Draft New Decree on Personal Data Protection in Vietnam
On 9 February 2021, the Ministry of Public Security issued a draft decree on the protection of personal data (Draft Decree). This decree, once enacted, will be the first comprehensive legislation of Vietnam on personal data. This blog will analyze some key points of the Draft Decree and compare them with the relevant provisions under the General Data Protection Regulation (GDPR). This post is written by Nguyen Thu Giang and edited by Nguyen Quang Vu. Please download the pdf version here.
1) Scope of application
a) While the GDPR lists out cases that are not governed by the GDPR, the Draft Decree tends to act as a catch-all for types of activities relating to personal data in Vietnam, both materially and territorially.
Material scope
b) Unlike the GDPR, the Draft Decree is silent on which cases can be exempted from personal data protection requirements. For example, the GDPR exempts, among others, the following cases from its governing scope:
i) the processing of personal data by a natural person in the course of a purely personal or household activity; and
ii) the processing of personal data by competent authorities for public purposes such as for the prevention, investigation, detection or prosecution of criminal offences.
c) Given this ambiguity, an individual maintains a contact list, which comprises of name, mobile number, email, in her phone purely for personal purposes, might still be subject to the Draft Decree.
Territorial scope
d) The Draft Decree is also silent on its territorial scope. On the contrary, the GDPR clearly specifies that, regarding territorial scope, it is applicable to the follows:
i) the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not (the establishment criterion);
ii) the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to purposes of providing goods and services, or monitoring the behavior of EU data subjects (the targeting criterion); and
iii) the processing of personal data by a controller not established in the Union but the GDPR is still applied by virtue of public international law.
b) While it is clear that entities having establishments in the territory of Vietnam are subject to the Draft Decree, it remains unclear to what extend overseas entities would be treated likewise. Before the Draft Decree, there are other documents that have touched on this issue. In particular:
i) Under Article 26.3 of the Law on Cybersecurity 2018,[1] overseas providers of telecommunications services, internet services and value-added services in Vietnam cyberspace that collect, analyze or process personal data or data about relationships of users or data generated by users in Vietnam must retain such data for a specific period of time; and such overseas providers must incorporate a branch or representative office in Vietnam; and
ii) Under Article 22.1 of Decree 72/2013,[2] overseas providers of public information across the border and which have users from Vietnam or can be assessed from Vietnam, must comply with relevant Vietnamese laws. Cross-border public information provision is defined as the activity where an overseas entity uses electronic information sites, social networking sites, online applications, search services and other online equivalents in order to provide public information accessed or used by both an entity and an individual in Vietnam.[3]
c) It appears that the above provisions do not take into account the “targeting criterion”[4] of data processing. That said, it is not clear whether the processing of overseas entities who do not intend to offer goods and services to the data subject in Vietnam would be subject to the Draft Decree. For example, a Japanese company sells goods on its website. This company does not intend to sell goods to Vietnamese residents, which is evidenced by the fact that its website is available in Japanese only, the available payment currency does not include Vietnam Dong and the method to ship the goods from Japan to Vietnam is not specified on its website. It is noteworthy that the GDPR does not cover the case where the offer of goods or services is not directed at a person in the Union.[5]
2) The notion of personal data
a) At a glance, both the Draft Decree and the GDPR promulgate that information is regarded as personal data if it relates to an identified natural person or can be used to identify a natural person.[6] It is reasonable that the definition of personal data is often drafted in a broad manner in order to protect an individual’s privacy. However, since Vietnam is a civil law country, a broad definition with no further official guidelines from the authorities might cause ambiguity for one to apply.
b) The following points can be drawn from the guidelines to the GDPR:[7]
i) Whether the information in question is identifiable should be evaluated from the perspective of third parties, rather than just the perspective of the party processing personal information (the objective approach);
ii) To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments; and
iii) The GDPR took a risk-based approach, this means that where there is a reasonable risk of identification, data must treat such data is personal data.
3) Parties involved in the processing of data
Overview
a) The table below summarizes definitions of parties involved in the processing of data under the Draft Decree and the GDPR.
Data controller, joint controller and data processor
a) One of the key difference between the Draft Decree and the GDPR is that the latter clearly allocates responsibilities among parties involved in the processing of data. For example,
b) Regarding the relationship between the controller and the processor, the Draft Decree requires that the controller must be responsible that the processing of data, either conducted by itself or by the processor acted on its behalf, complies with laws. The agreement between the controller and the processor must contain some compulsory provisions.
c) Regarding the relationship among joint controllers, joint controllers are required to have a transparent arrangement that sets out the agreed roles and responsibilities for complying with the GDPR. The essence of the arrangement must be made available to the data subject.
2) Harmonization with other legislations
a) Before the Draft Decree, there are other regulations that have already dealt with personal data. Since these regulations are fragmented, it is expected that the Draft Decree would act as comprehensive legislation. However, there are some issues that the Draft Decree fails to address. For example,
i) It is not clear how the Draft Decree address the processing of personal data which has already been made public. The Draft Decree does not directly address this issue. Instead, it is regulated that obtaining consent from the data subject is not required where other legislation allows so. Under Article 70.4(a) of Decree 52/2014, collecting personal information which has already been publicly disclosed on e-commerce websites are not subject to obtaining consent from such individual. However, this article is applied to information on e-commerce websites only. It is noteworthy that under the GDPR, while one can collect public personal data without obtaining further consent, he/she must inform the data subject his/her intention to process their data.
ii) It is not clear how the processing of personal data conducted by credit institutions is addressed in the Draft Decree. A credit institution when processing financial information of its customers might have to obtain approval from the PDPC (as defined at 5.2). This requirement might cause cumbersome to the business of credit institutions.
3) Other notable points
a) Principles of processing personal data. The Draft Decree introduces principles of processing personal data as follows:
i) Principle of the lawfulness of processing. Personal data is only collected in case of necessity as prescribed by law;
ii) Principle of purpose limitation. Personal data is only processed in accordance with the registered purpose, declared about processing personal information;
iii) Principle of minimalism: Personal data is collected only to the extent necessary to achieve the defined purpose;
iv) Principle of limited use: Personal data is only used with the consent of the data subject or with the permission of the competent authority in accordance with the law;
v) Principle of accuracy: Personal data must be updated and complete to ensure data processing purposes;
vi) Principle of security: Personal data protection measures are applied during the processing of personal data;
vii) Personal principle: Data subjects know and receive notifications about their activities related to the processing of personal data; and
viii) Privacy principle: Personal data must be kept confidential during data processing.
b) Personal Data Protection Committee. Under the Draft Decree, the Personal Data Protection Committee (PDPC) will be incorporated. The PDPC is in charge of, among others, assessing applications for processing sensitive personal data and cross-border transferring of personal data.
c) Personal data of children. Processing children information is subject to stricter requirements.
d) Cross-border transfer of personal data. The following requirements must be met when transferring personal data outside of Vietnam:
i) The data subject consents to the transfer;
ii) Original data is stored in Vietnam;
iii) The country/territory where the data is transferred to has regulations on personal data protection at an equal or higher level than those under the Draft Decree; and
iv) The PDPC approves such transfer.
- End of documents -