by Steven Jacob
It finally happened. A few weeks ago, the Ministry of Public Security issued its draft Decree on Personal Data Protection. This is apparently the second draft, though I have only seen reference to a previous “outline” issued at the end of 2019. Prepared in conjunction with advisors from the EU, it is less intense than I had thought it might be given such influence. It is also riddled with problems. I have only read the English version, with a couple of references to the Vietnamese version to confirm issues here and there. With that caveat, I want to give a brief overview of some of the rights and responsibilities set out in the draft decree.
The draft decree is not very clear on who must comply with its provisions. It purportedly applies to anyone “involved in personal data.” While personal data is defined as “data about individuals or relating to the identification or ability to identify a particular individual,” the act that makes an entity “involved” is not clear and certainly not defined. The question of national borders is also largely ignored. The definition of personal data processors includes both domestic and foreign entities, but it is not clear how many of the provisions of the decree will apply to foreign ones. It is worth noting that the personal data of Vietnamese citizens must be kept within the borders of Vietnam except for certain explicit exceptions (which I discuss below).
Types of Personal Data
There are two types of personal data defined by the decree, basic and sensitive. Basic personal data is essentially data that can be used to identify a person. It also includes data regarding the online activities of an individual. Though it is defined, the defined term is never used, and it is not clear that basic personal data is actually a subset of personal data. This is obviously a drafting error and will hopefully be remedied in consultations.
Sensitive personal data is data about the life and preferences of an individual: genetics, health, criminal history, politics, etc. It is interesting that both gender identity and sexual orientation are included in this list, possibly a sign of the government moving towards more liberal attitudes on these issues. Sensitive personal data is subject to separate rules for its processing and sharing. For the purposes of this article, I assume that the drafters intended personal data to include basic personal data, despite their failure to actually include it in the appropriate definitions.
The processing of personal data, which probably comprises the acts deemed to make an entity “involved in” personal data, includes:
collection, recording, analysis, storage, alteration, disclosure, granting of access to personal data, retrieval, recovery, encryption, decryption, copy, transfer, deletion, or destruction of personal data or other relevant actions.
This list is important to understand, as the rest of the draft decree refers back to these acts when imposing the enumerated rights and obligations.
Rights of Data Owners
Those whom the personal data is about (the data owners) have specified rights. Those rights include the following:
- to allow or not allow personal data processors or third parties to process their personal data;
- to receive notices from the personal data processors at the time of processing or as soon as possible;
- to request the personal data processors to correct, view, and provide a copy of their personal data;
- to request the personal data processors to terminate the processing of personal data, restrict the right to access personal data, terminate the disclosure or access to personal data, delete or close collected personal data;
- to file complaints in specified circumstances; and
- to claim compensation in the case of a breach.
Most of these rights can be overridden if other legal provisions disallow, amend, or limit them in some way. They may also be waived through consent and set aside upon request from government authorities. They may further be limited in the interests of national security, social order, and safety. There is also an exception for use of personal data by the media, though it is limited to purposes of the public good. This could allow authorities to cite this decree in prosecuting the media for use of personal data they deem not to fall within the provided definitions. Note the language regarding deletion, to “delete or close collected personal data.” This may be an effort to allow for an alternative treatment of collected data short of its outright destruction, an issue for the use of data on the blockchain (as discussed in my article on data protection and the blockchain in Vietnam).
As stated in the rights of individual data owners, individuals have the right to consent to the processing of their data. Unlike previous regulations, the draft decree explicitly defines the required elements of such consent. Before giving consent, the individual data owner must be informed of:
- Types of personal data to be processed;
- Purpose of personal data processing;
- Relevant subjects with whom personal data is processed and shared;
- Conditions for transferring or sharing personal data to a third party; and
- Data subjects’ legitimate rights related to the processing of their personal data.
Silence or non-response cannot be considered consent. Consent does not have to be in writing, but it must be in a form that can be printed or copied in writing. Consent may be partial and may be withdrawn at any time. Proper consent will be deemed to continue through the required life of the personal data: 20 years for the purposes of state agencies, and an unspecified period for non-government data processing entities (though it may be required for up to 20 years after the personal data owner’s death).
If the data processor wishes to use or share the data outside the scope of the activities disclosed in the initial consent, it must notify the personal data owner and obtain additional consent. Processing required by law or by the authorities is excluded from this requirement. Processors may also use scrubbed personal data for research and statistical purposes (activities that are regulated by the draft decree but outside the intended scope of this article).
Data Protection Measures
Entities processing personal data must take specified measures to protect the personal data they collect. They must gather statistics on the collection and use of personal data, limit access to equipment used in the processing of personal data, encrypt collected and processed data, and develop internal regulations for the protection of personal data throughout processing activities.
Internal data protection regulations must provide for the allocation, and possibly the creation, of a data protection department with appointed expert personnel. The regulations must set out procedures to guarantee data protection and to deal with complaints or breaches. These regulations may be inspected by a newly created government agency, the Personal Data Protection Commission, up to twice a year.
Cross-border Transfer of Personal Data
As mentioned above, the personal data of Vietnamese citizens must be kept within the borders of Vietnam. It may be transferred abroad only if all four of the following conditions are satisfied:
- the data owner’s consent is granted for the transfer;
- the original data is stored in Vietnam;
- proof is obtained that the recipient country, territory or a specific area within the recipient country or territory has issued regulations on personal data protection at a level equal to or higher than that specified by the draft decree; and
- written approval is obtained from the Personal Data Protection Commission.
The draft decree then proceeds to undercut this requirement by stating that a transfer may be made upon obtaining consent from the personal data owners and making a commitment to protect that data. Whether this is intended as an alternative route is unclear from the language of the draft, but that would seem to be the case, as the two articles are completely contradictory in their requirements.
Violations of the draft decree will attract substantial fines of 50 to 80 million VND for a first offense. Violations related to sensitive personal data, cross-border transfer of personal data, and second offenses of other violations will attract a fine of 80 to 100 million VND. Further repeat offenses will attract a fine of 5% of the revenue the entity has earned in Vietnam.
The draft decree covers other issues as well. It addresses the processing of children’s data, the data of deceased individuals, and, as mentioned, the use of data for statistical or research purposes. It also creates the new Personal Data Protection Commission and outlines that body’s responsibilities. The Commission is to be based at the Department of Cyber Security and Hi-tech Crime Prevention and Control under the Ministry of Public Security. Finally, the draft decree sets out the responsibilities of the relevant government organs at the various levels of the administrative hierarchy.
The draft decree on personal data protection is an interesting beast. In some areas, it offers clarification of previously confusing regulations, but in others it proceeds to increase that confusion. Particularly concerning is the lack of any attempt to place the new regulations within the existing frameworks of cybersecurity and data protection requirements for foreign data processors. This may change during the consultation process, as Vietnam has increasingly demonstrated a desire to exert control over all foreign digital service providers who have the slightest relation to the country. It will be interesting to see how this draft changes by the time it is finally adopted.