Data regulation – Vietnam

Data protection and privacy frameworks are increasingly being developed globally. This is particularly the case in Asia: in the past two years, several key jurisdictions, including China, India, Indonesia and Vietnam have either introduced their jurisdiction’s first-ever comprehensive data protection laws or are updating and reforming their existing privacy laws. These regulations are very much influenced by, or borrow concepts from, the EU General Data Protection Regulation (“GDPR”) and set a high standard of compliance for organisations processing personal data.

Below is a snapshot of the national approaches to privacy in China, India, Indonesia, Singapore and Vietnam, prepared by our Asia data privacy task force.

Our Asia data privacy task force. At DS Avocats, we have developed strong expertise in data protection issues in Asia, enabling us to assist our clients in the development of their operations while taking into account their data compliance obligations. Our knowledge of the GDPR also allows us to bridge the needs of European-based headquarters and the local subsidiaries in China, India, Indonesia, Singapore and Vietnam.

On 17 April 2023, the Government issued Decree 13/2023/ND-CP on Personal Data Protection (“DPDP”), providing a comprehensive and uniform approach to data protection in Vietnam. The DPDP took effect on 1 July 2023.

A combination of international trends and local governance

Heavily influenced by the GDPR, the DPDP provides a clearer definition of personal data (split into basic personal data and sensitive personal data), the responsibilities of organisations and individuals that process personal data, and the rights of individuals over their personal data.

Despite being influenced by the GDPR, the DPDP contains some unique provisions, such as the prohibition of the sale and purchase of personal data through any means, unless otherwise provided by law. This is expected to have a major effect on the activity of data brokers and other businesses engaged in the commodification of personal data. The DPDP also does not recognise the principle of “legitimate interests” as a basis for processing.

Children’s Personal Data Protection

Like the GDPR, the DPDP provides special protection for children’s personal data. However, the two laws differ on the age threshold for obtaining valid consent. In Vietnam, the DPDP requires the consent of a parent or legal guardian for children aged 7 or older (it says nothing about age verification), while the GDPR only allows individuals over 16 to give consent independently for the processing of their personal data.

The DPDP states that only the child’s parent or legal guardian can withdraw consent for the processing of the child’s data. However, it remains unclear whether the child himself/herself can revoke consent and have his/her data deleted.

Requirements for Cross-Border Transfers of Personal Data

A Dossier of Impact Assessment for a Cross-Border Transfer of Personal Data must be created before any cross-border transfer of data takes place. This Dossier must also be submitted to the Department of Cybersecurity and Hi-Tech Crime Prevention (“DCHCP”) under the Ministry of Public Security (“MPS”) within 60 days of the date of processing of the data.

The Vietnamese Ministry of Public Security reserves the right to halt a personal data transfer if: (i) the transferred data is used for activities violating the national interest and security of Vietnam; (ii) the transferor does not comply with requests to supplement the impact assessment dossier; or (iii) there is an incident of leakage or loss of personal data of Vietnamese citizens. It appears that the third ground may be applied even where the transferor is not at fault.

Implications for business

The DPDP regulates data protection in parallel with other specific legal instruments that also govern data in Vietnam, such as the Law on Cybersecurity (and its data localisation requirements). It is critical for companies to understand and identify their new obligations under the DPDP and to assess the steps to be taken to comply with it.

Summary of the DPDP

Legislation: Decree No. 13/2023/ND-CP dated 17 April 2023 on protection of personal data

Authority: Ministry of Public Security (Department of Cybersecurity and Hi-tech Crime Prevention)

Scope of application: Vietnamese individuals and organizations (including those operating offshore), as well as foreign entities operating in Vietnam or directly engaging in or relating to personal data processing activities of Vietnamese citizens.

Parties involved in processing data:
• Personal data controller: organization or individual that decides the purposes and means of processing personal data
• Personal data processor: organization or individual that processes data on behalf of the Personal Data Controller under a contract or agreement with the Personal Data Controller
• Personal data controlling and processing entity: organization or individual that jointly decides the purposes and means, and directly processes personal data

Definition of personal data: Information in the form of symbols, scripts, numbers, images, sounds or any other similar form in the electronic environment, which pertains to a particular individual or facilitates the identification of a particular individual. Personal data includes “basic personal data” and “sensitive personal data”.

