9 Takeaways From Vietnam’s Draft Decree On Personal Data Protection

This article was written in Vietnamese by Trinh Huu Long and previously published in Luat Khoa Magazine on February 18, 2021. The translation was done by the author.


It’s been almost three years since Vietnam’s National Assembly passed the highly controversial Cybersecurity Law. No guidance on the law’s implementation has been given as the central government usually does in the case of decrees, circulars, and decisions.

A draft decree was made available to the public for comments back at the end of 2018, but it quickly disappeared after receiving huge backlash from domestic and international actors.

Earlier this month, the Ministry of Public Security’s website announced another draft decree which was to address personal data protection.

You can find the full text of this document in Vietnamese here (Google Drive link). The draft decree is available for public consultation from February 9 to April 9.

We have taken a look at the text and below are nine takeaways.

1. Two types of personal data

The draft decree categorizes personal data as two types: basic and sensitive.

Basic personal data includes information about personal identification, such as name, date of birth, place of birth, address, nationality, ethnicity, marital status, and ID number. One thing, however, is unclear: “data containing online activities and history.”

Sensitive personal data includes political and religious opinions; health, genes, sex, biometrics; finances; sexual life; residence; social networking; and others.

2. Individual right to personal data

Individuals have a wide range of rights regarding their personal data as follows:

  • To consent or refuse data processing by others of one’s own personal data;
  • To be informed of personal data being processed by others;
  • To demand an end of data processing; to file complaints about violations;
  • To demand compensation in cases of data abuse;
  • Sensitive personal data should not be released. Plus, no release of basic personal data is allowed should it negatively affect its owner. The draft decree doesn’t specify the term “to release personal data” and whom the data is released to besides the public, but based on the wording of Article 6, the draft seems to be only addressing releases to the public.

According to Article 10, all personal data, regardless of being basic or sensitive, is subject to being processed (collection, storing, and use) without consent in the following circumstances:

  • Matters relating to national security, public security, and public order;
  • Emergencies where the freedoms, or the health and life of the owner’s personal data or of the community’s are being involved;
  • Investigations and convictions of legal violations;
  • Conducting research and gathering statistics (after de-identifying the data);
  • Other circumstances according to the law and international treaties.

The last circumstance, “other circumstances according to the law,” is a loophole that is widely used in the legal system of Vietnam to give the government’s executive branch, especially ministries, an almost unlimited ability to interpret laws and regulations using circulars and executive decisions.

4. Personal data being processed without informing its owner

According to the draft decree, the owners of personal data are normally informed should their data be processed by government agencies or other legal actors.

However, there are three exceptions to the rule, and the most concerning is the second one (Item b, Section 3, Article 11): “In case the processing of personal data is constituted by the law, international agreements, and international treaties.”

This is another loophole in an important matter relating to the transparency of personal data processing.

5. The establishment of the Committee on Personal Data Protection

A new government agency called the Committee on Personal Data Protection is going to be established. It will be set up under the central administration.

The Ministry of Public Security (MPS) can appoint no more than six members to the Committee upon the cabinet’s approval.

The Committee is closely tied to the MPS Department of Cybersecurity and Hi-Tech Crimes Prevention as it is headquartered at the department and chaired by the department’s head officer.

6. Permit required for processing sensitive personal data

Article 20 requires that parties who want to process sensitive personal data must register with the Committee on Personal Data Protection.

However, the Article excludes activities by government agencies relating to law enforcement, judicial procedures, heath, social security, and scientific research. That means these agencies don’t need to register. Also, the Article leaves another loophole for other authorities to exploit by attaching a clause saying “other activities according to the law.”

What remains after excluding the above-mentioned government agencies? Enterprises and non-governmental organizations, both domestic and international ones. Services such as social media, banking, and healthcare must register with the Committee.

7. Permit required for conducting cross-border transfer of personal data

This is directly related to foreign services operating in Vietnam or domestic services operating in other countries, especially technology companies.

Article 21 states that four conditions must be met before a party can make a cross-border transfer of personal data:

  • Data owner’s consent;
  • Storing the original copy of the data in Vietnam;
  • Providing documents that prove the data receiving countries have personal data protection regulations at the same or higher level than that of this decree;
  • Obtaining a written approval from the Committee.

The second and third conditions can be waived should the data processing party provide statements regarding their commitment on protecting the data.

The data processing party must archive records of data transferring within three years, and stop transmitting data should data leaks or abuses occur, or should they no longer have sufficient capacity to protect the data, or the data owner is incapable/ having difficulties  protecting his/her rights and interests.

The Committee on Personal Data Protection will routinely inspect data transmitting parties once a year.

The requirement of storing data’s original copy in Vietnam will likely make it a bit more difficult for foreign social networks, email services, and e-commerce activities to operate in Vietnam. According to Google expert Duong Ngoc Thai, Facebook is unlikely to store users’ personal data in Vietnam but rather just cache data to make access to its services faster.

8. Administrative fines can be up to 5 percent of the total revenue of a company in the Vietnam market

Those who violate the regulations on personal data protection are subject to fines of 50 million dong or 5 percent of their total revenue in  the Vietnam market.

Simultaneously, violators can also be banned from processing personal data for 1 to 3 months and may have their data processing licenses revoked.

If not allowed to collect, store and use users’ personal data, online services will probably not be able to function the way they do currently.

The decree doesn’t specify how the government can prohibit online services from processing personal data, but the Cybersecurity Law provides the government  with the authority to order the telecommunications companies to block services and sources of information that are deemed to be harmful to society.

9. Effectivity

The draft decree is expected to take effect on December 1, 2021, as stated in the document.