Decree 13 on Personal Data Protection, additional tool to strengthen legal framework governing cyber

(VOVWORLD) - The Government Decree on Personal Data Protection, known as Decree 13, took effect at the beginning of this month. After the 2018 Law on Cybersecurity and Decree 53, Decree 13 is the third legal document to strengthen the governing of cyberspace. It provides more detailed data protection and cybersecurity obligations with respect to personal data processing activities. In this week’s Q&A, Hoang Viet Tien, Deputy General Secretary of the Vietnam Digital Communications Association (VDCA), will give an insight into the newly-promulgated Decree.

Hoang Viet Tien, Deputy General Secretary and Chief of Office of Vietnam Digital Communications Association (VDCA)
Bao Tram: Thank you, Mr. Tien, for joining us on VOV24/7. First of all, tell us what Decree 13 is about.

Viet Tien: In fact, Decree 13 sets out many data subjects and data handlers who have the right to process data. Essentially, there are 8 principles with which businesses in personal data processing must comply and 11 rights of data subjects.

Bao Tram: Among the 11 rights of the data subjects, which rights should enterprises pay special attention to?

Viet Tien: Among these rights, enterprises should pay special attention to the right to restrict data processing, and the right to object to data processing, as compliance in these areas is subject to a 72-hour rule. Restriction of data processing must be carried out within 72 hours after the request of the data subject, for all personal data that the data subject requests be restricted, unless otherwise provided by law. It means all the personal data can only be used on one app, a banking app for example, and the bank is not allowed to sell the data to others.

Bao Tram: Decree 13 is said to provide more detailed data protection and cybersecurity obligations. What are some of these protections and obligations?

Viet Tien: Decree 13 revolves around processing, updating information, editing data, deleting data, and protecting data, but in fact, none of those things are new. The key point here is that this decree refines the data processing process and makes the implementation better. There are a lot of recommendations in the Decree and we’re waiting for state policy management agencies to promulgate circulars giving guidance to personal data processors. Take personal data deletion when the data subject requests it, for example. The personal data collected by a business to build customer profiles for the prediction of preferences, needs, and behaviors is called derivative personal data after analysis. In fact, building such profiles helps businesses improve their operations. A bank, for example, can use the data of your monthly salary to analyze your hobbies and suggest better insurance packages or credit packages for you. In that case, the personal data is used to improve service to the customer. But if the customer requests that his or her derivative personal data be deleted, should the personal data be comprehensively deleted under Decree 13 or not? Deletion of derivative personal data or new personal data created from the original data has not yet been specified in Decree 13. This is one of numerous suggestions/recommendations made by VDCA members.

Bao Tram: There isn’t much time between promulgating the Decree and the Decree taking force. What should data subjects and data handlers do to ensure compliance with the new Decree?

Viet Tien: To answer your question, I want to take Windows products as an example. We already have Win 98, Win 2000, Win XP, and more to come in the future. The mission of Microsoft is to launch products to the market, and the market will decide whether or not they are suitable. The customers will give feedback and suggestions for the products. It's the same as what we're doing today. State functional agencies are in charge of promulgating Decree 13 and putting it into operation. Through professional associations, seminars and discussions will be organized to disseminate the Decree and get feedback. Today’s talk is for the same purpose of helping state policy management agencies improve the Decree. What businesses need to do immediately is honor their obligations in personal data protection by, for example, using encryption and de-identification techniques to justify that the data is used out of necessity or upon emergency request.

Bao Tram: While waiting for another document to guide the implementation, what should businesses do to comply with Decree 13?

Viet Tien: The simplest thing businesses can do is add some functions on their existing applications to bind the relationships between the data subject, the controller of the personal data, and the party processing the personal data. I’ve seen a number of businesses that have taken actions in applying Decree 13. For instance, when you access an app, such as buying movie tickets, there is a pop-up notice asking whether or not you agree for them to process your personal data. If the data subject consents, they will have the right to use the data. In my opinion, in the end it’s the data subject who must understand that they must protect themselves first. Then come state policy management agencies that promulgate decrees or circulars on sanctions for infringements, or misuse of the personal data.

Bao Tram: Perhaps a lot of adjustments will be needed before the Decree is perfect. But we acknowledge the efforts to strengthen the legal framework governing cyberspace. Thank you, Mr. Hoang Viet Tien, Deputy General Secretary of the Vietnam Digital Communications Association, for taking the time to talk to VOV.

Viet Tien: Thank you for having me on the show. Thank you.