When first introduced in 2021, the draft Personal Data Protection Decree (PDPD) was heralded as a Vietnamese counterpart to the GDPR and a new standard for data privacy in Vietnam.
The draft PDPD is not the first legislation that regulates personal data protection. In fact, the Vietnamese legal landscape on privacy has long been shaped by various general and sector-specific rules, such as the Civil Code, Criminal Code, Law on Information Technology, Law on Cyber Information Security, Law on Cybersecurity, Decree 52 on E-commerce, etc. However, the issue with these regulations is that they lack uniformity and might be unable to keep up with the pace of technological advancement. The introduction of the PDPD is thus demanded.
After more than two years since the first draft version came to public awareness, the PDPD is about to reach its final phase. A recap of the PDPD’s legislative history can indirectly tell how critical and sensitive this privacy bill is in the eye of the Vietnamese policy-makers.
- February 2021: The Ministry of Public Security published the first draft version of the PDPD for public consultation.
- September 2021: A revised version of the draft PDPD was submitted to the Ministry of Justice for appraisal.
- From October 2021 to early 2023: The draft PDPD was circulated back and forth between the Government, the National Assembly Standing Committee (NASC), the Politburo, and other State agencies for comments and approval.
- February 2023 to date: The draft PDPD has recently obtained the NASC’s greenlight and is under the final technical process before being officially issued by the Government.
The prolongation of the PDPD’s legislative process can be attributed to the decree’s colossal impact on the rights of individuals which should have been regulated at the law level. Regarding the draft PDPD’s substance, deliberations between law-makers have resulted in marked changes across different versions of the draft PDPD regarding, among others, conditions for cross-border data transfer and sensitive data processing, requirements for appointing a data protection officer and documenting a data processing impact assessment, etc.
The PDPD is expected to be officialized in March or April 2023. The issuance of PDPD will be the legal basis for the promulgation of the draft Decree on Penalties for Administrative Violations in Cybersecurity (PAVCD), which can trigger the imposition of a GDPR-type penalty calculated based on corporate income for PDPD violation. Both the PDPD and PAVCD are worth being watched out for, as they will substantially alter how personal data shall be treated in Vietnam.
