Insights

Insights


Latest News

    Trending Topics

      Futures

      Products


      Brand Protection

      IP Intelligence

      Litigation Analysis

      Case Management

      Nunc Orci


      Products Case Studies

      People

      Careers

      About

      Announcements

      • About Us
      • The Rouse Network
      • The Rouse Difference
      • Rouse Connect

      Grass Roots

      • Climate Change
      • Mitrataa
      • Rouse Cares

      ClientWEB

      Thank You

      Your are now register subscriber for our Rouse

      New Draft Decree on Personal Data Protection in Vietnam

      Published on 22 Jan 2020 | 3 minute read

      It is expected to bring about unity in regulating personal data protection

      With the Industrial revolution 4.0 underway, personal data is has become an extremely valuable asset across various sectors including e-commerce, healthcare, security and education. The high rate of internet usage in Vietnam begs for an effective protection mechanism for personal data. In our previous article on three new important regulations on data protection in the making, we introduced the Vietnamese government plan to build a Decree on Personal Data Protection, creating the foundation of a unified regulation on personal data protection in Vietnam. On 27 December 2019, the Vietnamese Government published a  draft proposal, draft outline and policy impact assessment report for this upcoming decree on its website which is open for public comments and opinions.

      According to the draft proposal, personal data wrongdoings in Vietnam have become prevalent, posing a serious threat to the safety of the digital economy. The most prominent examples include the leak of 411,000 “Golden Lotus” member accounts by Vietnam Airlines in 2016 and more than 163 million customer accounts by VNG in 2018.  Meanwhile, Vietnam’s legislation on personal data protection remains scattered and insufficient to address the situation.

       The Ministry of Public Security (“MPS”) draft proposal is based on four main policies, including:

      1. Rules on personal data;
      2. Rules on personal data protection;
      3. Rights and obligations of relevant entities in personal data protection; and
      4. Sanctions against violation.

      In light of the above policies, the draft decree outlines the following provisions:

      • Definitions and principles related to personal data protection;
      • Rules for the processing of personal data, including provisions on the right to process personal data; data owner’s consent for processing; collection/ disclosure/ analyzing/ modification/ use/ deletion & destruction of personal data; processing personal data in exceptional circumstances, like when the data owner deceases; etc.
      • Rights of data owners, including the right to be informed of the processing and receipt of their personal data; limitation on such rights; right to request for the termination of personal data processing, deletion, and destruction of personal data; right to file complaints; right to request for damages.
      • Measures to protect personal data, including technical measures, state management measures, protection measures implemented by the competent authorities.
      • Registration to process sensitive personal data and registration for cross-border transfer of personal data.
      • Competent authority on personal data protection.
      • Actions against violation.

      The Decree is expected to bring about unity in regulating personal data protection in Vietnam, however concerns are being raised about the cost of compliance.

      In comparison to the MPS’s initiative presented in April 2019 and the policy impact assessment report, the draft outline seems to not include the following provisions:

      • Obligations of citizens to personal data: Corresponding with the citizens’ legal rights, it is reasonable to provide details on what their obligations to personal data in a separated section. This can cover the negative obligation to refrain from conduct that would infringe upon someone’s enjoyment of the right to data protection or the obligation to comply with the instructions given by competent authority on personal data protection and provision;
      • Registration for the transfer of personal data to a third party;
      • Procedures for processing data in some special sectors such as banking, health, IT and education.

      The draft proposal and outline on the protection of personal information has attracted widescale attention from the general public. It is indeed an essential response to the rapid development of information technology and in line with the government’s attention to this area of law. For now, the draft outline only includes limited amount of content with the names of articles. The draft proposal and outline are available for public consultation and MPS will consider relevant comments from the public while moving the draft forward. The MPS is expected to submit to the Government the Draft Decree in 2020.

      30% Complete
      Principal, Vietnam Country Manager Rouse Legal Vietnam
      +84 28 3823 6770
      Principal, Vietnam Country Manager Rouse Legal Vietnam
      +84 28 3823 6770