By Dr. Thao Nguyen Minh Central Institute for Economic Management (CIEM), Vietnam
Vietnam has one of the world’s highest growth rates of internet usage and development. As of 2023, the number of Internet users in Vietnam has reached 77.93 million, accounting for 79.1% of the total population. The number of social media users also reached 70 million, equivalent to 71% of the total population. However, as technology rapidly develops, so does the need for personal data protection. Thus, there is a crucial need for the governments to protect their citizens’ personal data to deter unsanctioned use.
Prior to the promulgation of Decree No. 13/2023/ND-CP, Vietnam’s legal system did not have a unified definition of personal data. There were different definitions of personal data in various legal documents, and the provisions regarding personal data protection were fragmented. This resulted in duplication and overlap, making it challenging to implement the legal provisions effectively. According to the Ministry of Public Security (MPS), more than two-thirds of Vietnamese’s personal data is unsecured due to the proliferation of illegal data collection and exchange.
A closer look at Vietnam’s Decree No. 13/2023/ND-CP
The personal data protection decree was issued by the Vietnam government on 17 April 2023, as part of the government’s effort in implementing the National Digital Transformation Programme which aims to accelerate digital transformation to improve the country’s business efficiency and competitiveness. The decree is scheduled to take effect from 1 July 2023, with the Department of Cybersecurity and Hi-tech Crime Prevention under MPS as the key authority of the personal data protection decree.
Below are some of the notable key provisions of the decree.
The Decree provides a general, unified concept of personal data; recognized in both traditional physical and virtual environments, creating standardisation across existing overlapping legal documents.
Additionally, the decree classifies personal data into two categories – basic personal data and sensitive personal data. Basic personal data includes name, date of birth, gender, nationality, phone number, identification number, marriage status and so on. Sensitive personal data, on the other hand, is more private and if violated, has the potential to jeopardise a person’s legitimate rights and interest. It includes health status, medical records, customer information of credit institutions, location data and so on. This differentiation allows one’s sensitive personal data to be more strictly regulated and protected than before.
Lastly, sale of any data be it basic personal data or sensitive personal data in any form is strictly prohibited by the government, unless it is stipulated otherwise by the law. [4]
To ensure that companies strengthen their responsibilities in data control and processing, the decree divides regulated parties into four categories:
- Personal data controller (“Controller”): an entity or individual who is responsible for determining the purposes and means of data processing
- Personal data processor (“Processor”): an entity or individual who conducts processing on behalf of the Controller
- Personal data controller-processor (“Controller-Processor”): an entity or individual who performs both roles concurrently
- Third party: any organization or individual, other than the data subject, Controller, Processor, or Controller-Processor, that processes personal data
The decree also enforces both the data controllers and processors to keep a profile of the impact assessment of their personal data processing and regularly update it as necessary.
The decree comprehensively regulates the basic rights of individuals as data subjects and sets forth technical and legal requirements for enterprises of controlling and processing data of Vietnamese citizens.
It stipulates 11 rights for data subjects. Namely: (1) Right to be informed; (2) Right to give consent; (3) Right to access personal data; (4) Right to withdraw consent; (5) Right to delete personal data; (6) Right to obtain restriction on processing; (7) Right to obtain personal data; (8) Right to object to processing; (9) Right to file complaints, denunciations and lawsuits; (10) Right to claim damage; and (11) Right to self-protection.
In the case where a Vietnamese citizen’s personal data is needed to be transferred abroad, the sender of personal data need to first create a Dossier of Impact Assessment for the Cross-Border Transfer of Personal Data (“TIA Dossier”) before being able to transfer the personal data out of Vietnam.
The sender will need to notify MPS of information relating to the information transfer for MPS’s review and submit one original copy of the TIA Dossier to the Department of Cybersecurity and Hi-Tech Crime Prevention under MPS within 60 days from the date of personal data processing.
Dossiers on the assessment of impact of processing personal data should also be kept updated and made readily available to the MPS.
Micro, small and medium-sized enterprises and startup companies have the right to opt for exemption from regulations on personal designation and personal data protection for a period the first 2 years, from the date of establishment of the business, except for enterprises that are directly engaged in the processing of personal data.
Key Challenges in implementing the Personal Data Protection Decree
1. Integration of data processes into businesses – While large organisations typically have an existing system that is compliant with international data protection regulations, small and medium-sized businesses face the technical challenge of creating such a process for both data controllers and processors to meet these new regulation requirements. These businesses will need to review their entire process to meet these new data requirements and may not have the technical capabilities to evolve in such a short period of time to meet all the data requests, especially extensive impact assessment and filing requirements from stakeholders.
2. Withholding of personal data information – with the decree stipulating that the data subject has the right to “delete or request deletion of his/her personal data” or “obtain restriction on the processing of his/her personal data”, this creates a challenge for businesses (e.g. airlines and hotels) who have been collecting these personal data in their systems to make these changes quickly.
3. Government agencies to adapt to new technologies and maintain impartiality –governments will also face the challenge and pressure in pivoting to new technologies to meet the new data regulations in areas of data review, inspection and assessment, to identify data protection anomalies and data violation. Additionally, as government agencies themselves are subjects under the inspection of personal data protection, there is a need for all agencies including the governing authority of data protection, MPS, to maintain impartiality in their own internal inspection.
In conclusion, protecting personal data is essential for establishing trust in online services and encouraging participation in the digital transformation process. The issuance of Decree No 13/2013/ND-CP by the Vietnam government is a crucial step towards meeting the demands for personal data protection. However, to fulfil the promise of the personal data protection decree, it will require the MPS to provide a detailed guidance on implementing this decree, for it to properly serve as a foundation for the future development of the law on protection of personal data.
Dr. Thao Nguyen Minh is the Head of the Business Environment and Competitiveness Research Department, at the Central Institute for Economic Management (CIEM), Vietnam. She is an expert in business environment and digitalization. She is also the key drafter of Vietnam’s National Strategy for Fourth Industrial Revolution by 2030.
The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute.
