PDP legislation changing the game in data processing

Eunjung Han, consultant, Rouse Legal Vietnam, and vice chairwoman, Digital Sector Committee, EuroCham

It is expected to change the local regulatory landscape and will have far-reaching effects with its extraterritorial scope. Regardless of whether an organisation is based onshore or offshore, Decree 13 will likely capture organisations if it is involved in personal data processing of Vietnamese nationals either in Vietnam or abroad and foreigners residing here.

With Decree 13, Vietnam will become the fifth country in the ASEAN region following Malaysia, Singapore, the Philippines, and Thailand with an omnibus set of data protection regulations. Considering the high internet penetration rate of its near 100 million population and a thriving $23 billion digital economy that experts predict will more than double in just a couple of years, legislators clearly have taken all this as an opportunity to revamp the digital regulatory landscape.

While a digital economy report released by Google, Temasek, and Bain & Company highlighted e-commerce as accounting for $14 billion of the aforementioned $23 billion, the integration of technology across industries is apparent.

Currently, the government is promoting digital transformation in areas such as healthcare, education, finance and banking, and agriculture, but this naturally comes with a slew of risks, with data protection a key concern.

A strong data protection framework is particularly important for a country’s digital economy because it will foster consumer trust, promote increased use of digital tools, and enable businesses to become more resilient. Naturally, the lack of legal instruments that adequately protect data rights will potentially hinder a country’s digital growth.

In Vietnam, businesses have long relied on a patchwork of data protection provisions. As such, there was a need to address the resulting inconsistencies relating to issues including definitions, requirements, and governing authorities.

Decree 13 is a promising starting point. It provides definitions for terms that had been inconsistent and/or absent in previous rules. For example, personal data is now defined as information expressed in the form of symbols, text, numbers, images, sounds, or equivalences in an electronic environment that is associated with a specific individual or helps to identify a specific individual. Personal data is then classified into two categories – basic data and sensitive data. While some sector-specific regulations had provided for terms akin to sensitive data, this is the first local attempt at providing a definition for sensitive data. It is defined as the information relating to the private life of an individual and, when being infringed upon, could cause a direct effect on the legitimate rights and interests of such individual.

Also, consent rules are now stronger under Decree 13. Consent now must be clearly and specifically expressed by an affirmative action (silence/non-response will not be construed as consent). Consent must be made for a single purpose and when multiple purposes are involved, they must be listed out to ensure that consent is freely given. Decree 13 also provides for data processing principles, such as lawfulness, transparency, accuracy, integrity and security, and also lists data subjects’ rights and obligations. However, the decree is not without its share of uncertainties.

Provisions covering data processing impact assessment as well cross-border personal data transfer data pose great practical challenges for its administrative elements (such as completion of dossiers, manner/form of submission, and timelines) to in-scope onshore and offshore entities. Also, it does not provide specifics on what is required of data protection officers and departments.

It is noted that small businesses and startups, save those directly engaged in personal data processing activities, are entitled to a two-year grace period regarding appointments at data protection officers and departments. That said, Decree 13 is a starting point – but merely a starting point. How the provisions will play out in practice and be enforced, as well as how uncertainties will be addressed, remains to be seen. The upside is that there is room for development, which will be helpful as Vietnam has long-term plans to develop a data protection law to eventually replace Decree 13. Also in the pipeline is a draft decree on sanctions against administrative violations in cybersecurity.

As such, the business communities are strongly encouraged to continuing with to advocate for the alignment of local provisions with international standards and communicating with the relevant competent authorities. Also, Vietnam can also consider being part of more regional cooperation by signing MoUs with neighbouring countries. Efforts such as these could help the local framework springboard into an approach that is tailored and fitting to the specific needs and context of Vietnam.

Decree on Personal Data Protection promulgated The Government on April 17 issued Decree on Personal Data Protection which specifies measures and conditions to ensure the work.

Legislators seek to reinforce protection of personal data The addition of provisions on buying and selling private information is expected to be a robust sanction to protect the personal data of consumers in Vietnam.

Protections to be ramped up via new personal data rules The new Decree No.13/2023/ND-CP on protection of personal data will come into effect on July 1, and will apply to both local and offshore entities engaged in personal data processing. While Decree 13 does reflect most of the comments and views from the business community, there are additional requirements applicable to businesses that process such data. In comparison to the last draft, Decree 13 introduces several new and revised concepts.

Nuts and bolts of new personal data decree Last month the government in Vietnam finally issued Decree No.13/2023/ND-CP on personal data protection (PDP). The decree will take effect from July; however, micro, small, and medium-sized enterprises as well as startups (excluding data processing companies) are optionally exempted for two years.