Vietnam Issues New Draft Decree On Personal Data Protection.
25 February 2021
On February 9, 2021, Vietnam’s Ministry of Public Security (MPS) finally released the full text of the Draft Decree on Personal Data Protection (the “Draft”) for public consultation, after having released an outline in December 2019, with an ambitious goal for the Draft to be promulgated and take effect on December 1, 2021.
The Draft is divided into six chapters and 30 articles, providing comprehensive coverage of personal data protection and some brand-new requirements. Notable contents of the Draft include the following:
Re-categorization of personal data into basic personal data and sensitive personal data;
New data processing requirements, including new legal bases for data processing and disclosure without consent; specification of the forms of consent; regulations for data processing for research and statistical purposes and automated data processing; and time limits for data retention;
New data protection measures, including de-identification/encryption requirements, appointment of data protection officers, data accessibility from government authorities, and registration for processing of sensitive data and cross-border transfer of data;
Establishment of a new Personal Data Protection Commission (PDPC) under the MPS; and
New administrative sanctions for violations, including fines of up to 5% of the revenues earned from violating activities.
Among the various newly introduced requirements proposed in the Draft, Article 20 (Registration of Processing of Sensitive Personal Data) and Article 21 (Cross-Border Transfer of Personal Data) are notably problematic, and seem infeasible for the operation of various businesses and industries.
Article 20 – Registration of Processing of Sensitive Personal Data
The Draft’s Article 20 requires that sensitive personal data be registered with the PDPC prior to processing. The scope of sensitive personal data as defined in the Draft ranges from specific types of data such as gender, biometrics, criminal records, and location to very broad concepts such as political and religious views and social relationships.
Among the required contents of the registration application for processing of personal data is an impact assessment report that clearly points out the potential harm to data subjects due to such proposed processing and measures to manage, minimize, or eliminate such harm. The PDPC will process the applications within 20 working days from the date of receipt of a valid application, which means the date that all information and documents provided in the application are acceptable to the officers in charge.
Although the government’s intent is to protect persons and entities covered by the Draft from any improper and harmful processing of their personal data—a laudable goal—this registration requirement potentially creates a huge impact on businesses in terms of time, costs, and administrative procedures. In reality, almost every company, whether a local or an overseas entity, needs to process its employees’ sensitive data (such as health data, criminal records, etc.) for various legitimate purposes. To be eligible to do so under the Draft, companies will have to prepare and submit applications to the PDPC for approval. Not only will this impose significant costs on companies in terms of time, money, and human resources, but it is highly doubtful that the PDPC would have sufficient resources to process the expected volume of applications within the specified timeline.
Article 21 – Cross-Border Transfer of Personal Data
Similarly, Article 21 of the Draft requires that, before transferring Vietnamese citizens’ personal data out of Vietnam, the following four conditions be fulfilled: (i) consent must be obtained from the data subjects; (ii) the original data must be stored in Vietnam; (iii) the data transferor must have proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the Draft; and (iv) a written approval for transfer must be obtained from the PDPC.
The Draft provides an exemption to the foregoing requirement, when there is (a) consent from the data subject, (b) approval from the PDPC, (c) a commitment from the data processor to protect the data, and (d) a commitment from the data processor to apply measures to protect the data. (It is unclear from the wording of the Draft whether the data transferor needs to meet one or all of these criteria to be eligible for the exemption, but presumably all four must be met.)
In order to obtain a written approval from the PDPC, an application must again include an impact assessment report with an assessment of potential harm and measures to manage, minimize or eliminate such harm. The PDPC has 20 working days from the date of submission to process applications for approval.
It is apparent that these requirements in Article 21 could create a barrier to trade and the flow of data, and increase cost, time, and human resources requirements for companies across many industries. For example, there are a significant number of multinational companies operating in Vietnam that need to regularly process personal data, and they usually process such data in a selected country outside of Vietnam or use cloud services with physical servers located outside of Vietnam. This practice is very common for many industries, including e-commerce, banking, travel, education, health care, etc. If all companies sending personal data overseas have to store data in Vietnam, it would create huge costs and additional work and overhead for them. Moreover, the process for applying for approval from the PDPC would unavoidably delay transactions and data transfers, which usually need to be processed instantly.
The Draft is open for public consultation from February 9 to April 9, 2021, and merits the urgent attention of industries, associations, and businesses to share comments with the MPS in order to develop legislation which is effective as well as feasible for implementation, balancing data subjects’ rights with the smooth operation of business.
As the effective date for this legislation could come later this year, it is also important for companies to get a head start on evaluating data transfers and processing within their own organization, and start formulating plans.
For further information, please contact:
Waewpen Piemwichai, Tilleke & Gibbins