Privacy Matters – DLA Piper's Global Privacy and Data Protection Resource

VIETNAM, MALAYSIA AND INDONESIA: what you need to know about the new SE Asia data protection laws
https://privacymatters.dlapiper.com/2024/10/vietnam-malaysia-and-indonesia-what-you-need-to-know-about-the-new-se-asia-data-protection-laws/
Thu, 31 Oct 2024 08:38:35 +0000

It’s the turn of South-East Asian countries to update their data protection laws. Here is our summary of the proposed new data protection laws in Vietnam, Malaysia and Indonesia. Organisations are advised to update their data protection compliance programmes as soon as possible to reflect these developments.

Vietnam

Vietnam issued its first draft of a new Personal Data Protection Law (“PDPL”) in September 2024, for public consultation. The PDPL is anticipated to be adopted in May 2025, and it is tentatively scheduled to come into effect on 1 January 2026. The draft PDPL aims to create a more robust framework for data protection in Vietnam by unifying, clarifying, enhancing and supplementing the existing data protection rules set out in Vietnam’s existing Personal Data Protection Decree (“PDPD”). It remains unclear how the PDPD and draft PDPL will work together in practice, although some commentators suggest the PDPL will supersede the PDPD.

In addition to setting out eight personal data protection principles, the draft PDPL focuses on discussing specific compliance requirements for a number of processing activities and industries, including direct marketing, behavioural advertising, big data, AI, cloud computing, employee monitoring and recruitment, financial and credit information, health, insurance and social media. Key highlights proposed in the draft PDPL include (this is not a comprehensive list):

  • Extra-territorial effect: the draft PDPL extends the scope under PDPD to cover processing of foreigners’ personal data within Vietnam.
  • Consent: like the PDPD, consent remains the key legal basis for data processing, and separate consents are required for specific data processing activities.
  • Clarified definitions: the draft PDPL clarifies the distinction between ‘basic personal data’ and ‘sensitive personal data’. New definitions are also introduced, including, amongst others, ‘developers’ and ‘personal data protection organization’. The data protection authority – currently known as A05 – would change its name if the draft PDPL is implemented.
  • Updates to DPIA/TIA dossier filings: the now-familiar data processing impact assessment dossiers (“DPIA Dossiers”) for controllers and processors and transfer impact assessment dossiers for transferors (“TIA”) would have to be updated upon certain material changes to the organisation were the draft PDPL to be implemented.
  • Data protection department: companies would be required to have a data protection department overseeing personal data processing (although this could be outsourced to external service providers), as well as an expert (like a DPO) meeting certain eligibility criteria, with an initial short-term (two-year) exemption for new small businesses.
  • Certification mechanism: the draft PDPL would introduce a data protection certification scheme, whereby certain organisations could earn trust ratings based on an assessment of their personal data protection practices.
  • Breach reporting deadlines: the timescale for notifying authorities of breaches of personal data protection regulations is clarified as being 72 hours.

Malaysia

Significant changes to Malaysia’s Personal Data Protection Act (“PDPA”) were recently passed via the Personal Data Protection (Amendment) Act (subject to royal assent), and are anticipated to come into effect soon. The PDPA is now quite old (first passed in 2010), and so the amendments are largely to update the Malaysia data protection framework, to align it with more modern data protection laws elsewhere in Asia. The key amendments are:

  • mandatory breach notification;
  • mandatory appointment of DPOs;
  • direct obligations on data processors;
  • data portability rights for data subjects;
  • change of “data user” terminology to the more familiar “data controller”;
  • expanding sensitive personal data to include biometric data;
  • removing rights of deceased individuals regarding their personal data;
  • increased penalties (now fines of up to MYR1,000,000 and/or imprisonment of up to three years); and
  • updating the cross-border data transfer framework to remove the “whitelist” of approved jurisdictions, and instead allowing transfers to jurisdictions with equivalent standards of protection.

Besides the amendments to the PDPA, the Commissioner will develop guidelines to supplement the PDPA. The guidelines will cover areas including data breach notification, appointment of a data protection officer, data portability, cross-border data transfer, data protection impact assessment, privacy by design, and profiling and automated decision making.

Indonesia

Finally, a reminder that Law No. 27 of 2022 on Personal Data Protection (“PDP Law”), Indonesia’s first omnibus data protection law, came into full effect, after a two-year grace period, on 17 October 2024. For further information about the compliance obligations introduced by the PDP Law, please see our earlier updates “Indonesia: prepare now for the new Personal Data Protection Law” and “INDONESIA: Personal Data Protection Law PDPL Now in Force” on Privacy Matters.

VIETNAM: First Personal Data Protection Decree passed – What you need to know
https://privacymatters.dlapiper.com/2023/05/vietnam-first-personal-data-protection-decree-passed-what-you-need-to-know/
Wed, 24 May 2023 02:25:00 +0000

Authors: Carolyn Bigg, Amanda Ge, Venus Cheung, and Gwyneth To.

Vietnam’s long-awaited, first-ever Personal Data Protection Decree (“PDPD”) has finally been passed and is scheduled to take effect from 1 July 2023 (save limited grace period exceptions).

The PDPD is the first comprehensive data protection regulation consolidating Vietnam’s existing data protection regulatory framework (which is found across various legal instruments).

Given the tight timelines, businesses which engage in or relate to personal data processing activities in Vietnam are advised to take prompt action to ensure compliance.

The most notable provisions of the PDPD relate to the compliance requirements in general processing and cross-border transfers of personal data.

Highlights of the PDPD

  • Consent: the primary legal basis for processing personal data remains consent.
  • Data Protection Impact Assessment (“DPIA”) Profile: data controllers are required to prepare and maintain DPIA Profiles for their personal data processing activities. In certain circumstances the DPIA Profile may need to be submitted to the regulators.
  • Cross-Border Transfer of Personal Data: in order to transfer personal data outside of Vietnam, organisations must complete and submit a Dossier of Impact Assessment for Cross-Border Personal Data Transfer (“TIA Dossier”). The regulators may halt data transfers in situations where an organisation violates national security, submits an incomplete TIA Dossier, or loses or discloses personal data of Vietnamese citizens.
  • Data Localisation: surprisingly, the PDPD has not addressed the issue of data localisation. That said, organisations should continue to observe developments on this, and follow existing laws and regulations, notably the interaction between the PDPD and the Cybersecurity Law (Decree 53).
  • DPO: organisations may need to appoint and register their DPO with the authority, especially if sensitive personal data is processed.
  • Data subject rights: certain data subject rights are now subject to a 72-hour handling deadline.
  • Data incident: data breach incidents must be notified within 72 hours of the occurrence.

What next – practical steps

In view of the tight timescales to ensure compliance with the PDPD, organisations should promptly review their existing data privacy programmes and remedy any inconsistencies with the PDPD requirements.

Please contact Carolyn Bigg, Venus Cheung, or Gwyneth To if you have any questions or to see what this means for your organisation.
