Notable points under the Draft Law on Personal Data Protection (Draft PDPL)

On 24 September 2024, the Ministry of Public Security (MPS) published the draft law on personal data protection (Draft PDPL). Compared to Decree 13/2023, the Draft PDPL introduces several significant points related to personal data protection. This blog will explore the key highlights and implications of these new provisions.

1) Expanded scope of application

As compared to Decree 13/2023, the Draft PDPL broadens its scope to cover additional entities, being “agencies, organizations, and individuals collecting and processing personal data of foreigners within Vietnamese territories” (Article 1.2(dd)). This provision appears to enhance the protection of personal data belonging to foreign nationals. However, it remains unclear whether the provision applies solely to foreigners present in Vietnam or also to those residing abroad. The ambiguity lies in the interpretation of the phrase “within Vietnamese territories”. If it extends to foreigners outside Vietnam, it could impose significant compliance burdens on Vietnamese enterprises processing personal data of foreign nationals.

Furthermore, it is confusing that the Draft PDPL does not address the existing ambiguity in the scope of application under Decree 13/2023. Instead, it introduces another type of applicable entity that could potentially create even greater uncertainty.

2) Definition of personal data associated with “citizen”

Unlike Decree 13/2023, the Draft PDPL defines both basic personal data and, seemingly, sensitive personal data as being specifically associated with “citizens”. It is unclear why the Draft PDPL limits its personal data protection to citizens rather than to all individuals, regardless of nationality or status. This approach is not in line with the term “personal data” in the GDPR (which refers to that of a natural person). Furthermore, limiting protections to citizens could also infringe on the rights of non-citizens and stateless people, potentially conflicting with Article 21 of the 2013 Constitution, which guarantees privacy rights to "everyone," not just citizens.

Additionally, the term “citizen” is ambiguous, as it is unclear whether it refers to Vietnamese citizens only or also encompasses foreign citizens. If the former interpretation is adopted, this would be inconsistent with the broader scope outlined in Article 1.2(dd) of the Draft PDPL, which governs the personal data of foreigners. If the latter interpretation is adopted, it would not be reasonable for the Draft PDPL and Vietnamese authorities to govern personal data of foreign citizens (especially those who are not in Vietnam).

3) New entities involved in personal data protection

The Draft PDPL introduces new categories of organizations/individuals involved in personal data protection, including (i) developers related to personal data protection; (ii) personal data protection organizations (PDP Organizations); (iii) personal data protection experts (PDP Experts); (iv) organizations qualified for personal data protection certification; and (v) organizations providing credit ranking on personal data protection. These newly defined entities are expected to strengthen personal data protection in practice.

However, similar to Decree 13/2023, the Draft PDPL lacks “sub-processor” and “joint controller” concepts, which are expressly governed under the GDPR. This omission creates uncertainties, such as whether a sub-processor should be classified as a third party or a processor, and what rights and obligations apply in these cases. Additionally, there is a lack of regulation for scenarios where two controllers process personal data at different stages of processing.

4) Stricter requirements on data subject’s consent

The Draft PDPL provides for stricter requirements for obtaining data subject’s consent as compared to Decree 13/2023, including:

  • Consent must not impose conditions requiring the data subject to consent to the transfer of their personal data for services unrelated to the purpose of collection. Data subjects must be allowed to refuse such conditions;

  • Consent must be given through an affirmative action that provides a clear and specific indication, which is in line with the GDPR (Recital 32); and

  • Consent given to one company in a corporate group does not imply consent for other companies within the group to process the data.

Notably, the Draft PDPL retains the heavily consent-based approach of Decree 13/2023 (i.e., processing primarily based on the data subject’s consent, with limited exceptions) and does not introduce additional grounds for lawful processing to balance the rights of the processor/controller, such as legitimate interests pursued by the controller/processor or by a third party, as outlined in the GDPR.

5) New provisions on personal data protection in specific fields

The Draft PDPL introduces specific provisions on personal data protection across various sectors such as massive data; AI; cloud computing; recruitment and employee monitoring; financial and banking; health and insurance; social network and OTT services; and special types of data (e.g., location and biometric data). Key highlights include:

  • Massive data processing: The Draft PDPL allows organizations to use personal data published by the data subject on platforms “without any limitations” (Article 23.1). The phrase “without any limitations” may raise questions about whether the data subject’s consent is required;

  • Cloud computing service: Contracts with cloud service providers must include clauses on personal data protection. Specifically, providers may process clients’ personal data solely for the benefit of and on behalf of their clients (Article 25.2(b));

  • Recruitment and Employee Monitoring: Employers can only request information disclosed in publicly available recruitment materials or an employee's profile (Article 26.1). This restriction may limit employers' ability to collect additional personal data during employment, such as for investigating breaches of labor contracts/internal rules;

  • Finance and Banking: Credit institutions, insurance organizations, and intermediary payment service providers are prohibited from unlawfully sharing or transferring personal data among themselves or with other organizations, except as explicitly permitted by law (Article 27.2);

  • Health and Insurance: Personal data cannot be shared with healthcare or insurance providers unless the data subject provides written consent (Article 28.3);

  • Social Networks and OTT Services: Service providers are prohibited from requiring identity card photos for account verification (Article 31.1(c)).

