In business, enterprises often access personal data of their customers and employees. Accidentally or intentionally, they sometimes prioritize business strategy optimization over the responsibility of privacy protection. There are many negative consequences arising from such an action against society and enterprises themselves.

However, in the forthcoming time, enterprises should be more cautious about collection, disclosure, and transfer of personal data. From the beginning of February 2021, the Ministry of Public Security has been collecting public opinions within 60 days prior to submission to the Government for approval on the draft Decree on personal data protection. There are many notable proposals relating to corporate responsibility in the draft Decree.

Disclosure of personal data and measures of data protection

The draft proposes to classify personal data into (1) basic data (full name, date of birth, phone number, identification documents, etc.) and (2) sensitive data (health, sex orientation, credit cards, etc.). The protection level for sensitive data is higher than that for basic data. For example, generally companies are only allowed to disclose personal data of an individual to a third party with such individual’s prior consent. However, regarding sensitive data, companies are completely not allowed to disclose, and additionally required to register with the State before processing such type of data.

Nonetheless, there are some exceptions to disclose data without individual’s prior consent: (1) in accordance with the laws; (2) legally published on press without prejudice to personal rights and benefits; (3) for the sake of national security and interests, social order and safety, social ethics, public health; (4) in emergency cases according to the law, threats to the life or with serious impacts on the health of individual and public. It should be noted that pure business purpose is not subject to this list.

The draft also proposes enterprises to perform many measures to protect data, for example: (1) establishment of technical measures (de-identification, information encryption, storage, extraction, etc. to prevent data from being stolen); (2) issuance of regulations and setting-up of department, recruitment of specialists in data protection and settlement of complaints/claims. Therefore, in the short term, many companies may need to train employees and upgrade technology in order to implement these measures.

Cross-border transfer of personal data regulated for the first time!

Nowadays, the fear of losing “data sovereignty” makes many countries tighten the management of cross-border data transfer. With the similar inspiration, the draft proposes 04 new conditions that enterprises must satisfy for transferring personal data across Vietnamese border: (i) enterprises must obtain individual’s consent; (ii) enterprises must archive original data in Vietnam; (iii) the receiving country must protect the data with equal or higher level than Vietnam; and (iv) the Government approves.

As such, enterprises will need to obtain approval from the “Committee of Personal Data Protection”, an agency scheduled to be established under the Government, before transferring data. The reasonableness and feasibility of this regime to precheck is questionable. However, it will not be difficult to be aware of the procedure and responsibility burden on the companies’ shoulders if this proposal is passed by the Government.

Severe punishment for enterprises’ violation

The draft proposes to impose monetary fines as well as suspension of data processing, deprivation of sensitive data use right and of data cross-border transfer for enterprises’ violation. Depending on the nature and level of the violation, the fines range from 50 million to 100 million or up to 5% of total revenue.

The Decree on personal data protection is expected to be approved and come into effect from 1st December 2021.