Personal data protection principles (8 principles):
1. The personal data shall be processed as prescribed by law.
2. The data subject shall be entitled to receive information related to the processing of his/her personal data, unless otherwise provided for by law.
3. The personal data shall be processed for the purposes that have been registered and declared by the Personal Data Controller, the Personal Data Processor, the Personal Data Controlling and Processing Entity and the Third Party.
4. The collected personal data shall be appropriate for the scope and purposes of processing. The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law.
5. The personal data shall be updated and supplemented for the processing purposes.
6. The personal data shall be protected and secured throughout the processing. Specifically, the personal data shall be protected from violations of the regulations on protection of personal data, and from loss, destruction or damage caused by incidents, through the use of technical measures.
7. The personal data shall be stored for a period of time that is appropriate for the processing purposes, unless otherwise provided for by law.
8. The Personal Data Controller and the Personal Data Controlling and Processing Entity shall comply with the rules for data processing in accordance with the law and be able to prove their compliance.

Rights of the data subject (11 rights):
1. Right to be informed
2. Right to consent
3. Right of access to personal data
4. Right to withdraw consent
5. Right to erase personal data
6. Right to limit processing
7. Right to obtain personal data
8. Right to object to processing
9. Right to lodge a complaint and take legal action
10. Right to claim damages
11. Right to self-defence

Requirement for consent:
• The consent of the data subject shall be obtained for all activities in the processing of his/her personal data, unless otherwise provided for by law.
• The consent of the data subject remains valid until the data subject decides otherwise or the competent authority makes a written request.
• The withdrawal of consent shall not affect the lawfulness of the processing carried out on the basis of that consent before it was withdrawn.

Measures to ensure protection of personal data:
• General protection: managerial and technical measures taken by the parties relating to the personal data, plus the competent government authorities.
• Additional measure for sensitive data: assignment of a data protection department and a data protection officer within the organization/entity.

Impact assessment on data processing: The data controller, data processor, and data controlling and processing entity are required to prepare and submit a dossier assessing the impact of personal data processing to the MPS. The dossier should be submitted to the DCHCP of the MPS within 60 days of the start of personal data processing. Any related updates or changes should also be reported.

Cross-border transfer of data and impact assessment on overseas transfer:
Definition of “cross-border transfer of data”: an act of using cyberspace, electronic devices, equipment or other forms to transfer personal data of a Vietnamese citizen to a location outside the territory of the Socialist Republic of Vietnam (“SRV”), or using a location outside the territory of the SRV to process personal data of a Vietnamese citizen. Specifically:
a. An organization, enterprise or individual transfers personal data of a Vietnamese citizen to an overseas organization, enterprise or management department in order to process the data for the purposes agreed upon by the data subject;
b. The personal data of a Vietnamese citizen is processed by automatic systems located outside the territory of the SRV belonging to the Personal Data Controller, Personal Data Controlling and Processing Entity or Personal Data Processor, for the purposes agreed upon by the data subject.

Conditions on cross-border transfer of data:
• The data subject’s consent is obtained
• A transfer impact assessment dossier is inspected and evaluated by the DCHCP of the MPS (within 60 days of the transfer)
• A written notification must be submitted to the DCHCP after the data has been transferred successfully.

Breach notification:
• Timeline: 72 hours from the time of the breach event (lateness must be accompanied by an explanation)
• Authority to receive the notification: DCHCP of the MPS

Penalties:
• Discipline
• Administrative sanction
• Criminal punishment

Data regulation – India

Since the Supreme Court of India declared the “right to privacy” a fundamental right in a landmark 2017 judgment and urged the national government to establish a data protection regime, policymakers have worked toward passing central legislation to protect privacy. As a result of this effort, the Digital Personal Data Protection Act, 2023 (“DPDPA”) was finally passed on 11 August 2023.

