Data protection: Cost-Effective Commercial Approaches to Compliance Risks under Vietnamese Law
July 31, 2023
Data is one of the most important resources a company can own. Accordingly, and after two decades of an unregulated landscape, the Vietnamese government, like many others, issued a Decree[1] providing strict regulations governing data management and processing, which may be challenging to fully implement in a commercially reasonable way.
Soon, companies, especially international ones, will face strict regulations to protect Vietnamese subjects’ data, which will likely become even harsher in the future. They will need to consider the new regulations carefully and adopt measures to ensure compliance and avoid legal issues or penalties. In Vietnam, the fact that these regulations were issued by the Ministry of Public Security (“MPS”) should give foreign companies pause and prompt them to create innovative compliance programs.
Consent of the data subject is the most notable feature of the new regulations. Companies that possess data are now legally required to notify the data subject of (i) the type of data being processed, (ii) the purpose of the processing, (iii) the person or organization processing the data, and, finally, (iv) their rights and obligations.[2] Companies will be challenged to implement efficient processes to comply with these consent requirements or outsource this service.
Under the new regulations, companies are required to obtain express consent from the data subject. This consent could be in the form of a written instrument, voice, a consent box, a text, or others.[3] The absence of an express action, or silence, is not considered consent.
Thus, the question naturally arises: Is it possible for companies to implement a universal privacy notice setting out all the purposes of the data processing and seeking consent via a single checkbox, or must consent be obtained separately for each data processing purpose? The Decree specifies that companies may obtain consent for multiple purposes simultaneously, but the specific purposes must be disclosed, and the data subject must be provided an opportunity to consent separately for each stated purpose.[4] An “all or nothing” check box is not permitted under the regulations.
In addition, parties responsible for controlling and processing personal data must prepare and maintain a “dossier for the assessment of the impact of personal data processing” for inspection and evaluation by the Ministry of Public Security.[5] This dossier must be sent to the Department of Cyber Security and Hi-Tech Crime Prevention of the MPS within 60 days of starting personal data processing. Any updates or changes to the processing impact assessment dossier must also be reported to the MPS. This condition alone may require companies that process significant amounts of data to create additional positions solely to monitor compliance with the regulations.
Finally, several new conditions apply to cross-border transfers of personal data. Once again, the subject must consent, a dossier (transfer impact assessment dossier) must be created,[6] and written notice must be sent to the Department of Cyber Security and Hi-Tech Crime Prevention.[7] This could create difficult complexities for international companies, which may motivate them to store and process their data in Vietnam.
The entire notification and consent process must be observed during all stages of data processing (collecting, recording, storing, publishing, accessing, etc.), unless otherwise provided by the law. Moreover, exceptions are limited to: (i) protection of life and health in an emergency; (ii) disclosure in accordance with the law; (iii) fulfilment of contract obligations; and (iv) support of state agencies as prescribed by specialized law.[8] Furthermore, violation of the regulations on personal data protection enables the data subject to claim damages,[9] although the Decree does not specify the amount of potential liability. Despite the increased complexity of data transfer under the new regulations, companies operating worldwide will likely still prefer to transfer data to their home country. As a result, companies will be compelled to implement procedures to repatriate data pursuant to the regulations.
In conclusion, this Decree will lead to changes in the Vietnamese legal landscape, compelling companies to implement internal procedures and report to the government. Although these changes will probably have less impact on international companies, accustomed to similar requirements in other countries, they may be more problematic for local companies, requiring significant spending on compliance. On the other hand, the Decree creates opportunities for investment in service companies to outsource and manage data of private companies in Vietnam.
[1] Decree No. 13/2023/ND-CP issued on April 17, 2023; takes effect from July 1st, 2023.
[2] Article 11.2
[3] Article 11.3
[4] Article 11.4
[5] Article 24.4
[6] Article 25.3
[7] Article 25.4
[8] Article 17
[9] Article 9.10
View the article on Lexology HERE.
For more information, please contact YKVN Marketing Team:
T: (+84-28) 3 822 3155
marketing@ykvn-law.com