Philip Ziter, lawyer at Russin & Vecchi
Vietnam’s Ministry of Public Security (MoPS) has released the full text of the draft decree on personal data protection for public comment. The draft decree is expected to take effect on December 1, regulating the cross-border transfer of data, processing of sensitive personal data, and the rights of individuals. Based on the existing draft, the free flow of data will be adversely affected.
The new rules are based on the European General Data Protection Regulation. As such, this transition could be a means for Vietnam to integrate into a circle of countries that have already adopted fairly sophisticated rules for dealing with privacy. But for Vietnam, considering its current level of protection, the new rules will be a fairly large step.
The draft decree would apply to every agency, organisation, and individual involved in the processing of personal data which originates in Vietnam. It applies to both local and foreign processors, whether based in Vietnam or abroad.
Unlike the narrower approach taken in many jurisdictions, the draft decree has a wide scope. As defined, personal data concerns an individual or relates to the identification of a particular individual. This includes basic personal data such as a name, date of birth, blood type, marital status, and activity or history of an individual’s activity on the internet, as well as sensitive personal data such as political opinion, financial data, religious views, physical and mental health, social relationships, biometrics, actual location, criminal records, and many more.
Financial data and health-related data were previously classified as state secrets and enjoyed additional protection. But since late 2020, rules defining state secrets were relaxed and such data is no longer a state secret. The draft decree considers this data sensitive personal data, which shall be protected as such.
Personal data processing is broadly defined as any action having to do with personal data, including the collection, recording, analysis, storage, alteration, disclosure, retrieval, encryption, decryption, transfer, deletion, and destruction, among others.
The collection, storage, processing, disclosure, and transfer of information and materials related to the private life of an individual must be consented to by that person, unless consent is exempted by law, and the use of such personal information must be consistent with the scope of the consent. Children below 16 lack the legal capacity to give consent. In that case, consent must be obtained from the child’s parent or legal guardian.
For the most part, existing data protection laws do not expressly state whether the subject’s consent must be affirmative or may be implied. The draft makes it clear that consent must be voluntary, based on full information, and that failure of a subject to respond does not constitute consent. This means that consent must be explicit and affirmative.
Consent can be partial or conditional, and it can be withdrawn at any time. Consent, under the draft decree, must be capable of being printed or copied in writing, and is valid throughout the life of the subject and for 20 years after their death, unless the subject decides otherwise. In the case of a dispute, the burden of proving consent rests with the data processor.
Personal data may be disclosed to third parties without consent in certain cases, such as to protect the life, health, or freedom of the subject, or where disclosure causes no harm to the legitimate rights and interests of a subject, and where obtaining consent would be impossible.
The draft decree requires that a person gives consent before their data is disclosed or processed, but it provides some exceptions, such as if provided by law; for matters of national security, social order, and safety; while investigating an act in violation of law; and as permitted by regulations in international agreements or treaties of which Vietnam is a member.
For the purpose of establishing these new rules, the MoPS will set up a committee on personal data protection (PDPC). This committee will be empowered to inspect for compliance with personal data protection regulations up to twice a year.
Moreover, under the current version of the draft decree, sensitive personal data must be registered with the PDPC prior to processing. To register, processors must submit an application which meets specific requirements, and the PDPC will then process the application within 20 working days from receipt. This requirement would obviously be extremely burdensome for most companies.
According to the draft decree, there would be a permit required to make cross-border transfers of personal data. Personal data of Vietnamese citizens can be transferred out of the territory of Vietnam when the following four conditions have been satisfied:
- The person consents to the transfer;
- Original data will continue to be stored in Vietnam, meaning data localisation;
- The data processor must prove that the recipient country or territory has regulations on personal data protection at a level equal to or higher than those specified in the draft decree; and
- Written approval of the transfer is obtained from the PDPC.
These new regulations on cross-border data transfer would create enormous barriers to trade and would unreasonably restrict the flow of data. This would result in increased costs for existing businesses, certainly deterring new businesses, and would negatively impact development of the digital economy.
The draft decree is a step well beyond the data localisation requirements which have already been enacted. Requirements regarding cross-border transfers of data were highly criticised when the Law on Cybersecurity was issued in 2018. A draft decree guiding the implementation of that law has somewhat narrowed the broad language. With the new decree, there could be much confusion about data localisation requirements.
The draft decree also mentions possible fines for violations. Administrative fines could amount to up to VND100 million (over $4,300) for violations of rules on registration for processing of sensitive personal data or rules on cross-border transfers of personal data, as well as up to 5 per cent of the violator’s annual revenues in Vietnam for repeated violations.
Regarding labour contracts and internal labour rules, employers will need to implement their personal data obligations as they relate to the personal data of their employees. Special consideration should also be given to staff in employment agreements, internal labour rules, and collective labour agreements.
To prevent future claims from employees over unpermitted processing of their personal data, employment agreements should clearly state that employees must be aware of and comply with requirements on personal data protection, and account for data processing by the employer of employees’ personal data for the purpose of employment, for example on tax and health information and for the processing of CVs and other documents.
An enterprise should also consider updating current and future contracts with customers to ensure that it is entitled to process and disclose specific personal data, and that customers give consent.
In certain circumstances, the internal labour rules must be registered with the authorities, but there is no requirement to register a company’s privacy policy. As such, it may be beneficial if the privacy policy is separated from the internal labour rules so it can be adjusted at will.
Vietnam’s data privacy protection regime continues to evolve. But enterprises should take measures to be prepared when the draft decree takes effect in December this year. The decree would introduce a number of new and material changes to the existing regime on data privacy protection.
As more enterprises embrace new technologies and increase their digital footprints, they naturally collect, receive, transmit, and use ever-increasing amounts of data from their customers, employees, and various other subjects. Under the current language of the draft, it could be hard to imagine an enterprise that would not qualify as a data processor.
Lastly, the government has solicited and received public comments on the draft. The final version is likely to include a number of changes. However, we believe the most prudent approach will be to prepare. Hence, enterprises are urged to work with the information available and make a plan based on the current draft’s language. Conducting a legal data audit and examining current policies, including the possibility of amending existing agreements and privacy policies, is a good starting point.