The DPDPA replaces a set of rules made under section 43A of the Information Technology Act, 2000, which only superficially resembled a data protection law.

The DPDPA aims at regulating the processing of digital personal data in a manner that recognizes both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes.

GDPR and DPDPA

The DPDPA has been partially modelled on the GDPR and on the data protection laws of Singapore and Australia.

The GDPR takes an extraterritorial approach: it applies to businesses worldwide that process the personal data of EU data subjects, regardless of where those businesses are located, and it grants extensive rights to individuals (including the right to data portability, the right to erasure, the right to rectification and the right to object). The DPDPA, by contrast, primarily focuses on data collected, processed and stored within India. It has a national scope and applies to Indian citizens, as well as to foreign companies processing their data.

Philosophically, the GDPR is grounded in the principles of fundamental individual rights, especially the right to privacy. It treats data protection as a fundamental right of the individual and places the confidentiality of personal data at the centre of its concerns. Conversely, the Indian approach emphasises data sovereignty and the need to promote the economic development of the country. It seeks to strike a balance between personal data protection and the country’s development interests, including facilitating business and fostering innovation and the digital economy.

In summary, the GDPR focuses on safeguarding fundamental individual rights and the preservation of privacy, while the DPDPA emphasizes data sovereignty and striking a balance between data protection and economic development. These differences reflect the values and priorities unique to each region, but both regulations share the common goal of ensuring the protection of personal data.

Summary of the DPDPA

Legislation: India Digital Personal Data Protection Act 2023 (expected to come into effect in early 2024)

Regulator: Data Protection Board of India (DPBI)

Scope:
• Any entity that processes digital personal data within Indian territory.
• Extraterritorial jurisdiction: covers data processed outside India if done with the intent to offer goods and services to individuals within India.
Exclusion: the DPDPA does not apply to Indian companies providing outsourcing services, i.e. processing in India of data that was collected abroad and does not concern data principals in India.

Concept of personal data:
• The DPDPA applies uniformly to all types of personal data, defined as “any data about an individual who is identifiable by or in relation to such data.”
• The DPDPA does not contain any provisions on special category data (i.e. sensitive data). However, a “significant data fiduciary” (classified as such based on the volume and sensitivity of the personal data and other prescribed criteria) is subject to a higher compliance burden.
Exclusions:
• Non-digitised data. Unlike the GDPR, the DPDPA does not seek to regulate a processing operation or activity that is wholly manual or non-automated.
• Personal data processed for personal or domestic purposes, or aggregated personal data collected for research and statistical purposes which is not used for any decision specific to a data principal.
• Personal data made publicly available.

Parties involved in data processing:
• Data fiduciary: any person that decides on the purposes and means of processing of data (data controller); may be classified as a significant data fiduciary.
• Data processor: any person who processes personal data on behalf of the data fiduciary.
• Data principal: individual to whom the personal data relates (data subject).
Unlike the GDPR, the DPDPA does not impose obligations directly on the data processor, but instead expects data fiduciaries to ensure compliance by the data processors they engage through data processing agreements.

Rights and duties of data principals:
Rights:
• Right to access
• Right to correction
• Right to erasure
• Right to grievance redressal
• Right to nominate
Duties:
• Not to impersonate another person
• Not to suppress material information
• To furnish only verifiably authentic information
• Not to make frivolous complaints
Unlike the GDPR, there is no right to data portability. Indian citizens can exercise their rights by the methods prescribed by the data fiduciaries. The data fiduciary must establish an effective mechanism for grievances by data principals.

Data localisation: While the DPDPA does not impose strict localisation requirements, it grants the government powers to mandate local storage for certain types of data in the interest of national security.

Power of the State:
• Disclosure of personal data by data fiduciaries to the State or agents of the State (“State”) under a legal obligation is a ‘legitimate use’: no consent or intimation is required.
• The State is exempted from seeking consent (and from other obligations under the DPDPA, including the erasure of personal data in its records) when processing personal data for the performance of any legal function, in the interest of the security, sovereignty and integrity of India, or to maintain public order.
• The Indian government is responsible for appointing the members of the DPBI.
The DPDPA does not include conditions covering contractual necessity or legitimate interests. A previous version of the bill contained an exemption for processing in the public interest, but this has since been modified to apply only to the State.

