New Report on Limits of “Consent” in Vietnam’s Data Protection Law

FILTER
August 3, 2022
Dominic Paulger
Deputy Director for Asia-Pacific and China
About Dominic
Blogs by Dominic

Today, the Future of Privacy Forum (FPF) and the Asian Business Law Institute (ABLI), as part of their ongoing joint research project: “From Consent-Centric Data Protection Frameworks to Responsible Data Practices and Privacy Accountability in Asia Pacific,” are publishing the ninth in a series of detailed jurisdiction reports on the status of “consent” and alternatives to consent as lawful bases for processing personal data in Asia Pacific (APAC).

This report provides a detailed overview of relevant laws and regulations in Vietnam, including:

  • notice and consent requirements for processing personal data;
  • the status of alternative legal bases for processing personal data which permit processing of personal data without consent if the data controller undertakes a risk impact assessment (e.g., legitimate interests); and
  • statutory bases for processing personal data without consent and exceptions or derogations from consent requirements in laws and regulations.

The findings of this report and others in the series will inform a forthcoming comparative review paper which will make detailed recommendations for legal convergence in APAC.

Vietnam’s Evolving Data Protection Landscape

Vietnam currently does not have a comprehensive law on protection of personal data, and instead, Vietnam’s personal data framework is made up of a patchwork of different legal instruments. 

At the fundamental level, Vietnam’s Constitution provides for an inviolable right to privacy and legal protection of information regarding personal privacy and personal and familial secrecy. 

The Civil Code gives expression to these rights in a limited manner by, among others, requiring an individual’s consent for collection, use, retention, or publication of information about that individual’s private life.

These are complemented by a number of sector specific laws and regulations which provide for protection of personal data in a number of specific contexts, including cyberspace, healthcare, commerce, banking, and finance.

However, it is expected that Vietnam will enact a comprehensive data protection law in the coming months. In February 2021, Vietnam’s Ministry of Public Security (MPS) initiated consultation on a draft legislation, releasing a draft Decree on Personal Data Protection (Draft PDP Decree) for public comment. 

This Draft PDP Decree sought to introduce several major additions to Vietnam’s personal data protection framework, including:

  • establishment of a Personal Data Protection Committee within MPS that would be responsible for, among others, enforcing the PDP Decree; 
  • a framework for cross-border data transfers; 
  • a unified set of overarching principles (including data minimization and purpose limitation) that would govern the collection, use, and disclosure of personal data; and
  • a number of data subject rights, including rights to be notified of and object to processing of one’s personal data and to access and correct personal data about oneself; and
  • a set of general obligations that would apply to all entities that process personal data.

It is understood that in the year and a half since this public consultation, MPS has been further developing a revised draft of the legislation internally. However, to date, this revised draft has not been released publicly. While the report and this blog post refer to the February 2021 version of the Draft PDP, note that this draft legislation has not yet been enacted, and its provisions remain subject to change.

Consent in Vietnam’s Existing Data Protection Framework

Under Vietnam’s existing data protection framework, consent is generally the default basis for processing individuals’ personal information or information about an individual’s private life, unless an applicable legal instrument provides an exception to consent. 

Vietnamese law also imposes confidentiality requirements on certain providers of regulated services – such as medical professionals, credit institutions, and banks – and generally requires these service providers to obtain consent from users of their services before disclosing users’ personal information to third parties, subject to narrow exceptions, such as requests from state authorities or necessity for medical care.

Generally, under Vietnamese law, consent for processing of personal information must be freely given. Prevailing laws generally require entities that handle personal data to inform the data subject of the scope and purpose for collection and use of the data subject’s personal information before obtaining the data subject’s consent. Vietnamese law does not generally require consent for processing of personal information to be given in any specific form. However, more stringent requirements apply in the contexts of e-commerce and advertising/marketing communications. 

Consent in the Draft PDP Decree (Not Yet Enacted)

Consent plays a prominent role in the Draft PDP Decree: it is one of several legal bases for processing personal data (including sensitive personal data) and is one of several requirements for transferring personal data out of Vietnam.

Under the Draft PDP Decree, consent must be affirmative, voluntary, informed, and recorded in a written form. 

If an entity seeks to rely on consent to process a data subject’s personal data, the entity must inform the data subject of the type of data to be processed, the purpose for processing, any third parties with whom the data may be shared and the conditions sharing the data, the data subject’s legal rights regarding processing of the personal data, and whether the personal data to be processed is sensitive personal data. 

Interestingly, the Draft PDP Decree recognizes a form of deemed consent in the narrow context of audio or video recording by competent state agencies. By default, the collecting agency must notify data subjects of the recording in a way that data subjects understand unless recording is for the purposes of national defense, security, social order and safety, social ethics, or the health of the community.

The Draft PDP Decree also permit processing of personal data without consent where the processing is:

  • pursuant to other applicable provisions of law; 
  • in the interests of national security, social order, and safety; 
  • required by law in emergency events that threaten life or seriously affect the health of the data subject or the public health; 
  • in support of investigation and handling of regulatory violations; 
  • in compliance with specific provisions of international agreements or treaties to which Vietnam is a signatory; or
  • of de-identified personal data for research or statistics purposes, in compliance with certain other requirements in the Draft PDP Decree.

Additionally, the Draft PDP Decree permits disclosure of personal data without consent where the disclosure is in the media:

  • for the purposes of national defense and security, social order and safety, social ethics, and community health; or
  • according to the provisions of the Press Law in a manner that does not cause economic, reputational, psychological, or material damage to the data subject.
Read the Full Report

Read the previous reports in the series here.

Published: Last Updated: August 3, 2022
Tags:

Explore

Issues

authors

dates

Posts by Dominic

global,network,connection.,world,map,point,and,line,composition,concept
Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond
Read More
global,network,connection.,world,map,point,and,line,composition,concept
Regulatory Strategies of Data Protection Authorities in the Asia-Pacific Region: 2024, and Beyond
Read More
fpf apac gena 1080x1080
New Report Examines Generative AI Governance Frameworks Across the Asia-Pacific Region
Read More
View More