To read the article on the Vietnam Investment Review website, please click here.
Decree No.13/2023/ND-CP on personal data protection, which was issued on 17 April with an effective date of 1 July. Its significance is great in that it is Vietnam’s first attempt to consolidate data protection regulations into a single piece of legislation and an effort to build a framework in line with international standards.
It is expected to change the local regulatory landscape and will have far-reaching effects with its extraterritorial scope. Regardless of whether an organisation is based onshore or offshore, Decree 13 will likely capture organisations if it is involved in personal data processing of Vietnamese nationals either in Vietnam or abroad and foreigners residing in Vietnam.
With Decree 13, Vietnam will become the fifth country in the ASEAN region following Malaysia, Singapore, the Philippines, and Thailand with an omnibus set of data protection regulations.
Considering the high internet penetration rate of its near 100 million population and a thriving $23 billion digital economy that experts predict will more than double in just a couple of years, legislators clearly have taken all this as an opportunity to revamp the digital regulatory landscape.
While a digital economy report released by Google, Temasek, and Bain & Company highlighted e-commerce as accounting for $14 billion of the aforementioned $23 billion, the integration of technology across industries is apparent.
Currently, the government is promoting digital transformation in areas such as healthcare, education, finance and banking, and agriculture, but this naturally comes with a slew of risks, with data protection a key concern.
A strong data protection framework is particularly important for a country’s digital economy because it will foster consumer trust, promote increased use of digital tools, and enable businesses to become more resilient. Naturally, the lack of legal instruments that adequately protect data rights will potentially hinder a country’s digital growth.
In Vietnam, businesses have long relied on a patchwork of data protection provisions. As such, there was a need to address the resulting inconsistencies relating to issues including definitions, requirements, and governing authorities.
Decree 13 is a promising starting point. It provides definitions for terms that had been inconsistent and/or absent in previous rules. For example, personal data is now defined as information expressed in the form of symbols, text, numbers, images, sounds, or equivalences in an electronic environment that is associated with a specific individual or helps to identify a specific individual.
Personal data is then classified into two categories – basic data and sensitive data. While some sector-specific regulations had provided for terms akin to sensitive data, this is the first local attempt at providing a definition for sensitive data. It is defined as the information relating to the private life of an individual and, when being infringed upon, could cause a direct effect on the legitimate rights and interests of such individual.
Also, consent rules are now stronger under Decree 13. Consent now must be clearly and specifically expressed by an affirmative action (silence/non-response will not be construed as consent). Consent must be made for a single purpose and when multiple purposes are involved, they must be listed out to ensure that consent is freely given. Decree 13 also provides for data processing principles, such as lawfulness, transparency, accuracy, integrity and security, and also lists data subjects’ rights and obligations.
However, Decree 13 is not without its share of uncertainties. Provisions covering data processing impact assessment as well cross-border personal data transfer data pose great practical challenges for its administrative elements (such as completion of dossiers, manner/form of submission, and timelines) to in-scope onshore and offshore entities. Also, it does not provide specifics on what is required of data protection officers and departments. It is noted that small businesses and startups, save those directly engaged in personal data processing activities, are entitled to a two-year grace period regarding appointments at data protection officers and departments.
That said, Decree 13 is a starting point – but merely a starting point. How the provisions will play out in practice and be enforced, as well as how uncertainties will be addressed, remains to be seen. The upside is that there is room for development, which will be helpful as Vietnam has long-term plans to develop a data protection law to eventually replace Decree 13. Also in the pipeline is a draft decree on sanctions against administrative violations in cybersecurity.
As such, the business communities are strongly encouraged to continuing with to advocate for the alignment of local provisions with international standards and communicating with the relevant competent authorities. Also, Vietnam can also consider being part of more regional cooperation by signing MoUs with neighboring countries. Efforts such as these could help the local framework springboard into an approach that is tailored and fitting to the specific needs and context of Vietnam.