DFDL Vietnam Legal Alert: Potential Upgrade of Legal Framework on Personal Data Protection

After much speculation and planning by the Government, the Draft Law on Personal Data Protection in Vietnam was officially published for public consultation on 24 September 2024 (the “Draft Law”). The Draft Law builds on the foundation of Decree No. 13/2023/ND-CP dated 17 April 2024 (“Decree 13”), which is the first comprehensive legal framework for data privacy in Vietnam. Nonetheless, it introduces several new and significant regulations. Below are some key points anticipated to impact businesses once the Draft Law comes into effect.

Extend the scope of application:

Compared to Decree 13, the Draft Law adds a further subject to its scope: “Agencies, organizations, and individuals collecting and processing personal data of foreigners within the territory of the Socialist Republic of Vietnam.” This clarification addresses previous debates about whether Decree 13 applied to the personal data of foreigners in Vietnam. However, the Draft Law lacks specific provisions outlining the distinct rights and obligations for entities processing personal data of foreigners, potentially creating uniform compliance obligations for both Vietnamese citizens and foreign nationals.

Detailing compliance regulations for specific cases:

Compared to Decree 13, the Draft Law breaks down personal data privacy compliance obligations into specific cases, including notable ones as follows: (i) protection of personal data in marketing activities; (ii) protection of personal data in behavioral or targeted advertising services (e.g. the collection of cookies on websites); (iii) protection of personal data in big data processing; (iv) protection of personal data in artificial intelligence; (v) protection of personal data in cloud computing; (vi) protection of personal data in employee monitoring and recruitment; (vii) protection of personal data in financial, banking, credit, and credit information activities; (viii) protection of personal data related to social networks and media services provided directly to viewers through cyberspace (e.g. OTT services); etc.

Previously, businesses faced challenges applying the general provisions of Decree 13 to these specific contexts. The Draft Law provides more detailed regulations for each field to a certain extent. However, these regulations are still considered general and not detailed enough, which may complicate practical application without additional sub-law guiding documents.

 

Brand-new regulation on data privacy credit rating:

A significant new provision in the Draft Law compared to Decree 13 introduces data privacy credit ratings, which are expected to increase compliance burdens for businesses. State agencies will license data privacy credit rating organizations operating in Vietnam to rate the data privacy activities/compliance of businesses. A data processing impact assessment (“DPIA”) dossier and/or cross-border data transfer impact assessment (“TIA”) dossier must now include an additional component compared to what was required under Decree 13: a “data privacy credit rating document.”

Moreover, one of the newly added measures to protect sensitive personal data is that it “must be credit rated for data privacy.” It remains unclear whether this requirement applies universally to all entities handling sensitive data, and businesses will need to await further drafts of the law for clarification. Additionally, it is anticipated that once the Draft Law comes into official effect, it will take time for data privacy credit rating organizations to be established and licensed to operate in the market. The question then arises as to how many such organizations will be licensed and what their actual operations will look like. The answers will significantly affect how easily businesses can comply with the Draft Law once this regulation takes effect.

Regarding obligation to submit and update DPIA and TIA:

Contrary to expectations, the Draft Law, similar to Decree 13, does not specify any exceptions to the obligation to submit a DPIA and TIA. This means that all controllers and processors must submit a DPIA to the local regulator, and all cross-border transferors must submit a TIA. The Draft Law provides clearer regulations on updating the DPIA and TIA compared to Decree 13, stating that the dossiers must be updated every six months if there are any changes. This can be reasonably understood to mean that if there are no changes from what has been submitted to the state agency under the DPIA / TIA, businesses do not need to update the dossiers. Additionally, a potential concern for businesses is that the DPIA and TIA forms attached to Decree 13 are no longer included in the Draft Law, and it is unclear whether these forms will be revised or updated. Hopefully, future versions of the Draft Law will clarify these issues.

The Draft Law is expected to be enacted in May 2025 and take effect on January 1, 2026. However, there is no grace period for compliance, except for a limited two-year exemption from the obligation to appoint a data privacy officer, which is only available for some SMEs and start-up enterprises. Additionally, the Draft Law does not mention any transitional provisions or how Decree 13 will be handled after the official issuance of the Draft Law, nor does it address the retroactive effect of the Draft Law on businesses' past compliance with Decree 13. In the coming period, DFDL will provide feedback during the drafting process of the Draft Law to maximize the protection of the interests of businesses in general and DFDL’s clients in particular. Businesses are advised to closely monitor the drafting process of the Draft Law. If there are any comments or suggestions that need clarification, or proposals to the law-making body, please contact DFDL for support or provide feedback directly to the lawmaker through the link: https://chinhphu.vn/du-thao-vbqppl/du-thao-luat-bao-ve-du-lieu-ca-nhan-6957.