CIPL provides comments on the Vietnamese draft decree on the protection of personal data
On April 8, 2021, the Center for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted comments to the Vietnamese Ministry of Public Security (“MPS”) on the Vietnamese Draft Decree on Personal Data Protection (“Draft Decree”).
The Draft Decree was published on the MPS website on February 9, 2021. The deadline for submitting comments was April 9, 2021. If it enters into force, it would introduce the first comprehensive data protection law for Vietnam. The Draft Decree borrows concepts and definitions from a variety of global data protection laws and frameworks, but also deviates from global norms in several ways. It covers many privacy issues that are often included in comprehensive data protection laws, such as (1) rights of data subjects; (2) restrictions and conditions on the processing of personal data; (3) children’s privacy; and (4) cross-border data transfers.
In its comments, CIPL focused its recommendations and proposed amendments primarily on the ways in which the Draft Decree deviates from global norms. In particular, CIPL made several key recommendations, including that the MPS:
- Revise the section on cross-border data transfers by replacing the existing requirements, which currently require consent, data localization, adequacy assessment and ex ante regulatory approval, with a comprehensive set of globally recognized cross-border data transfer mechanisms such as contracts, company rules and bilateral agreements;
- Make sure the law isn’t so consent-dependent that it undermines legitimate, necessary, and beneficial processing activities, by adding additional bases for processing, such as a legitimate interests basis;
- Reconsider the proposed ex ante registration requirement for processing sensitive personal data and replace it with a risk-based approach that includes impact assessments;
- Make a clear distinction in the law between data controllers and data processors and define their respective obligations; and
- Enable automated decision-making for purposes that go beyond the current scope of the Draft Decree and limit its use to processing in the performance of a contract.
CIPL’s comments also touched on a few other important issues, such as (1) asking the MPS to clearly define when its rules for processing children’s data would apply; (2) ensuring that data breach notifications are only required if the breach is likely to result in significant harm to a data subject; and (3) extending the effective date to give organizations sufficient time to comply with the law.
Read CIPL’s full commentaries in English and Vietnamese.