Vietnam's Personal Data Protection Law Set to Come into Force in 2023

Vietnam is set to join the global trend towards more stringent data protection regulations with its forthcoming law on personal data protection. The law, which is heavily influenced by the EU's General Data Protection Regulation (GDPR), will include new cookie consent requirements that businesses operating in Vietnam will need to adhere to.

While the specifics of these requirements are not yet defined, Vietnam's government has provided some guidance on what they could look like. According to Resolution 13/NQ-CP, passed by the Vietnamese government, businesses may process personal data without prior consent in specific situations, which include:

• Emergencies involving the protection of life and health,
• Legal requirements for disclosure of personal data,
• Processing of data by state agencies for public interests such as national defense and security,
• Execution of a contract, and,
• Serving activities of state agencies specified by sector-specific laws.

Vietnam's proposed cookie requirements bear a strong resemblance to those set out in the GDPR, which allows for six lawful bases for data processing, including consent and legitimate interests. However, it remains to be seen whether Vietnam's new data protection legislation will adopt a similar approach.

The new law on personal data protection is expected to be passed in 2023, providing companies with a grace period to adapt to the new requirements. Once the law is in place, companies that target Vietnamese residents will need to ensure that their data processing practices are compliant. Penalties for non-compliance have not yet been announced, but if Vietnam follows the GDPR's example, businesses could face significant fines for failing to comply with the new regulations.