Opening the webinar, Mr. Bruno shared his insights on the value of a modern data protection regime and gave an overview of the Vietnamese framework, focusing on the Draft Personal Data Protection Decree (the Draft). He discussed how companies should adapt to it in the new world and the solace of technology. The current Draft is based on the General Data Protection Regulation (GDPR); however, it lacks the notion of Data Controller vs Processor. Mr. Bruno advised that a company should build a system from three layered perspectives (legal, organizational, and technical) to protect its data safely.
Prof. Graham Greenleaf introduced a broad picture of 148 countries with data privacy laws and over 20 countries with official Bills and revision Bills (up to October 2021). He discussed the convergence of the current global standard for data privacy. Globally, data privacy laws are converging on principles originating in EU instruments: the current global standard is 16/28 principles from the EU Data Protection Directive (DPD) and GDPR, and the standard outside Europe is 10.7/28. Asian laws converge (on average) on a selection of 13/28 principles originating in GDPR and DPD. Interestingly, Vietnam’s draft Decree consists of 5/18 GDPR principles and 8/10 DPD principles. He also indicated that Vietnam’s Draft Decree lacks convergence in 5 points:
- No independence or powers;
- Excessive registration of sensitive data processing;
- Restrictive approval of data exports;
- Excessive data localization;
- Too much discretion to set standards.
Later, Mr. Hai Nguyen shared a vibrant picture of Gojek's practice in creating robust data protection from a tech company's point of view. “Robust” data protection means protection that secures the data, complies with applicable data protection regulations and standards, and at the same time enhances business and innovation by facilitating the data flow. He also raised the issue of an online data leak revealing 17 GB worth of Vietnamese identity card information. The answer to this should be technical and legal solutions that combine both policies and human measures. According to Hai, in Vietnam there is a data protection standard in ISO 27001 in banks, but there is no specific regulation for the e-commerce sector and other internet-based services. To have healthy protection of data flow in Vietnam, people should share data with a secured and defined purpose, and with clear responsibility. The solution is to build legal tech (oneNDA) and flexible, umbrella privacy policies that are easy to read and understand. The current Draft does not fully facilitate data flow, for three practical reasons:
- The cross-border transfer clause is potentially a blocker;
- The current Draft is also inconsistent with other regulations such as the Draft Decree amending Decree 47 on Postal Services and Decree 85 on E-commerce (i.e. the requirement to obtain MPS’s approval for e-commerce platforms);
- Increased requirement to consult and obtain MPS’s approvals.
The webinar received many questions related to current data protection issues. Mr. Bruno Sivanandan, Chairman of the EuroCham Digital Committee, closed the webinar with a note of thanks to all guest speakers and attendees. EuroCham will frequently update our members on changes in the Vietnamese framework, focusing on the Draft Personal Data Protection Decree (the Draft).