Rouse, in cooperation with Lexology and Global Data Review, hosted a webinar discussing data protection and cybersecurity issues across South East Asia (“Webinar”) on 16 June 2021.  You can watch the full recording of the session here. Participants from more than ten jurisdictions tuned in as Yen Vu (Principal, Country Manager of Vietnam), Kaew (Peeraya) Thammasujarit (Principal, Deputy Country Manager of Thailand), and Eunjung Han (Consultant) shared the legal frameworks of Vietnam, Thailand, Indonesia, and Philippines and current issues. The portion on Vietnam covered the current regulations and how the Draft Personal Data Protection Decree (“Draft PDP Decree”) could possibly impact the consent requirement, cross-border data transfer, cybersecurity and data localization, and cybercrime prevention going forward.  This article will focus on the Draft PDP Decree, its implications and reaction from the private sector, and specific questions raised by participants during the Webinar.

Updates on the Draft PDP Decree

The Draft PDP Decree is significant in many ways, among others, in that it consolidates data protection regulations and reflects international standards. We note that rules absent in current legal instruments are also featured in the Draft PDP Decree. Rouse has written about some notable points here when the latest version of the Draft PDP Decree was first published. The Draft PDP Decree has since undergone a consultation phase that brought forth many comments – both of positive and critical nature. For example, the lack of distinction between data controller and processor is in contrast to international standards under which legal obligations are provided for the respective parties. In addition, “sensitive data”, defined for the first time in Vietnam, appears to include personal financial data and personal location data. This has resulted in comments as to the definition’s far-reaching implication for the banking industry and location-based services such as ride-hailing, map and weather forecast apps.  Cross-border transfer of data and proposed requirements has also triggered much discussion. In particular, the government prior-approval obligation raised comments on the potential hinderance to data/trade flow and general burden on relevant entities because seamless data flow is essential for international trade and multinational corporations to operate at a global scale.  Many businesses also proposed the removal of the local data storage requirement, which also must be fulfilled to carry out cross-border transfer of data.  One of the reasons being that most multinational corporations use cloud infrastructure to manage their data, and thus the condition can be a considerable constraint.[1]

Common questions regarding the Draft PDP Decree

The following are excerpts from the Webinar’s Q&A portion during which the audience raised questions.

1. When will the Draft PDP Decree come into effect?

Following the consultation phase that took place from February to April 2021, the Draft PDP Decree is currently under review and scheduled for submission to the Government by June 2021 as announced in the Prime Minister’s Decision 889/QD-TTg dated 7 June 2021.  The Draft PDP Decree needs to be issued in mid- October at the latest to take effect on 1 December 2021 (i.e., the effective date specified in the Draft PDP Decree).[2] 

2. What would the split of roles and responsibilities between the different relevant authorities look like?

The Ministry of Public Security (“MPS”) is the drafter and main governing authority of the Cybersecurity Law, Draft Cybersecurity Law Decree and Draft PDP Decree. The MPS guides and monitors the implementation of the abovementioned instruments, handles personal data violations and cybercrimes (e.g., investigating infringements, imposing administrative penalties, prosecuting criminal cases, etc.) The Department of Cybersecurity and Hi-tech Crime Prevention is the specific body under the MPS mainly responsible for these duties.

The Ministry of Information and Communication (“MIC”) is traditionally responsible for administering and enforcing regulations in cyberspace, including those related to personal data protection. The MIC makes requests to service providers for removal of information in violation of Vietnamese content rules and is to collaborate with the MPS for cybersecurity breaches. The responsible body within the MIC is the Authority for Broadcasting and Electronic Information (ABEI).

The Ministry of Industry and Trade (“MOIT”) is the drafter and the main governing authority of Decree No. 52 on E-commerce (“E-commerce Decree”). The MOIT guides and monitors compliance of e-commerce regulations including provisions related to personal data protection, handles disputes around personal data protection in e-commerce activities, and imposes relevant administrative penalties.

Further guidance as to how the different ministries and bodies will coordinate and collaborate to carry out their respective roles is expected to be provided.

3. What are the governments priorities in the context of crafting this Draft PDP Decree?

From the MPS’s Proposal for Building the Draft PDP Decree, a document released together with the Draft PDP Decree, we can understand the Government’s priorities and legislative goals as being the following:  

• Ensuring a solid legal framework for personal data to effectively serve as valuable input for Vietnam’s digital economy. This is required to optimize the great potential and fulfill the needs of Vietnam to develop a digital economy and application of science and technology to social life, with most local industries and sectors now involved in processing personal data.
• Tackling cybercrimes such as, among others, illegal trade of personal data, unauthorized disclosure of personal data, and data theft.
• Implementation of e-Government, which requires Government systems storing personal data to ensure security from attacks and appropriation.
• Raising public awareness about personal data protection, especially information about, among others, personal profiles, relationships, health status, financial status so that people understand and strictly comply with the provisions of the law, and can contribute to the prevention and fight against illegal acts.
• Making Vietnam’s data regulations consistent with personal data protection laws of other countries (e.g., European Union’s General Data Protection Regulation (GDPR)).

 4. How will overlaps between the Draft PDP Decree and existing instruments be dealt with, and how would the Draft PDP Decree work in conjunction with different sectoral laws?

Given the Draft PDP Decree aims to be a consolidation of data protection provisions currently scattered across different instruments, there will inevitably be overlaps and conflicts. Some examples are as follows:

• Both the E-commerce Decree and the Draft PDP Decree provide consent requirement rules;
• Both the Information Technology Law 2006 and the Draft PDP Decree provide exemptions for the consent requirement;
• Both the Draft Cybersecurity Law Decree and Draft PDP Decree, as well as other sectoral regulations, stipulate timeframes for data storage;
• Both Decree No. 117/2018/ND-CP dated 11 September 2018 on Protection of Confidentiality and Provision of Client Information of Credit Institutions and Foreign Banks’ Branches and the Draft PDP Decree may overlap in dealing with personal information in the banking industry.

We note that when a law and decree conflict regarding a certain issue, the law shall apply.  If various decrees contain different regulations on the same issue, the one that is promulgated later in date shall apply.[3]  Considering the many existing instruments featuring personal data protection regulations, the application of the Draft PDP Decree when passed will require further guidance by the MPS.  The private sector has suggested that regulations center around the Draft PDP Decree and the Government take steps to develop a roadmap for this process.

To be continued...

Authors: Yen Vu, Eunjung Han, Trung Tran, Khanh Nguyen 

[1] This is included in Vietnam Business Forum (“VBF”)s consolidated comments on Draft PDP Decree. The VBF is a very active dialogue channel between the Vietnamese government and the business community.     

[2] Article 151 of the Law on Promulgation of Le gislative Documents provides that the effective date of the whole or part of a legislative document shall be specified in the document. Nevertheless, the effective date shall not be not sooner than 45 days from the day on which it is ratified or signed if it is promulgated by a central regulatory agency, […]

[3] Article 156 of the Law on Promulgation of Legislative Docments

TAGS

• Vietnam
• Data Privacy
• Webinar