In today’s interconnected world, the collection, processing, and sharing of personal data have become increasingly prevalent. With the growing concern over data breaches and privacy infringements, governments around the globe are taking proactive measures to safeguard the rights of individuals and regulate the activities of organizations involved in data handling. In this regard, Vietnam has recently introduced a groundbreaking legal framework through the issuance of Decree 13/2023/ND-CP (”Decree 13”) in April 2023. This decree marks a significant milestone as the country’s first comprehensive legislation specifically tailored to address data privacy concerns.
In parallel, the General Data Protection Regulation (GDPR) in the European Union has set a global benchmark for data privacy regulations. GDPR emphasizes the importance of obtaining valid and informed consent from data subjects as a fundamental principle for lawful data processing. It provides a comprehensive framework for businesses to ensure transparency, fairness, and individual control over personal data.
In this article, we will explore the key provisions of Decree 13 and the GDPR regarding consent requirements. We will examine how these regulations place new challenges on businesses in obtaining and ensuring the validity of consent from data subjects. Furthermore, we will discuss the significance of these regulations in protecting individual privacy rights and fostering a culture of data privacy. By understanding the requirements and implications of these consent regulations, businesses can navigate the complexities of data privacy laws, build trust with their customers, and establish responsible data handling practices.
1. Decree 13/2023/ND-CP: Transforming Data Privacy Landscape in Vietnam
Before the introduction of comprehensive data privacy regulations, Vietnam had some provisions related to data protection scattered across various laws and regulations. These regulations primarily focused on sectors such as banking, finance, telecommunications, and e-commerce. However, they lacked a unified and cohesive framework to address the broader data privacy concerns arising from the pervasive use of technology and the internet.
In 2018, the country took a significant step by enacting the Law on Cyberinformation Security, which included provisions regarding the protection of personal information in cyberspace. Although it addressed certain aspects of data privacy, the law was primarily aimed at ensuring cybersecurity and did not cover the full spectrum of data protection concerns.
Subsequently, in April 2023, Vietnam issued Decree 13/2023/ND-CP, a groundbreaking legislation that introduced a comprehensive legal framework specifically dedicated to data privacy. With the issuance of Decree 13/2023/ND-CP, Vietnam joined the ranks of countries actively addressing data privacy concerns and aligning itself with global data protection standards. By establishing a comprehensive legal framework, Vietnam is taking proactive measures to ensure that personal data is handled securely and ethically, thereby fostering a conducive environment for digital innovation and sustainable growth.
2. Data subject’s consent under Decree 13
While the Law on Cyberinformation Security of 2015 (Law on Cyberinformation) briefly addressed consent in data processing, it provided a broad and ambiguous framework, lacking clarity and specificity. Under the Law on Cyberinformation Security, organizations and individuals processing personal information were required to obtain consent from data subjects regarding the purpose and scope of data collection and usage. However, the law lacked explicit guidelines on the form, content, and implications of consent, resulting in ambiguity and inadequate protection for data subjects. The Law on Cyberinformation Security leaves room for interpretation and raising questions regarding whether silence could be considered as consent.
Recognizing these limitations, Decree 13/2023/ND-CP emerged as a significant milestone by rectifying these gaps and providing explicit provisions on consent. In particular:
- The decree defines the necessary elements of valid consent, emphasizing the voluntary and informed nature of the consent given. Noteworthy enhancements include:
- Content of Consent: Decree 13 mandates that data subjects must be informed of the type of personal data being processed, the purpose of processing, the organizations or individuals involved in data processing, and the rights and obligations of data subjects.
- Form of Consent: The decree specifies that consent must be expressed clearly and explicitly, either in written form, oral form, through electronic means, or other demonstrable actions that signify consent.
- Silence is not Consent: Decree 13 explicitly states that silence or non-response cannot be considered as consent. This provision establishes a higher standard for consent, ensuring that individuals actively and consciously provide their consent.
- Sensitive Data Notification: Decree 13 also requires that data subjects be notified when processing involves sensitive personal data, ensuring individuals are aware that sensitive information is being processed.
- Burden of Proof: Decree 13 places the burden of proof on the Data Controller, emphasizing their responsibility to demonstrate that valid consent has been obtained. This provision enhances accountability and encourages organizations to implement robust consent management practices.
Vietnamese law defines persons 16 years old or younger to be minors. To process the personal data of a minor, an organization must obtain the consent of the minor’s parent or guardian.
Decree 13 also introduces for the first time the right to withdraw consent of the data subject. Decree 13 ensures that individuals have the right to exercise control over their personal data by withdrawing their consent. The withdrawal of consent is respected and does not invalidate the previous lawful processing of data. The decree also emphasizes the need for clear communication and notification to the data subject regarding the potential consequences of withdrawing consent. Once consent is withdrawn, all parties involved must immediately cease processing the data, ensuring compliance with the data subject’s decision. These measures promote transparency, accountability, and respect for individuals’ rights to determine how their personal data is used and processed.
3. In comparison to the “consent” under GDPR in EU
When comparing provisions on the “consent” under Decree 13 with those of the General Data Protection Regulation (GDPR) of EU, we can observe similarities in their emphasis on the form and requirements of consent. Both regulations aim to ensure that consent is obtained in a clear, specific, and unambiguous manner.
The GDPR states that consent should be given through a clear affirmative act that establishes a freely given, specific, informed, and unambiguous indication of agreement. It provides examples such as a written statement (including electronic means) or an oral statement. The GDPR also highlights that silence, pre-ticked boxes, or inactivity should not constitute valid consent. Similar to Decree 13, GDPR emphasizes that consent should cover all processing activities carried out for the same purpose or purposes.
