Draft personal data protection decree

On 7 March 2022, the Vietnamese Government issued Resolution No. 27/NQ-CP approving the substantive contents of the draft personal data protection decree (the PDPD) (Resolution 27): 

  • The draft remains subject to consultation with the National Assembly Standing Committee (NASC) prior to issuance. So, the timeline for issuance of the PDPD would depend on the comments by the NASC. Under Decision 06/QD-TTg of the Prime Minister dated 6 January 2022, the final version of the PDPD should be presented by the Ministry of Public Security (the MPS) to the Government by May 2022.
  • the MPS is tasked with taking the prime responsibility and coordinating with the Ministry of Justice to formulate the Law on Personal Data Protection. This should occur by 2024.

Under Resolution 27, the Government approved the following cases in which personal data may be processed without the data subject's consent:

  • where the processing is necessary to respond to an emergency which threatens the life, health of safety of the data subject or other individuals. The Data Controller (Bên kiểm soát dữ liệu in Vietnamese), the Data Processor (Bên xử lý dữ liệu in Vietnamese), the Data Controlling and Processing Entity, (Bên kiểm soát và xử lý dữ liệu in Vietnamese), and the Third Party (Bên thứ ba in Vietnamese) bear the burden of proving this case;
  • where the disclosure of personal data is made in accordance with law; 
  • where the processing is necessary as required by national defense and security needs, and is performed by the competent authorities in accordance with other laws;
  • where a competent State authority investigates and handles law-infringing behaviour in accordance with law; and
  • where personal data is processed by a competent State authority for the purpose of serving the operation of State authorities in accordance with law.

This appears to be more limited than in the publicly available draft of the PDPD, which includes, among others, processing of personal data to serve statistical or scientific research operations.

Draft decree guiding the Cybersecurity Law

Ever since its issuance in 2018, the Cybersecurity Law has stirred controversy. Under its Article 26, domestic and overseas providers of telecommunications services, internet services and value-added services in Vietnam’s cyberspace that undertake the collection, analysis, processing of data on personal information, data about relationships of their service users or data created by their service users in Vietnam should retain such data in Vietnam for a specific period of time defined by the Government. Overseas enterprises should open branches or representative offices in Vietnam.

Under the latest publicly available draft of the decree guiding the Cybersecurity Law in August 2019, this obligation will be applicable in order to protect national security, social order and safety, social ethics and health of the community and when all three following conditions are satisfied:

  1. it supplies one of the prescribed services which are generally telecommunications services, internet services and other value-added services on the cyberspace;
  2. it collects, exploits, analyses, or processes activities of prescribed types of data about or created by individual service users in Vietnam;
  3. it has received warnings that its service(s) are used to commit a breach of the laws of Vietnam and fails to take measures for avoiding and resolving [such breach]; or deters, fails to comply with written request by the Department for Cybersecurity and Prevention of High-tech Crime under the MPS regarding coordination in investigating and dealing with a breach of law; or undertakes measures to neutralize and invalidate cybersecurity measures implemented by the cybersecurity specialized force.

In response to recommendations by the Vietnamese Business Forum in February 2022 on recasting data localisation requirements, the MPS advised that businesses are free to transfer user data using data security measures according to Vietnam’s international standards and regulations. Only when enterprises do not cooperate or refuse to cooperate with Vietnamese functional authorities in providing information for investigation and handling of crimes will Vietnam consider appropriate measures, discuss with enterprises and allow a reasonable period of time in order to fulfil data storage requirements and to set up a branch or representative office in Vietnam.

This interpretation of Article 26 of the Cybersecurity Law suggests data will not need to be localised as long as businesses fully comply with the requests of the MPS on coordinating and providing information for investigations and handling of violations.