Vietnam: Data Privacy in a Communist ASEAN State
(2021) 170 Privacy Laws & Business International Report, 1, 5-8
6 Pages Posted: 19 Jul 2021
Date Written: April 20, 2021
Vietnam, a ‘socialist market economy’ under the firm control of the Community Party, had from 2006-14 gradually developed a range of data privacy protections in its e-commerce and consumer laws, to the level of the OECD Guidelines (or APEC Privacy Framework). The 2016 Law on Cyber-Information Security (CISL) expanded existing protections into the single most detailed set of data privacy principles in a Vietnamese law, but with its scope limited to commercial processing and only in ‘cyberspace’, so it was not comprehensive. Vietnam is now proposing to enact a comprehensive data privacy law for the first time. a draft Decree on Personal Data Protection (‘Decree’) released for public consultation by the Ministry of Public Security (MPS). This article analyses this proposed law by comparison with international standards, and previous Vietnamese practice.
The Decree includes many of the requirements of the EU Data Protection Directive 1995, including some limits on automated processing, data minimisation, sensitive data protections, export limits based on the law of the recipient country, and individual access to the courts. In addition, the influences of the GDPR are seen in the inclusion of genetic and biometric data in sensitive data, and fines based on business turnover. Going beyond the GDPR is the inclusion of geographical location data in sensitive data.
An innovation is that the law creates a Personal Data Protection Committee (PDPC), located within the Ministry of Public Security (MPS). The scope of the law is comprehensive, stating that it ‘applies to agencies, organizations and individuals related to personal data’, with some exceptions. The scope of the law extends to anyone ‘doing business in Vietnam’, not only those located in Vietnam. ‘Sensitive’ data is given a very extensive definition, important because sensitive personal data must be registered with the PDPC, which is of concern to foreign businesses, including because of doubts that the PDPC will be able to process the volume of applications in the 20 days specified. The proposed Decree has detailed baseline data export requirements for the first time, the complexity of which are also of concern to foreign businesses. The PDPC’s largely discretionary powers over the approval of processing sensitive data, and over personal data exports, make the proposed Decree potentially onerous for foreign companies.
Keywords: Vietnam, ASEAN, data protection, privacy
Suggested Citation: Suggested Citation