The fast-paced development of technology and science in recent times has resulted in various legal issues regarding personal data privacy in Vietnam.
Currently, personal data in Vietnam is regulated by various laws and legal documents, which cannot provide consistency comparable to the General Data Protection Regulation (GDPR) of the European Union, the Personal Information Protection Law of China, and laws and regulations from other nations.
|Vi Nguyen - Lawyer, Dentons LuatViet |
In this context, a draft decree on personal data protection was drafted to gather feedback and opinions from 2021. However, in February this year, the government published Resolution No.13/NQ-CP approving the application to draft the decree on personal data protection.
Accordingly, the National Assembly Standing Committee has considered the necessity of the order, procedures, and documents for the draft decree. This is an important step forward in personal data protection in Vietnam.
Resolution 13 provides for circumstances when personal data can be processed without the consent of the data owner. Compared with the draft decree and the currently regulations on personal data, the aforementioned regulations on personal data have new definitions, namely regarding personal data controllers and personal data processors.
Currently, the laws in Vietnam do not separate the data controller and data processor, and only refer to “organisations and individuals collecting, processing, and using personal data from other individuals” as well as “organisations and individuals processing personal information”.
The addition of the new definitions should bring Vietnamese laws closer to the level of GDPR, which provides a clear definition of data processor and data controller as well as their obligations. However, as the latest version of the draft has not been disclosed, the details are unknown.
The disclosure of personal data is in accordance with the law. Areas covered include national defence, security, safety, significant disasters, and pandemics, among others.
For the performance of contracts of data owner with the relevant agencies, organisations and individuals must act in accordance with the law. Accordingly, Resolution 13 has expanded the cases where the processing organisation can process personal data without consent from the data owner “to perform the contracts on use of information, products, and services on the internet” provided in the Law on Information Technology to contracts of data subjects. This provision is relatively broad and might need further clarification.
Overall, the broadness of the above regulations could be exploited to unnecessarily process personal data without the consent of data owners. As such, authorities should provide appropriate guidance on this regulation to limit the use of this provision affecting the interest of data subjects.
Resolution 13 also fails to clarify the application of the regulations to personal sensitive information or children as data owners. As these issues are special in nature, the processing of such data or from such owners should be regulated separately. Therefore, the official decree on personal data protection should be examined holistically.
Although Resolution 13 shows the government’s intention to emulate the GDPR of the EU, authorities must provide specific guidance and explanation for circumstances of processing data without consent from the data owner, particularly for circumstances where data is processed for the performance of contracts of the data owner with relevant agencies, organisations, and individuals in accordance with the law.
| ||Vietnam bulking up protection of online information |
In Vietnam, the government has drafted a new decree on the protection of personal data, expected to come into effect at the end of the year. Yen Vu, Trung Tran, and Khanh Nguyen from global intellectual property leader Rouse focus on the proposed provisions on obligations of cross-border information providers and data centre services.
| ||Planning crucial for personal data protection overhaul |
The Ministry of Public Security’s draft decree on personal data protection is expected to impact the free flow of data once it takes effect in December. Philip Ziter, lawyer at Russin & Vecchi, analyses possible impacts based on the existing draft.
| ||Multi-cloud is the new trend |
Cloud computing is no longer just a phase, it has become a vital trend in Vietnam, especially for the local banking sector. Tran Nhat Minh, VIB deputy CEO and head of Banking Technology Services, shared with Nhue Man how multi-cloud is now essential due to the personal data security and large storage capacity it offers.
| ||Ensuring protection of children’s personal data |
Over the years, protecting children’s informational privacy has become a controversial issue. From a legal perspective, there are two questions: to what extent does it depend upon parental control and consent, and how is this factor incorporated into the law seeking to protect children’s informational privacy?