On the other hand, Decree 13 states that consent must be expressed clearly and explicitly through various means, including written form, verbal agreement, checking a consent box, using specific messaging, selecting technical settings, or through other actions that signify consent. This includes the provision of consent via text message or other formats that can be printed, copied in writing, or electronically verified. While both regulations share the goal of ensuring that consent is clear, specific, and freely given, Decree 13 provides a more extensive list of explicit forms of consent, including specific references to technical settings and messaging.
The specific forms of consent mentioned in each regulation reflect their respective considerations and contexts. Ultimately, organizations must ensure compliance with the requirements outlined in the applicable data protection laws, considering the specific provisions of their jurisdiction.
4. Processing may occur without the data subject’s consent
Decree 13 provides several instances where data processing may occur without the data subject’s consent:
- In emergency cases, where processing is necessary to protect the life and health of the data subject or others. The Data Controller, Data Processor, Data Controller-cum-Processor, and third parties have the responsibility to substantiate such cases.
- Public disclosure of personal data as required by law.
- Processing of data by state authorities with jurisdiction in cases of urgent situations concerning national defense, national security, social order, major disasters, dangerous epidemics, or when there is a risk to security and defense, but it has not reached the level of declaring a state of emergency. This includes prevention and control of riots, terrorism, crime, and violations of the law as stipulated by law.
- To fulfill contractual obligations between the data subject and relevant agencies, organizations, or individuals as prescribed by law.
- Serving the activities of state agencies as defined by specialized laws.
In these cases, the regulations recognize the necessity of processing personal data without explicit consent to protect vital interests, uphold public interests, or fulfill legal obligations. These exceptions ensure a balance between privacy protection and legitimate interests or obligations that serve the well-being of individuals and society.
In this respect, GDPR provides more detailed provisions regarding the cases and conditions under which data can be processed without the data subject’s consent compared to Decree 13. Article 6 of the GDPR outlines the legal bases for processing personal data without requiring explicit consent. This includes processing that is necessary for the performance of a contract, compliance with a legal obligation, protection of vital interests, tasks carried out in the public interest or in the exercise of official authority, and legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the data subject’s rights and freedoms.
However, it is important to note that this comparison considers that the GDPR is a comprehensive regulation applicable to EU member states, while Decree 13 is specific to Vietnam. The differences in scope and objectives between the two texts may result in variations in approach and detailed provisions.
5. Ensuring Valid and Active Consent: Key Considerations for Businesses under Data Privacy Regulations
When seeking and obtaining the consent of data subjects in accordance with the provisions of Decree 13 (and, GDPR in some cases), businesses need to consider and implement the following to ensure that the consent of data subjects is effective:
- Transparency and Clarity: Businesses should provide comprehensive, understandable, and clear information about the processing of personal data to the data subjects. This includes the purpose, scope, and duration of the processing, the organization or individual processing the data, and the rights and obligations of the data subjects.
- Freely Given: Consent must be given voluntarily, without coercion or conditional terms. Businesses must not impose or deceive to obtain the consent of the data subjects.
- Specific and Informed: Businesses need to ensure that data subjects are fully informed about the types of personal data being processed, the purpose of the processing, the organization or individual processing the data, and the rights and obligations of the data subjects.
- Unambiguous: Consent should be clear and unambiguous, leaving no room for misunderstanding. Businesses should use clear methods such as in writing, verbally, ticking a box, or other actions to ensure that the data subjects understand and express their consent clearly.
- Not relying on Silence or Inactivity: Businesses should not rely on silence or inactivity to obtain consent. It is essential for businesses to ensure that data subjects take an affirmative action to indicate their consent, such as actively ticking a box, selecting an option, or providing a clear statement. This requirement emphasizes the importance of active and informed consent, where data subjects have the opportunity to exercise control over their personal data and make conscious choices regarding its processing.
- Retrievable: Consent of data subjects should be stored and retrievable. Businesses need to design procedures and systems to store and manage information about the consent of data subjects.
- Revocable: Businesses should ensure that data subjects have the right to easily withdraw their consent. Clear information and procedures should be provided to data subjects for withdrawing consent and ceasing the processing of their personal data.
The analysis above highlights the new and challenging requirements set forth by Decree 13 and the GDPR for businesses to obtain valid and effective consent from data subjects. These regulations emphasize the importance of transparency, clarity, and informed decision-making when it comes to processing personal data. They aim to empower individuals by giving them greater control over their data and ensuring that their privacy rights are respected.
However, achieving compliance with these consent requirements is an ongoing journey for businesses. It requires careful consideration of the specific provisions outlined in the respective regulations, as well as proactive measures to implement robust consent mechanisms that meet the required standards. Businesses must invest in developing transparent and user-friendly consent processes, educating individuals about their rights, and establishing mechanisms for consent withdrawal.
Furthermore, as technology and data practices continue to evolve, it is likely that further refinements and clarifications will be made to these regulations in the future. This highlights the need for ongoing monitoring, adaptation, and refinement of “consent practices” within organizations.
Ultimately, by prioritizing the principles of transparency, fairness, and individual autonomy, businesses can not only meet regulatory obligations but also build trust with their customers and foster a culture of data privacy. By navigating the complexities of consent requirements, businesses can forge a path towards responsible data handling and contribute to a more privacy-conscious digital ecosystem.
As businesses continue to adapt to the evolving data privacy landscape, maintaining a customer-centric approach and a commitment to ethical data practices will be instrumental in building long-term success and trust in the digital age.
Disclaimers:
This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.
For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.
Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Intellectual Property Rights. Please refer to our services Intellectual Property Rights and contact our team of lawyers in Vietnam via email info@apolatlegal.com.
