SALIENT POINTS IN THE NEW DRAFT LAW ON PERSONAL DATA PROTECTION

Abstract: The upcoming Personal Data Protection Law (PDPL), with 68 articles across seven chapters, introduces significant new regulations compared to the existing Personal Data Protection Decree (Decree 13). Its primary objective is to govern the processing of personal data in various specific contexts, including marketing, behavioral and targeted advertising, big data analytics, artificial intelligence, cloud computing, recruitment practices, employment monitoring, banking and finance, social networks, and media services. Additionally, the PDPL addresses specific categories of personal data, such as health and insurance data, location data, biometric data, credit data, and children's information. The PDPL is slated for enactment in May 2025 with effect from January 1, 2026.

Key words: #asialegal #business #PDPL #draftlaw #dataprotection #personaldata #vietnam #Decree13

The Vietnamese Government has recently released the draft Personal Data Protection Law (PDPL) for public consultation. While both the PDPL and the Personal Data Protection Decree (Decree 13) share a common goal of protecting personal data and empowering individuals with control over their personal information, it is essential to understand the nuances between the PDPL and Decree 13 in order to build a compliance roadmap as soon as the PDPL comes into effect. The new key points include the following:

  1. Slight amendments to the rules for protection of personal data
    • The parent company, subsidiary companies, and each company within an economic group or corporation have an independent responsibility to protect personal data according to Vietnamese law. The consent of a data subject for one company does not imply consent for all companies within the economic group or corporation to process personal data. This rule aligns with the principles in the General Data Protection Regulation (GDPR) and shall avoid any case similar to Jeffrey Piccolo vs. Disney[1].
    • As a result of the above-mentioned rule, foreign companies that recruit and process personal data of Vietnamese employees residing and working within Vietnam’s territory must have written agreements or contracts with the invested entity in Vietnam regarding the processing of employees’ personal data.
  2. Anonymization and Pseudonymization in Personal Data Processing
    • In the context of data privacy and protection, the PDPL provides that personal data can undergo specific transformations to generate new data that ensures anonymity while still allowing for further processing, namely: (i) Anonymization refers to the process of transforming personal data in such a way that it becomes impossible or highly unlikely to identify an individual from the resulting data; (ii) Pseudonymization involves replacing direct identifiers with pseudonyms or codes, making it more difficult to directly link the data to an individual.
    • The transformed personal data can be used for research, statistical analysis, and other purposes without infringing upon privacy rights, while still enabling the Data Controller to revert the transformation.
  3. Types of services that must comply with personal data protection regulations
    • Over-The-Top (OTT) services like YouTube, TikTok, Netflix, Skype, etc., which provide direct communication and entertainment to users, are not allowed to request Vietnamese citizens’ identity documents (such as national ID cards) for account verification purposes. Additionally, they are prohibited from eavesdropping on calls, recording conversations, or reading text messages without the explicit consent of the data subject. However, if an OTT service conducted verification of Vietnamese citizens’ identity documents prior to the effective date of the PDPL, the handling would depend on further guidance or explanations from the authorities.
    • Credit information services (CIC) shall be required to limit the display of credit information to binary outcomes (e.g., “Pass” or “Fail”, “Yes” or “No”) or a simple credit score, as is common practice. With this limitation, data subjects can rest assured that their financial information remains secret and is not exposed to everyone.
    • Personal data protection in Big Data analytics: the PDPL provides that when the data subject publicly shares personal information on social media platforms, it shall become part of the public domain, allowing organizations to extract insights from vast amounts of data, including personal data. However, limitations should be further regulated in consideration of the hiQ vs LinkedIn case[2], where the social media platform has internal rules against extracting published information of the data subject.
  4. Conditional business activities in the field of personal data protection:
    • Personal Data Protection Organization Services: This refers to services in which the provider acts as an external entity responsible for safeguarding personal data of the Data Controllers, Data Processors, Third Parties, and those involved in transferring personal data abroad or receiving personal data from Vietnamese citizens.
    • Personal Data Protection Rating Services: These services involve assessing, verifying, confirming, and rating the level of trustworthiness regarding the protection of personal data conducted by other entities, that is, evaluating how well an entity handles and secures personal data.
    • Personal Data Processing Services shall become conditional (previously not regulated in Decree 13).
    • To engage in these services, businesses must hold Certification(s) demonstrating both their technological and legal capabilities in personal data protection.
  5. Other new regulations that need further guidance
    • The draft PDPL also provides new concepts and regulations, aiming to create a legal framework for personal data protection in the fields of cloud computing, artificial intelligence, biometric verification, location tracking and other specific contexts. These legal frameworks are expected to be closely connected with the draft Law on Data (currently under public consultation), the Law on Telecommunications 2023, and other specialized laws.

[1] https://www.linkedin.com/posts/asialegalvn_disney-lawsuit-activity-7244163645197205504-J2yO

[2] https://www.linkedin.com/pulse/landmark-case-linkedin-vs-hiq-labs-naman-gupta-5ypff/
