Update on Regulations of Personal Data Protection in Vietnam and What Local/Offshore Companies/Platforms need to know
The draft Personal Data Protection Decree (PDPD) was introduced in 2021 and was hailed as a significant step towards data privacy regulation in Vietnam, with the potential to be the Vietnamese counterpart to the GDPR as a new standard for data privacy in Vietnam.
Although the Vietnamese legal landscape on privacy has been shaped by various general and sector-specific rules such as the Civil Code, Criminal Code, Law on Information Technology, Law on Cyber Information Security, Law on Cybersecurity, and Decree 52 on E-commerce, these regulations lack uniformity and are potentially outdated, struggling to keep up with the pace of technological advancement. The introduction of the PDPD is thus much needed.
The PDPD is about to reach its final phase, more than two years since the first draft version came to public awareness. The legislative history of the PDPD highlights its critical and sensitive nature in the eyes of the Vietnamese policymakers.
Legislative history:
- February 2021: The Ministry of Public Security published the first draft version of the PDPD for public consultation.
- September 2021: A revised version of the draft PDPD was submitted to the Ministry of Justice for appraisal.
- From October 2021 to early 2023: The draft PDPD was circulated back and forth between the Government, the National Assembly Standing Committee (NASC) and other State agencies for comments and approval.
- February 2023 to date: The draft PDPD has recently obtained the NASC’s greenlight and is under the final technical process before being officially issued by the Government.
Conclusion:
The prolonged legislative process can be attributed to the colossal impact of the decree on the rights of individuals, which necessitates thorough and careful consideration. Among other things, lawmakers have deliberated on conditions for cross-border data transfer, sensitive data processing, requirements for appointing a data protection officer and documenting a data processing impact assessment, etc. The PDPD is expected to be officialized in March or April 2023, and it will be the legal basis for the promulgation of the draft Decree on Penalties for Administrative Violations in Cybersecurity (PAVCD). The PAVCD can trigger the imposition of a GDPR-type penalty calculated based on corporate income for PDPD violation.
It is highly suggested that foreign companies promptly comply with applicable requirements regarding personal data protection to avoid the risk of facing adverse enforcement actions in future. In case adequate compliance is yet to be feasible, an exchange of notice with a competent authority explaining the situation will be preferred.
