Conditions for consent under Decree 13 on personal data protection
Decree 13/2023/ND-CP on personal data protection (“Decree 13”) has strongly attracted the public’s attention since its official announcement. Decree 13 took effect on 1 July 2023. It is the first comprehensive set of rules on personal data protection in Vietnam and demonstrates the country’s determined effort to reach international legal standards.

Rapid technological development and globalization have brought new challenges for the protection of personal data. The personal information of natural persons has increasingly become available publicly and globally. The demands of economic and social integration have prompted the cross-border transfer of personal data. These developments call for a coherent framework on personal data protection that governs the collection, use, processing and transfer of personal data while safeguarding the fundamental rights of natural persons with regard to their own personal data.

In this context, many countries and regions have established legal frameworks for the protection of personal data. Decree 13/2023/ND-CP on personal data protection (“Decree 13”) has therefore strongly attracted the public’s attention since its official announcement. Decree 13 took effect on 1 July 2023. It is the first comprehensive set of rules on personal data protection in Vietnam and demonstrates the country’s determined effort to reach international legal standards.

Briefly, Decree 13 applies to any domestic or foreign entity or individual that is involved in or related to the processing of personal data, whether in or outside Vietnam. The Decree lays down rules on the protection of data subjects with regard to the processing and movement of their personal data. To some extent, the provisions of Decree 13 are fairly similar to those of the EU General Data Protection Regulation (“GDPR”), one of the world’s best-established legal frameworks on personal data protection.

Both legal frameworks set out the principle that personal data must be processed lawfully and in a transparent manner[1]. Accordingly, they require the data controller/data processor to obtain the consent of the data subject before processing his/her personal data or whenever there is a change in the data processing[2]. This requirement ensures that personal data is processed only for specified, explicit and legitimate purposes of which the data subject is fully aware and to which he/she has agreed.

Compared to GDPR, the conditions for the formation of consent under Decree 13 show little difference. Consent must be given by a clear affirmative act, such as a written statement in electronic or verifiable form, or an oral statement. This could include ticking a box, choosing technical settings, or another statement or conduct which clearly indicates the data subject’s acceptance of the proposed processing of personal data[3]. Silence, pre-ticked boxes or inactivity do not constitute valid consent[4]. Although Decree 13 thus allows various methods of obtaining consent, it also requires that the consent be presented in a format which is printable or copiable in writing. These rules appear contradictory and imply a preference for written consent, since the data controller/data processor must prove the existence of consent in a dispute.

Both Decree 13 and GDPR provide that if processing has multiple purposes, consent should be given for all of them[5]. In other words, every use of personal data must be explained and listed for the separate approval of the data subject. Consent under GDPR also covers circumstances in which various processing activities are carried out for the same purpose, whereas Decree 13 gives no clear indication of such a requirement[6]. Under Decree 13, the data subject’s consent to the processing methods is not a strict obligation; instead, the data controller/data processor may unilaterally notify the data subject of the processing activities[7]. Consequently, Decree 13 may place a substantial burden on the data controller/data processor, who must deliver a notification to the data subject in addition to obtaining consent for data processing, while lowering the degree to which the data subject can exercise his/her rights.

One of the fundamental conditions for consent is that it be freely given. Under GDPR, consent is presumed not to be freely given if (i) there is a clear imbalance between the data subject and the controller; or (ii) it does not allow separate consent to be given to different personal data processing operations despite this being appropriate in the individual case; or (iii) the performance of a contract, including the provision of a service, is made dependent on the consent despite such consent not being necessary for that performance[8]. Decree 13, however, is silent on the legal grounds for assessing whether consent is voluntarily given. In that case, the “voluntary” element should be determined by reference to its interpretation under the Civil Code. The meaning of “voluntary” under the Civil Code is rather broad and abstract, taking into consideration the relation between the parties’ will and the reflection of that will in an agreement[9]. In a dispute, the data subject would normally appear to be vulnerable to such unspecified and vague wording.

