a data subject in credit scoring. The result of credit information assessment can only be binary (pass or fail; yes or no; true or false; etc.) or using a scale based on the database collected directly from the customers of the financial institutions, credit institutions, banks, or credit information institutions. De-identification measures must be applied at a specific stage of the processing. Credit information services/products can only be provided to financial institutions, banks, and credit institutions and when prescribed by law.
  • Health and insurance: Consent is mandatory for the collection and processing of health and insurance information. Organizations operating in the health sector may not provide personal data to healthcare providers or insurance providers, unless requested in writing by the data subject. This could hint that the data subject’s consent alone would not be sufficient in this case, and that the sharing of health information can only be initiated at the request of the data subject. For the sharing of health information in the context of reinsurance, any transfer must be clearly stated in the contract with the data subject.
  • Social network and communication services through cyberspace: Notification to the data subject on personal data processing must clearly state the content of personal data collected when installing or using the services, and organizations must refrain from collecting personal data outside the scope agreed with the user. Service providers are not allowed to request a photo of the ID card as an account authentication factor. Users must be allowed to opt out of cookies and have a “do-not-track” option. The service provider can only track the usage of its platform/OTT services with consent. When providing advertising or marketing services, notification must include information on the sharing of personal data and on the security measures that are applied. Calls and text messages must remain private—any recording or monitoring without the data subject’s consent is expressly stated as an illegal activity.
  • General B2C businesses: Contracts must now contain a clause on personal data protection clearly stating the responsibilities, rights and obligations of the parties.

The Draft PDPL also recognizes new services of (i) personal data protection trust rating organizations, and (ii) personal data protection organizations and experts (notably DPO-as-a-service), making it evident that outsourcing data protection departments and data protection officers (DPOs) is accepted.

Personal data protection trust rating organizations

Personal data protection trust rating organizations assess the ability of an organization to fully comply with the personal data protection regulations. The assessment will evaluate risk factors and their impact on the ability to satisfy personal data protection obligations, and will notably cover market and business environment risks, technological risks, governance risks, personnel risks, and financial risks. Results of the assessment are given in four rating levels—“high trust,” “trust,” “pass” and “failing”—and are reported to a “trust rating council” (a term which has not been defined in the Draft PDPL).

Organizations must satisfy certain eligibility requirements to obtain a certificate to provide trust rating services, including notably:

  • Registered capital of VND 5 billion or more;
  • Having at least one year of experience in personal data protection;
  • Employing at least three qualified personal data protection trust analysts.

Under the Draft PDPL, having a trust rating is mandatory for all organizations processing sensitive personal data. Considering the broad definition of sensitive personal data, which includes personal data that must be processed in an employment relationship (e.g., for salary payment purposes), this requirement will be practically applied to all organizations.

Personal data protection experts and organizations

A personal data protection expert (“PDP Expert”) is defined as a person with technological and/or legal capabilities appointed by a given processing entity to act as personal data protection person (i.e., data protection officer). PDP Experts must obtain a competence certificate from a certification organization whose role is to ensure that the PDP Experts are sufficiently qualified to undertake their roles. The Ministry of Public Security (MPS) will rely on licensed certification organizations to issue competence certificates to qualified PDP Experts who, at minimum, hold a college degree in a relevant field and have completed a data protection certification course.

A personal data protection organization (“PDPO”) is an entity that can be designated by a given data processing entity (including data controllers, data controller-processors, third parties, data transferors, and data recipients—but notably not data processors) as its personal data protection department. The PDPO provides personal data protection services to meet the needs of its appointing entity. The MPS will be in charge of issuing the license to the PDPO, subject to the PDPO hiring at least one technological and/or legal PDP Expert; engaging in functions, tasks, business lines, or domains related to technology and/or law; and obtaining a “pass” trust rating or higher.

The Draft PDPL imposes new requirements on businesses engaged in data processing services, which is now defined as a conditional business line (including any data processor engaged to process data for a data controller), notably to have at least one technological and legal expert (or one technology expert and one legal expert), register business lines related to technology or legal services or consultancy about technology or law related to personal data protection, and obtain a “pass” trust rating level or above.

Outlook

In sum, the Draft PDPL recognizes new data protection services with what seems to be an ambition to build trust (with the certification mechanism for PDP Experts and PDPOs and the trust rating organizations) and provide for sector-specific regulations on personal data protection. As the level of awareness in Vietnam regarding personal data protection remains low, these new service lines and sector-specific regulations might further contribute to the MPS’ efforts on capacity-building.


Related Professional
Quang Minh Vu
+84 28 6284 5661