Amid on-going discussion on Decree No. 13/2023/ND-CP on Personal Data Protection (the “PDPD”) which has been in effect over a year, the Ministry of Public Security (the “MPS”) recently released a draft Law on Personal Data Protection (the “Draft PDPL”) on 24 September 2024 for public consultation. The Draft PDPL, with seven (7) chapters and sixty-eight (68) articles, marks a critical development for personal data protection regime in Vietnam. This Special Alert yields several remarkable insights on the Draft PDPL.
Expanding Scope of Application
In comparison with the PDPD, the Draft PDPL expands its scope of application to include entities (organizations and individuals) that process the personal data of foreigners within the territory of Vietnam. Accordingly, data subjects being foreigners will also be protected in particular circumstances under the Draft PDPL.
However, the revision fails to address the existing concern regarding the interpretation of the term “in Vietnam”, and raises the need for clarification to differentiate between the two concepts “in Vietnam” and “within the territory of Vietnam”.
Refining Core Definitions and Proposing New Concepts
Key definitions from the PDPD have been refined, including “basic personal data”, “sensitive personal data”, and “overseas transfer of personal data”, etc.
- Instead of only listing the types of data being classified as basic personal data, the Draft PDPL provides further explanation as “basic information of citizens or information other than sensitive personal data, which is associated with the citizens’ identity”;
- Notably, “sensitive personal data” further includes information about land users and land data. This intention aims to ensure consistency with the new 2024 Land Law, which classifies land data as state secrets in accordance with the law and recognizes that information about land users cannot be disclosed without consent, except in certain cases stipulated by law;
- For the modification of “overseas transfer of personal data”, the Draft PDPL provides for more specific situations that fall within this definition. The scope of overseas transfer of personal data has been clarified and widened, compared with the PDPD, in particular:
- Sharing personal data with recipients outside the territory of Vietnam;
- Sharing personal data at conferences, seminars, meetings, or discussions held abroad;
- Sending documents or emails containing personal data to recipients outside the territory of Vietnam;
- Publishing personal data online where it is accessible outside the territory of Vietnam;
- Providing personal data to foreign organizations, businesses, or other individuals for business purposes; and
- Providing personal data to fulfill legal obligations abroad or in accordance with the laws of the host country.
With this revision, it appears that more organizations and enterprises may be required to prepare and submit the Overseas Personal Data Transfer Impact Assessment Dossier (the “OPDTIA Dossier”) under the Draft PDPL.
Several new concepts are being introduced, including: “developers”, “personal data protection organization” (the “PDPO”), “personal data protection expert” (the “PDPE”), “PDPO service”, “PDPE service”, “certification organization of eligibility for personal data protection (the “Certification Organizations”)”, “credit rating for personal data protection”, “credit rating organizations for personal data protection” (the “CRO for PDP”), and “personal data processing service” (the “PDP Service”), etc.
- The Draft PDPL allows for the provision of PDPE services and PDPO services, provided that certain requirements are met as prescribed therein.
- PDP Services also appear as a conditional business line under the Draft PDPL. Accordingly, in addition to the registration of relevant business lines in accordance with the enterprise law and investment laws, a sub-license must be obtained from the Personal Data Protection Agencies (the “PDP Agencies”) attached to/assigned by the MPS, namely, the Certificate of Eligibility for PDP Services. Notwithstanding the detailed requirements regarding the provision of these businesses and services, further guidance will be required for practical implementation.
- Under the Draft PDPL, more protection requirements are also imposed on the processing of basic and sensitive personal data. Remarkably, it is compulsory for entities processing personal data to appoint both PDPO and PDPE as one of personal data protection methods, regardless of the type of personal data to be processed (i.e., basic or sensitive). Information of such PDPO and PDPE must be communicated to the PDP Agencies, unless the processing entities are individuals, in which case information of relevant individuals must be communicated.
- Additionally, in case of processing sensitive personal data, it is required to conduct “credit evaluation of personal data protection”, although this concept is not clarified in the Draft PDPL.
- New definitions of “credit rating for personal data protection” and “credit rating organizations” are added. Accordingly, a credit rating mechanism is provided by a licensed rating organization, containing four levels (high credibility, credibility, pass, and fail). This also imposes the new obligation for organizations/enterprises when conducting the Personal Data Processing Impact Assessment Dossier (the “PDPIA Dossier”).
Emphasizing and Revising the Principles for Personal Data Protection
The Draft PDPL reaffirms fundamental principles concerning transparency, scope, application of protection methods during processing, and obligations of entities processing personal data as mandated by the PDPD. Notably, the Draft PDPL reiterates that trading of personal data is strictly prohibited.
Of particular importance, the Draft PDPL introduces a new provision regarding the processing of personal data by companies within the same corporate group. Specifically, each member company within the same corporate group must obtain explicit consent from the data subject before processing their personal data. Furthermore, each member company bears its own independent responsibility to protect the data it processes.
Identifying Marked Changes in PDPIA Dossier and OPDTIA Dossier
- More components have been added to the PDPIA Dossier. Notably, a credit rating document for personal data protection is required to be provided as a supporting document.
- Components of both the PDPIA Dossier and OPDTIA Dossier have been revised in general. Typically, requirements on a designated personal data protection officer under the PDPD have been further elaborated, aligning with the new requirements applicable to the PDPO and PDPE under the Draft PDPL. Accordingly, both PDPOs and PDPEs must meet specific qualifications related to technological and/or legal expertise, as well as other statutory conditions. Therefore, it can be implied that documentation evidencing the fulfillment of these qualifications may be required to accompany the PDPIA Dossier and OPDTIA Dossier.
- Furthermore, the Draft DPDL requires that both Dossiers to be updated every six (6) months in the event of changes, and immediately in some specified situations such as corporate restructuring, amendment to or change of information of PDPO/PDPE and nature of business.
Personal Data Protection in Specific Sectors
The Draft PDPL introduces significant rules for emerging sectors, including artificial intelligence (AI), big data, and behavioral/targeted advertising.
For the AI sector, the Draft PDPL permits the use of personal data for research and development of automated systems like self-learning algorithms. However, it mandates that processing parties notify data subjects about how these systems impact their rights and provide opt-out options. This underscores the law’s focus on balancing innovation with the protection of personal rights.
Big data processing is addressed by allowing companies to exploit personal data that has been publicly disclosed by the data subject without restrictions. This presents new opportunities for data-driven platforms but also raises concerns about the potential for overreach in data usage, which may require careful interpretation and implementation. Similarly, in behavioral and targeted advertising, the Draft PDPL introduces stricter rules, requiring explicit consent from the data subject and mechanisms to refuse data sharing.
Other key sectors impacted by the law include cloud computing, where technical and organizational safeguards against unauthorized access are emphasized, and finance, where new pseudonymization regulations have been introduced. These pseudonymization requirements, which aim to de-identify personal data, are currently limited to the financial sector, though the technology’s application is expected to expand into areas like healthcare.
Conclusion
The Draft PDPL is set to open up numerous new business sectors, aligning with social and economic development while fostering the growth of high-quality human resources in personal data protection. However, it introduces new legal obligations, necessitating swift adaptation and adjustments by organizations, businesses, and individuals. The current legal document, PDPD, will likely undergo significant amendments to ensure compatibility and provide clear guidance and detailed explanations for the Draft PDPL’s provisions.
The Draft PDPL is expected to be submitted to the National Assembly for approval in the May 2025 session. Therefore, it is anticipated that any issues and gaps in the document will be thoroughly reviewed and addressed.