Consent to the processing of personal data should not be treated as a perpetual contract, since the data subject has the right to withdraw consent at any time[10]. Both GDPR and Decree 13 clearly state that such a withdrawal does not affect the legal validity of processing previously consented to. In contrast to the silence of Decree 13, GDPR specifies that the data subject must be informed of the right to withdraw consent before giving it[11]. This allows the data subject to be clearly aware of his/her legal rights regarding personal data processed by the other party.

Remarkably, Decree 13, like GDPR, treats consent as just one of the legal bases on which businesses may rely to comply with personal data protection regulations when processing personal data. The processing of personal data can also be justified on other legal bases, including (i) in emergency cases, where processing is necessary to save someone’s life; (ii) where disclosure of personal data is required as a legal obligation; (iii) where processing is carried out by governmental authorities to perform tasks in the public interest; (iv) where processing is necessary to fulfill a contractual obligation to which the data subject is a party; and (v) where processing is necessary for the operations of governmental authorities in accordance with law[12]. Compared to the interpretation under GDPR, the wording of Decree 13 is quite debatable with respect to ground (iv). The data controller/data processor is therefore advised to ensure that the contractual obligation is separate from the data processing itself and that the processing is necessary for the performance of the contract. This conservative approach should prevent the data controller/data processor from breaching its obligations under Decree 13, as the burden of proving compliance falls on them.

The impact of Decree 13 can be observed most closely in companies and institutions that process large volumes of personal data. The banking sector in particular perhaps faces the greatest struggle, given its huge customer base of both individuals and corporations. Before Decree 13 took effect, several banks already maintained privacy policies following GDPR or the privacy laws of other countries, under which consent for processing personal data might be omitted or might vary. The enactment of Decree 13 has urged all banks to promptly review their internal procedures and draft consents and notices for delivery to their customers within a very short period of time. Recently, privacy notices announcing the banks’ processing of personal data in accordance with Decree 13 and their intention to seek consent from customers can easily be found on banks’ websites.

In practice, companies may encounter difficulties in obtaining consent, normally arising from gaps between the parties’ privacy policies, which can take considerable time and effort to reconcile. Moreover, Decree 13 provides no exemption for consents obtained before its effective date. It is therefore prudent for companies to update their consents in line with the new requirements of Decree 13 to mitigate unnecessary risk, particularly where data processing is ongoing.

In general, as Decree 13 is the very first legal document on personal data protection in Vietnamese law, it focuses mainly on the obligations of the data processor/data controller regarding consent. GDPR, by contrast, has developed a more comprehensive approach that not only regulates the obligations of the data controller/data processor but also ensures that the data subject’s entitlements are well recognized and protected. This is reflected in GDPR’s repeated requirement that consent be as easy to access, understand and withdraw as it is to give, and in the inclusion of all of the data subject’s rights in the content of the consent.

To sum up, the consent requirements of Decree 13 are relatively easy to understand but probably hard to implement. Companies may find it difficult to reconcile their business needs with the demands of Decree 13 compliance. They may also face tough problems in obtaining consent from customers, whether individuals or corporations with different legal backgrounds, and in drafting unambiguous and specific consent. Despite these challenges, the implementation of Decree 13 is definitely an opportunity for businesses to improve their privacy policies, for natural persons to have their rights recognized and protected, and for Vietnam’s legal regime to integrate globally. (Do Ngoc Huyen)


[1] Article 3, Decree 13 and Article 5, GDPR

[2] Article 11, Decree 13 and Article 7, GDPR

[3] Article 11, Decree 13 and Recital 32, GDPR

[4] Article 11, Decree 13 and Recital 32, GDPR

[5] Article 11, Decree 13 and Recital 32, GDPR

[6] Recital 32, GDPR

[7] Article 13, Decree 13

[8] Article 7 and Recital 43, GDPR

[9] Article 3, Civil Code 2015

[10] Article 12, Decree 13 and Article 7, GDPR

[11] Article 7, GDPR

[12] Article 6, GDPR and Article 17, Decree 13