6) New requirements on PDP Organization and PDP Expert

The Draft PDPL introduces more detailed requirements for appointing a PDP Organization and PDP Expert compared to Decree 13/2023. Key points include:

  • The PDP Organization and PDP Expert must have expertise/capacity in technology and/or law. The PDP Expert must hold specific qualifications (Articles 36 – 38);

  • Unlike Decree 13/2023, the Draft PDPL requires the appointment of a PDP Organization and PDP Expert for both basic and sensitive data processing, with the exception that micro and small enterprises are exempt for the first two years (unless they are directly processing personal data) (Articles 48.3, 49.1 and 68.2);

  • The Draft PDPL also allows for the PDP Organization to be an external service provider, offering controllers and processors greater flexibility in meeting these requirements. The external service provider acting as the PDP Organization must have a rating of “Passed” in personal data protection (Article 37.1(c)).

These stricter requirements even exceed the GDPR's standards, which only mandate a Data Protection Officer (DPO) in certain cases (Article 37). While these new provisions may create job opportunities for legal and technology experts, they could also place significant financial and operational burdens on businesses.

7) Privacy credit rating service

A significant new point of the Draft PDPL is the introduction of a privacy credit rating service that assesses the credibility of organizations and individuals involved in personal data processing. Providers of this service must meet strict requirements (e.g., a minimum legal capital of VND 5 billion and submission of a detailed service proposal). The service offers a certification mechanism with four rating levels: “highly credible,” “credible,” “passed,” or “not passed” (Article 41). However, the Draft PDPL does not specify criteria for each rating level, leaving room for further guidance in subsequent decrees.

The introduction of this service and certification mechanism could impose significant paperwork and financial burdens on businesses. In particular:

  • Businesses seeking licenses for personal data processing or PDP Organization services must secure at least a "passed" credit rating certification (Articles 37.1(c) and 43.2(c));

  • The data processing impact assessment (DPIA) dossier must now include a document on privacy credit rating (Article 44.1(l)) - an entirely new requirement compared to the DPIA components outlined in Decree 13/2023; and

  • Privacy credit rating is now recognized as a measure for protection of sensitive personal data (Article 49.5).

Unlike the voluntary certification mechanism in the GDPR (Article 42), the Draft PDPL requires privacy credit rating certification in certain scenarios, imposing stricter compliance requirements.

8) New requirement for updating DPIA and TIA dossiers

The Draft PDPL requires that the DPIA and cross-border transfer impact assessment (TIA) dossiers must be updated every six months if there are any changes, as well as immediately in specific situations, such as company dissolution or mergers (Article 46). This could increase administrative burden for the data controller/processor.

Similar to Decree 13/2023, the Draft PDPL maintains the strict obligation for submitting DPIA and TIA dossiers without any exceptions. This means that all personal data processing activities or cross-border data transfers will be subject to this requirement.

Notably, the Draft PDPL does not address the use of templates for DPIA and TIA forms. This omission raises uncertainty regarding whether the templates under Decree 13/2023 (including those available on the National Public Service Portal) will remain valid or be replaced.

9) New cases of cross-border personal data transfer

The Draft PDPL specifies the cases that are considered cross-border personal data transfers, including: (i) sharing personal data with recipients outside of Vietnam; (ii) sharing personal data at conferences, seminars, meetings, or discussions held abroad; (iii) sending documents or emails containing personal data to recipients outside of Vietnam; (iv) publishing personal data in cyberspace, making it accessible to individuals outside of Vietnam; (v) providing personal data to organizations, enterprises, or individuals to carry out business activities; and (vi) providing personal data to fulfill legal obligations abroad or in accordance with the laws of the host country.

This broad scope, without exceptions, may present practical challenges for businesses. For instance, routine activities such as sending an email containing a personal data-laden signature to international clients could fall under scenario (iii). Similarly, publishing personal data on a publicly accessible website or social media platform—without any intent to target individuals outside Vietnam—might still fall under scenario (iv). Such an expansive interpretation may be seen as excessive and impractical, potentially disrupting daily business operations and having adverse effects. Hopefully, the future version of the Draft PDPL will address these concerns.

10) Other notable points

Additional noteworthy points in the Draft PDPL include:

  • Stricter requirements for personal data protection in marketing/advertising, including compliance with regulations on anti-spam and fraudulent SIM cards (Articles 21 – 22);

  • A new principle for group processing - Each company within a corporate group is independently responsible for ensuring personal data protection (Article 3.4);

  • Provision dealing with conflict with other laws - In case of conflict, the Draft PDPL takes precedence over other laws related to personal data protection (Article 6.1);

  • Transition period: The Draft PDPL does not provide a grace period for full compliance after its effective date, except for a two-year exemption allowing micro-enterprises and start-ups to delay appointing a PDP Organization and PDP Expert.

This post is written by Trinh Phuong Thao.