Key Highlights Of Vietnam New Data Law

A new Data Law, passed in late November 2024 and set to take effect on 1 July 2025, focuses primarily on establishing a national general database and data centre for state use. However, it also introduces rules on digital data (data in the rest of this article) that concerns the private sector, such as, data products and services. The Government is also drafting three draft decrees detailing key issues under the Data Law, including Data-Related Products & Services Draft Decree, Core & Important Data Draft Decree and a Master Draft Decree.

This blog will discuss several key points under the Data Law and related draft decrees. This post is written by Ha Thanh Phuc and Trinh Phuong Thao.

1)          The police will review and supervise your data activities

The Ministry of Public Security (MPS) again is authorized to regulate all activities relating to data except for data under the Ministry of Defence. Accordingly, it seems that Vietnam considers data as security issue and violation of data activities could result in significant liabilities. This could raise significant compliance costs for businesses and companies in Vietnam if they want to be fully comply with unclear rules (see discussion below).

1)          Conditional Business Lines

Amendments to the Investment Law 2020 in late 2024 now require businesses involved in (i) data intermediary products and services, (ii) data analysis and synthesis, or (iii) data platform services to meet certain conditions. The Data Law suggests that:

a. data platform services may be restricted to state enterprises and public providers, potentially excluding private companies; and

b. only providers of data analysis and synthesis services that potentially harm national defence, national security, social order, safety, social ethics, or public health, which have been detailed under the Data-Related Products & Services Draft Decree, will be subject to these conditions.

Under the Data-Related Products & Services Draft Decree, businesses in these sectors are subject to strict requirements. Notably, all such businesses must maintain an escrow of at least 5 billion VND at a Vietnamese commercial bank to cover compensation and expenses in the event their licenses are revoked.

Read MoreInfo
Comment
Written by Nguyen Quang Vu On In ,

Notable points under the Draft Law on Personal Data Protection (Draft PDPL)

On 24 September 2024, the Ministry of Public Securities (MPS) published the draft law on personal data protection (Draft PDPL). Compared to Decree 13/2023, the Draft PDPL introduces several significant points related to personal data protection. This blog will explore the key highlights and implications of these new provisions.

1)         Expanded scope of application

As compared to Decree 13/2023, the Draft PDPL broadens its scope to cover additional entities, being “agencies, organizations, and individuals collecting and processing personal data of foreigners within Vietnamese territories.” (Article 1.2(dd). This provision appears to enhance the protection of personal data belonging to foreign nationals. However, it remains unclear whether the provision applies solely to foreigners present in Vietnam or also to those residing abroad. The ambiguity lies in the interpretation of the phrase “within Vietnamese territories”. If it extends to foreigners outside Vietnam, it could impose significant compliance burdens on Vietnamese enterprises processing personal data of foreign nationals.

Furthermore, it is confusing that the Draft PDPL does not address the existing ambiguity in the scope of application under Decree 13/2023. Instead, it introduces another type of applicable entity that could potentially create even greater uncertainty.

2)         Definition of personal data associated to “citizen”

Unlike Decree 13/2023, the Draft PDPL defines both basic personal data and, seemingly, sensitive personal data as being specifically associated to “citizens”. It is unclear why Draft PDPL limits its personal data protection to citizens rather than to all individuals, regardless of nationality or status. This approach is not in line with the term “personal data” in GDPR (which refers to that of a natural person). Furthermore, limiting protections to citizens could also infringe on the rights of non-citizens and stateless people, potentially conflicting with Article 21 of the 2013 Constitution, which guarantees privacy rights to "everyone," not just citizens.

Additionally, the term “citizen” is ambiguous, as it is unclear whether it refers to Vietnamese citizens only or also encompasses foreign citizens. If the former interpretation is adopted, this would be inconsistent with the broader scope outlined in Article 1.2(dd) of the Draft PDPL, which governs the personal data of foreigners. If the latter interpretation is adopted, it would not be reasonable for the Draft PDPL and Vietnamese authorities to govern personal data of foreign citizens (especially those who are not in Vietnam).

Read MoreInfo
Comment
Written by Nguyen Quang Vu On In

E-signatures of individuals under the Law on E-Transaction 2023

On 22 June 2023, the National Assembly passed a new Law on E-transactions, set to be effect from 1 July 2024 (LET 2023). The LET 2023 introduces significant changes regarding the use of e-signatures by individuals as outlined below:

1)         Restriction on individuals’ right to create and use of their own e-signature

The LET 2023 categorizes e-signatures into three types as below, none of which encompass e-signatures self-generated by individuals:

  • specialized e-signatures (chữ ký điện tử chuyên dùng), which are created and used by organizations for their “own private operations” in accordance with their function and tasks;

  • public digital signature (chữ ký số công cộng), which are used for “public activities” and are secured by an e-certificate confirming the public digital signature issued by a qualified service provider; and

  • specialized digital signature for official use (chữ ký số chuyên dùng công vụ), which are digital signatures used for official activities and are secured by an e-certificate confirming the specialized digital signature for official use issued by a qualified service provider

Unlike the broader definition of e-signatures under the LET 2005, which may cover signatures self-created by individuals, this classification significantly limits individuals' ability to create and use their own e-signatures. Under the LET 2023, individuals may be required to use a public digital signature issued by a third-party service provider in normal e-transactions.

Read MoreInfo
Comment
Written by Nguyen Quang Vu On In ,

Difficulties In Dealing with the Administrative Procedures under Personal Data Protection Decree

Decree 13/2023 on Personal Data Protection (PDPD) has stirred a lot of excitement among legal professionals in Vietnam. Recently, such excitement met with the cold hard realities of the difficulties in fulfilling even the basic administrative procedures under PDPD. In particular, in July 2023, the Ministry of Public Security (MPS)  published the required contents of the file for assessment of the impact of personal data processing and the file for assessment of the impact of offshore transferring personal data. The levels of details and analysis required to prepare these files are very demanding. For example, the MPS require these files to include the following information and documents:

Read MoreInfo
Comment
Written by Nguyen Quang Vu On In ,