In September 2024, the Ministry of Public Security released the first draft of the Law on Personal Data Protection (“Draft LPDP”) for public consultation. The Draft LPDP is expected to be submitted to the National Assembly for adoption in 2025, with a tentative effective date of January 1, 2026.
The Draft LPDP incorporates most provisions from Decree 13/2023/ND-CP on Personal Data Protection (“Decree 13”), which has served as Vietnam’s primary legal framework for personal data protection since July 1, 2023. Once enacted, the Draft LPDP is expected to supersede Decree 13. It will also introduce significant new requirements, particularly regarding the personnel responsible for ensuring that an organization complies with data protection laws and regulations.
Mainstream personal data regulations such as the European Union’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA) in the USA provide for a Data Protection Officer (DPO). The Draft LPDP, by contrast, creates Personal Data Protection Organizations (PDP Organization) and Personal Data Protection Experts (PDP Expert) and makes them responsible for personal data protection.
New Requirements for PDP Organizations and PDP Experts
Under Decree 13, businesses that process sensitive personal data are only required to appoint a data protection department and designate personnel responsible for personal data protection. No specific qualifications or regulatory framework exist for these personnel.
In contrast, the Draft LPDP mandates the appointment of a PDP Organization and a PDP Expert in order to process both basic and sensitive personal data, with a limited exemption for micro and small enterprises during their first two years of operation (unless they are directly engaged in personal data processing).
The Draft LPDP introduces formal definitions for these roles:
- PDP Organization: An organization responsible for data protection within an entity. It may be an internal department or an external service provider.
- PDP Expert: An individual with recognized expertise in technology and/or law as related to personal data protection. The PDP Expert must hold relevant certifications, and these certifications must be specified in various impact assessments required under the Draft LPDP.
A PDP Organization must have at least one certified PDP Expert. Businesses seeking to offer PDP Organization services or PDP Expert services (“PDP Service Providers”) must meet the following conditions:
- Have appropriate business lines suitable to a PDP Service Provider;
- Employ at least one PDP Expert certified in both technology and law as related to personal data protection, or employ separate PDP Experts with expertise in each field;
- Receive a minimum rating of “Passed” from a qualified privacy rating organization.
Emerging Compliance Challenges and Uncertainties
The Draft LPDP introduces two new regulatory services:
- PDP Expert Certification Services, and
- Privacy Rating Services.
However, the Draft LPDP provides neither specific criteria for PDP Expert certification nor rating standards for privacy rating services. These details are expected to be set out in subsequent decrees.
Vietnam’s Draft LPDP imposes stricter requirements than the EU’s GDPR. While the GDPR mandates the appointment of a DPO only in specific cases, the Draft LPDP requires all entities processing personal data to designate both a PDP Organization and a PDP Expert. Additionally, unlike the GDPR’s voluntary privacy rating mechanism, the Draft LPDP specifies mandatory privacy rating requirements.
Under the GDPR, a DPO is granted limited protection against dismissal or penalties related solely to their DPO duties and is not personally liable for the company’s non-compliance. The Draft LPDP lacks similar protections, raising questions about the liability of PDP Organizations and PDP Experts. In the absence of such provisions, it can be inferred that these entities are not shielded if they fail to fulfill their statutory duties or if they act negligently. Furthermore, if a PDP Organization or PDP Expert fails to perform their role, resulting in a breach of data protection regulations, they may face disciplinary action under their employment contract or be held liable for damages due to breach of contract and/or negligence, particularly in the case of an external PDP Organization or PDP Expert.
While these regulations may create new opportunities for legal and technology professionals, they also increase compliance costs and operational burdens for businesses, particularly those handling large volumes of personal data. This reflects a common legislative approach in Vietnam, where a “law” often contains broad provisions in general language that are later refined through decrees and circulars. In the meantime, the broad language creates ambiguity in the law, and the government often finds that such ambiguity gives it broader scope for enforcement.
Recommendations for Businesses
Given the potential impact of the Draft LPDP, businesses should take proactive steps to assess compliance risks and engage in the public consultation process to help shape the final law into a commercially attractive and workable piece of legislation. As Vietnam continues to refine its personal data protection framework, businesses must stay informed and prepare for evolving compliance obligations.
As a market leader in data protection, privacy, and information security regulations, Russin & Vecchi is able to support businesses as they seek to comply with and navigate these regulatory changes.