Creating a legal framework for the protection of personal data.

Continuing the agenda of the 43rd Session, on the afternoon of March 11th, the Standing Committee of the National Assembly gave its opinion on the draft Law on Personal Data Protection.

7 principles for protecting personal data

The Government 's report clearly states that, although there are 69 legal documents directly related to personal data protection in Vietnam, none of them are consistent in defining and defining personal data and personal data protection. Only Government Decree No. 13/2023/ND-CP dated April 17, 2024, on personal data protection provides definitions for these two aspects.

However, this is only a Decree, not a Law, so it needs to be implemented consistently in practice. A Law is needed as the "fundamental law," a principled document that contributes to further institutionalizing the provisions of the Constitution and laws on the right to protect personal privacy and human rights.

The purpose of drafting the Law on Personal Data Protection is to perfect the legal system for personal data protection in our country, create a legal framework for personal data protection, enhance the capacity of domestic organizations and individuals to protect personal data to reach international and regional standards, and promote the lawful use of personal data to serve socio -economic development.

The draft Law on Personal Data Protection consists of 7 chapters and 69 articles; it regulates the protection of personal data and the responsibilities of relevant agencies, organizations, and individuals in protecting personal data, with 7 main contents, specifically:

To standardize terminology and establish several key concepts regarding personal data protection, such as: personal data; personal data protection; clarifying the concept and meaning of basic personal data, sensitive personal data, non-personal data, and personal data deidentification; accurately and comprehensively defining personal data processing activities; and the roles of parties involved in processing activities.

Seven principles for protecting personal data have been established, including: legality, transparency, proper use, limitation, accuracy, security, retention limits, and accountability.

Regulations defining the rights and obligations of data subjects.

Regulations on the conditions for protecting personal data for organizations providing personal data processing services; services providing personal data protection organizations and personal data protection experts; personal data protection credit rating services; and personal data protection competency certification services.

The draft requires an assessment of the impact of processing and transferring personal data abroad as a legally binding commitment regarding personal data processing activities. To align with the advancements in science and technology and the current types of businesses, the draft does not stipulate pre-approval (registration) but instead implements post-approval (inspection and evaluation) of personal data processing and cross-border data transfer.

完善 regulations on basic personal data protection measures, sensitive personal data, conditions for ensuring personal data protection activities, specialized agencies for personal data protection, and the National Portal on Personal Data Protection.

Regulations on state management of personal data protection, responsibilities of relevant ministries and agencies, are oriented towards the Government's unified implementation of state management of personal data protection; the Ministry of Public Security is the focal agency responsible to the Government for state management of personal data, excluding the scope of the Ministry of National Defense; responsibilities of the data controller, data processor, data controller and processor, third parties, organizations, and individuals involved.

Review and supplement the list of prohibited acts.

In its preliminary review of the draft law, the National Assembly's Committee on National Defense, Security, and Foreign Affairs stated that personal data plays a particularly important role, serving as a strategic data source that directly and comprehensively impacts a nation's politics, economy, society, national defense, security, and foreign affairs. However, the protection of personal data has been lax in recent times, allowing for the illegal collection, attack, appropriation, and sale of personal data.

Chairman of the Committee on National Defense, Security and Foreign Affairs, Le Tan Toi.

Although there are currently many legal documents related to personal data protection, their content is fragmented and inconsistent. Government Decree No. 13/2023/ND-CP dated April 17, 2024, on the protection of personal data has initially shown some effectiveness, but as a sub-legal document, it lacks legal validity, is not consistent with the provisions of the Constitution, and is not strong enough to prevent and handle violations.

Therefore, the development of a draft Law on Personal Data Protection is absolutely necessary to meet the requirements of protecting personal data; preventing acts of personal data infringement; enhancing the responsibility of agencies, organizations, and individuals; and ensuring legal validity for consistent implementation.

Regarding prohibited acts (Article 7), Committee Chairman Le Tan Toi stated that some opinions suggested reviewing and supplementing other prohibited acts to ensure completeness according to each group of activities and each type of entity protecting personal data. Some opinions suggested adding prohibited acts related to the five forms of buying and selling personal data as mentioned in the Government's submission.

Regarding the protection of personal data in marketing and advertising services, the Standing Committee of the National Defense, Security and Foreign Affairs Committee generally agreed with this regulation. However, some argued that the regulation prohibiting the hiring of third parties is impractical and inconsistent with reality, as the marketing and advertising industry depends on the digital ecosystem.

Some have suggested that third parties could be allowed to perform this task if security is ensured, there is a binding contract clearly outlining responsibilities, and there is a transitional clause similar to the provisions on Personal Data Protection Organizations and Personal Data Protection Experts in Article 68 of the draft Law.

In addition, the reviewing agency also proposed a thorough review of regulations on the organization of personal data protection (Article 39), personal data protection experts (Article 40), and the business of providing personal data protection services and personal data protection experts (Article 41) to ensure both effective state management and encouragement of innovation, unleashing full productive capacity, and unlocking all resources for development; drastically reducing and simplifying administrative procedures and conditions for investment, production, and business, reducing compliance costs, and creating the most favorable conditions for citizens and businesses.