EU’s General Data Protection Regulation and Vietnam's Draft Decree On Personal Data Protection: At Interplay or At Cross-currents?
18 March 2022
On 25 May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) became enforceable, which was touted to be the “toughest privacy and security law in the world” and is considered as the benchmark for personal data protection regulation all over the world imposing data protection obligations on organisations (regardless of location, whether in the EU or outside the EU), so long as they collect data or target data relating to data subjects in the EU (regardless of citizenship).
The GDPR arguably led the transition for more jurisdictions to take a more robust approach on data protection. Vietnam is one such jurisdiction. With Vietnam’s increasingly developing infrastructure and legal framework for technological advancements in various aspects of daily life – e.g. online banking, fin tech-led processing of online payments, tele-medicine and virtual working – there is the concomitant necessary regulation for the right to personal data protection for individuals as well. The Vietnamese Government has issued the second version of the draft decree on data personal protection (Draft Decree) and, with amendments or feedback from the relevant State agencies, is expected to take effect soon.
The GDPR’s extraterritorial scope could mean it could be applicable toward organisations located in Vietnam. If an organisation in Vietnam collects data of data subjects in the EU, whether in its capacity as data processor or data controller, the GDPR provisions could be engaged and made applicable on that organisation. The Draft Decree, on the other hand, is to be made applicable to personal data of individuals in Vietnam, without specification of citizenship requirements, save for the cross-border transfer of data. There is thus a possibility by which both the GDPR and the Draft Decree could be triggered in the processing of data with a Vietnam component. In this article, we highlight the major differences between the GDPR and the Draft Decree that could potentially have an impact on organisations processing data with a Vietnam component. It is not clear yet at this stage which provisions would prevail in the event of conflicting provisions or how the conflicting provisions could be reconciled.