On March 1, 2024, the Ministry of Public Security (MPS) requested public comments on two draft reports on the development of a Law on Personal Data Protection. The MPS highlighted one draft report assessing the current state of social relations related to personal data protection, and a second draft report assessing the impact of policies in the proposal to develop a Law on Personal Data Protection.

What are the contents of the first report?

Notably, the first report highlights the poor awareness of personal data protection responsibilities in Vietnam, both under domestic legislation such as the Constitution of Vietnam and Decree No. 13/2023/ND-CP on the Protection of Personal Data (the PDPD), and legislation such as the General Data Protection Regulation (GDPR). Accordingly, the first report considers the risks, including cybersecurity risks, stemming from poor awareness of data protection, cybersecurity, and information security.

Likewise, the first report recognizes that there is no single agency responsible for data protection and the setting of minimum requirements to ensure compliance. The MPS, Ministry of Information and Communications (MIC), and Ministry of National Defense are all tasked with providing security services dependent on the incident itself.

The first report specifically considers data challenges stemming from a lack of awareness relating to personal data protection and cybersecurity responsibilities for controllers, processors, and third parties.

What are the contents of the second report?

The second report outlines the current legal landscape of personal data protection, including provisions under the Constitution of Vietnam and the PDPD. However, the second report clarifies that a Law on Personal Data Protection is required for full legal coverage of privacy.

Specifically, the second report outlines that a Law on Personal Data Protection is required to:

• protect data subject rights;
• define the responsibilities for processing personal data and protecting personal data;
• outline contact points to serve the State management of personal data protection; and
• determine the responsibilities of organizations, businesses, and individuals when violations of personal data protection provisions are apparent.

The second report also details that a Law on Personal Data Protection is required to develop:

• principles on personal data protection;
• regulations relating to consent and circumstances where consent is not required;
• regulations assessing the impact of processing personal data and the transfer of personal data abroad;
• measures to protect personal data and conditions to ensure this; and
• specialized agencies for personal data protection and the National Information Portal on data protection.

Centrally, the second report stipulates that the PDPD is only a Decree, and so a Law on Personal Data Protection is required for uniform implementation of provisions on data protection and to mitigate contradictions elsewhere in the law.

Public comments can be submitted here until April 1, 2024.

You can read the press release here, download the first report here, and download the second report here, all only available in Vietnamese.