Data is now regarded as the key building block of the global digital economy, and its application plays an essential role in redefining socioeconomic systems. Among the subsectors of data law, regulations on the cross-border transfer of personal data have drawn considerable attention from both legislators and businesses, and Vietnam is no exception. In early 2021, the Ministry of Public Security (MPS) began soliciting public opinion on the draft of Vietnam’s first-ever unified legal instrument prescribing data protection: the Draft Personal Data Protection Decree (PDPD), with one article dedicated to regulating the cross-border transfer of personal data.
- Requirements under Vietnam’s legislation
To be specific, under Article 21.1 of the Draft PDPD, personal data of Vietnamese citizens can be transferred out of the border and territory of Vietnam when the following four conditions are fully satisfied:
- The data subject’s consent is granted for the transfer;
- The original data is stored in Vietnam;
- The recipient country imposes the same or a higher level of data protection (a document proving such sameness is required); and
- Written approval is obtained from the Personal Data Protection Commission.
The second criterion above introduces a concept of data localization that has attracted much controversy recently, due to its seemingly rigorous nature as well as its potential contradiction with the regulations provided for under the Law on Cybersecurity 2018 and the Draft Cybersecurity Decree, which has yet to take effect.
Departing from this general requirement for the cross-border transfer of personal data, Article 21.3 proposes an exception when the four conditions under Clause 1 of this Article do not need to be fulfilled:
- The data subject’s consent is granted for the transfer;
- Written approval is obtained from the Personal Data Protection Commission;
- There is a commitment to protect personal data from the data processor;
- There is a commitment to apply personal data protection measures from the personal data processor.
Regarding this Exception Clause, two issues remain open: first, whether one or all of the four given conditions must be met for personal data to be legally transferred out of Vietnam; and second, should the latter apply, how this exception differs from the general requirements collectively provided for by the first two clauses of this Article.
Besides, when it comes to the cross-border transfer of sensitive personal data, Article 21.7 proposes the imposition of a registration process that requires, among others, the submission of an impact assessment report consisting of a detailed description and purpose of the transfer, an assessment of potential harm, as well as measures to mitigate or eliminate such harm.
After the consultation round, the MPS, in September 2021, submitted the revised Draft PDPD to the Ministry of Justice for internal appraisal. Unlike other standard drafting processes, the revised version of the Draft PDPD is being kept strictly confidential from the public.
Notwithstanding the inaccessibility of the revised Draft PDPD, there was an important legislative movement that could provide hints as to the major substance of this updated version. In particular, in late September 2021, the MPS released the Draft Decree on Penalties for Administrative Violations in Cybersecurity (PAVCD) to gather public opinions. Since the formulation of penalties depends largely on the existing obligations stipulated in other legal documents, the Draft PAVCD can partly reveal what amendments have been made to the Draft PDPD.
Per the wording of the Draft PAVCD, it appears that the precondition for the cross-border transfer of personal data has been simplified to a notification and post-inspection procedure, in place of the pre-approval approach as suggested under the initial version of the Draft PDPD. Accordingly, only the following three conditions shall be met:
- The data subject’s consent is obtained;
- There is an impact assessment report related to the transfer; and
- There is a legally valid agreement that binds organizations and individuals involved in the cross-border transfer and receipt of personal data.
The impact assessment report and the legally valid agreement shall be made available to serve the inspection and assessment activities of the Personal Data Protection Authority within 60 days from the date the enterprises start their operation. In addition, the party carrying out the transfer may also need to notify the Personal Data Protection Authority of the responsible contact point’s information when the cross-border transfer is completed.
- Observation on data laws of other jurisdictions
- The General Data Protection Regulation of the European Union (GDPR)
Before delving into analysis, it is worth mentioning that the GDPR can be considered as the main source of inspiration for the formulation of the Draft PDPD, as evident in the great similarities between the two concerning different matters, e.g., the broad definition of personal data, the prescription of the data subject’s rights, the extraterritorial scope of regulation, the potentially harsh penalties for non-compliance, etc.
Because the GDPR is directly applicable, it imposes no additional requirement on transfers of personal data within the Union. For non-EU data transfers, the GDPR sets out specific requirements that must be met before the transfer can be carried out. In particular, parties engaging in a non-EU transfer need to verify whether there is an adequacy decision of the European Commission determining that the recipient country ensures an adequate level of data protection; if there is not, they shall provide appropriate safeguards in a specified form.
The GDPR also prescribes several exceptions under which the transfer of personal data can take place even in the absence of the abovementioned transfer mechanisms (e.g., when explicit consent is given by the data subject; when the transfer is necessary for the performance of a contract; etc.).
- The Personal Information Protection Law of the Republic of China (PIPL)
The PIPL, which became effective as of 1 November 2021, signifies a milestone in the information protection landscape of China. Despite being viewed as the Chinese counterpart to the GDPR, the PIPL seems to impose more stringent obligations on, among other matters, how personal information can be transferred across the national border. Notably, in addition to the general prerequisites for the cross-border transfer of personal information, the PIPL requires Critical Information Infrastructure Operators and organizations processing personal information that has reached a prescribed threshold to store in China personal information domestically collected and generated. In case they need to transfer such personal information abroad, they shall pass a security assessment administered by the government authorities.
- Closing remark
The benefits offered by a digital economy can only be sufficiently captured if the approach and legislative framework are coordinated across all sectors, balancing adequate data security with reasonable freedom of data flows. As Vietnam is on the way to introducing its first-ever comprehensive legal instrument on personal data protection, it remains to be seen how policymakers can facilitate the emergence of a more equivalent, safe, and trusted regulatory regime in a globalized era.