Creating a legal framework for personal data protection

Continuing the 43rd Session program, on the afternoon of March 11, the National Assembly Standing Committee gave opinions on the draft Law on Personal Data Protection.

7 principles of personal data protection

The Government's submission stated that although there are up to 69 legal documents directly related to personal data protection in Vietnam, all of them have not yet agreed on the concept and content of personal data and personal data protection. Only Decree No. 13/2023/ND-CP dated April 17, 2024 of the Government on personal data protection provides a definition of these two contents.

However, this is only a Decree document, not a Law document, so it needs to be implemented uniformly in practice. There needs to be a Law document as the "original law", with principles, contributing to continuing to institutionalize the provisions of the Constitution and laws on the right to protect personal privacy and human rights.

The development of the Law on Personal Data Protection aims to perfect the legal system on personal data protection in our country, create a legal corridor for personal data protection, improve the capacity to protect personal data for domestic organizations and individuals to reach international and regional levels; promote the legal use of personal data to serve socio-economic development.

The Draft Law on Personal Data Protection consists of 7 chapters and 69 articles; regulating the protection of personal data and the responsibility of relevant agencies, organizations and individuals to protect personal data with 7 main contents, specifically:

Unify terminology and develop some important concepts on personal data protection, such as: personal data; personal data protection; clarify the concepts and contents of basic personal data, sensitive personal data, non-personal data, de-identification of personal data; accurately and fully define personal data processing activities; the roles of parties in processing activities.

Develop 7 principles of personal data protection, including: legality, transparency, purposefulness, limitation, accuracy, security, limited storage time, and accountability.

Specifies the rights and obligations of data subjects.

Regulations on personal data protection conditions for organizations providing personal data processing services; services providing personal data protection organizations and personal data protection experts; personal data protection credit rating services; and services certifying eligibility for personal data protection capacity.

Requires an assessment of the impact of personal data processing and the transfer of personal data abroad as a legal commitment to personal data processing activities. To be consistent with the development of science and technology and current types of enterprises, the draft does not stipulate a form of pre-inspection (registration) but conducts a post-inspection (inspection, assessment) for the processing of personal data and the transfer of personal data across borders.

Complete regulations on basic personal data protection measures, sensitive personal data, conditions for ensuring personal data protection activities, specialized personal data protection agencies, and the National Personal Data Protection Information Portal.

Regulations on state management of personal data protection, responsibilities of relevant ministries and branches in the direction of the Government unifying the implementation of state management of personal data protection; the Ministry of Public Security is the focal agency responsible to the Government for implementing state management of personal data, except for the scope of the Ministry of National Defense; responsibilities of the personal data controller, data processor, data controller and processor, third party, relevant organizations and individuals.

Review and supplement prohibited acts

In its preliminary review of the draft Law, the National Assembly's Committee on National Defense, Security and Foreign Affairs said that personal data plays a particularly important role, is a strategic data source, and has a direct and comprehensive impact on a country's politics, economy, society, defense, security and foreign affairs. However, the protection of personal data has been lax in the past, allowing for the illegal collection, attack, appropriation and trading of personal data.

Chairman of the Committee on National Defense, Security and Foreign Affairs Le Tan Toi.

Although there are currently many legal documents related to personal data protection, the content is still scattered and inconsistent. Decree No. 13/2023/ND-CP dated April 17, 2024 of the Government on personal data protection has initially taken effect, but is a sub-law document, does not guarantee legal value, is not consistent with the provisions of the Constitution and is not strong enough to prevent and handle violations.

Therefore, the development of the Law on Personal Data Protection is extremely necessary, meeting the requirements of protecting personal data; preventing acts of personal data infringement; enhancing the responsibility of agencies, organizations and individuals; ensuring legal value for unified implementation.

Regarding prohibited acts (Article 7), Chairman of the Committee Le Tan Toi said that some opinions suggested reviewing and supplementing other prohibited acts to fully cover each group of activities and each type of subject protecting personal data. There were opinions suggesting supplementing prohibited acts related to 5 forms of buying and selling personal data as stated in the Government's Submission.

Regarding the protection of personal data in marketing and advertising services, the Standing Committee of the National Defense, Security and Foreign Affairs Committee basically agrees with this regulation. However, there are opinions that the regulation prohibiting the hiring of third parties is not feasible and not suitable for practice because the marketing and advertising industry depends on the digital ecosystem.

There are suggestions that a third party may be allowed to do so if confidentiality is ensured, there is a contract with clear responsibilities, and there must be transitional provisions similar to the provisions on Personal Data Protection Organizations and Personal Data Protection Experts in Article 68 of the draft Law.

In addition, the inspection agency also proposed to carefully review the regulations on personal data protection organizations (Article 39), personal data protection experts (Article 40), business services of personal data protection organizations, personal data protection experts (Article 41) to both ensure state management requirements and encourage creativity, liberate all productive forces, and open up all resources for development; thoroughly cut and simplify administrative procedures, investment conditions for production and business, reduce compliance costs, and create the most favorable conditions for people and businesses.