Security: The data fiduciary must implement reasonable security safeguards and appropriate technical and organisational measures to ensure compliance with the DPDPA and prevent personal data breaches.

Requirement for consent: Data processing requires the explicit consent of users, unless the data can be processed on another legal basis.
Consent must be:
• Free: the data principal must not feel coerced or pressured to give consent.
• Unconditional: the consent cannot be made conditional on anything else, such as the provision of a product or service.
• Unambiguous: the data principal must be clear about what they are consenting to.
• Specific: the consent must specify the purpose for which the data is being collected and processed.
• Informed: the data principal must be given enough information about how their data will be used to make an informed decision about whether to consent.
The data fiduciary must issue a notice explaining the purpose and means of the data processing, and must give the data principal the option to access the contents of the notice in English or any of the 22 languages specified in the Eighth Schedule to the Constitution.
The data principal has the right to revoke their consent at any time.
Processing of children’s data (below 18 years of age) requires the verifiable consent of a parent or guardian. Any tracking or behavioural monitoring of children, or targeted advertising towards children, is prohibited.

Impact assessment on data processing: Only significant data fiduciaries are required to conduct a Data Protection Impact Assessment (DPIA).

Cross-border transfer of data and impact assessment on overseas transfer:
• Unlike the GDPR, the transfer of personal data for processing outside India is generally permitted under the DPDPA.
• The Indian government can identify specific countries to which data transfers are prohibited. At present, the government has not given any indication of the countries that may feature on this list.
• If the DPDPA provisions on international data transfer conflict with other Indian laws, the law which provides the higher degree of protection or restriction on cross-border transfers will prevail (i.e. sector-specific regulations, such as the RBI’s data localisation mandate for payment system data, will continue to apply).

Breach notification:
1. Report the breach to the DPBI within 72 hours of becoming aware of it.
2. Inform the data principals affected by the breach.
3. Data principals who are harmed by a data breach may be able to sue the data fiduciary in breach for damages.

Penalties (fines):
• Failure by a data fiduciary to take reasonable security measures: fines up to INR 250 crore (EUR 2,800,000)
• Failure to notify a personal data breach or to comply with children’s data protection requirements: fines up to INR 200 crore (EUR 2,240,000)
Fines are determined by the DPBI, depending on the nature of the offence.

Data regulation – Singapore

The Personal Data Protection Act 2012 of Singapore (PDPA) came into effect on 2 July 2014 and provides a baseline standard of protection for personal data in Singapore. The PDPA’s main purpose is to protect the privacy rights of individuals and to regulate the collection and treatment of personal data by private organisations.

GDPR and PDPA

The GDPR is grounded in the philosophy of individual fundamental rights, particularly the right to privacy. It treats data protection as a fundamental right of the individual, places the safeguarding of privacy at the core of its concerns and recognises the importance of preserving the confidentiality of personal data. The PDPA, by contrast, seeks a balance between data protection and facilitating business: it acknowledges the significance of innovation and economic development while concurrently safeguarding privacy.

Both laws are comprehensive and have a similar personal and extra-territorial scope. Both create a supervisory authority with wide-ranging investigative and corrective powers, including the power to impose significant monetary fines for non-compliance. However, compliance with the PDPA does not necessarily mean that an organisation is also in compliance with the GDPR, as the requirements under the two regimes differ[1].

Below is an infographic developed by the Personal Data Protection Commission of Singapore (PDPC) illustrating the broad comparison between the PDPA’s exceptions to consent and the GDPR’s legal bases for processing of personal data.

[1] However, with the amendments introduced in the enhanced PDPA that came into effect on 1 February 2021, the exceptions to consent under the PDPA have been streamlined and categorised broadly in ways that are similar to the EU GDPR’s six legal bases for processing of personal data.

Other differences are:

  • While the PDPA excludes public agencies and organisations acting on their behalf, the GDPR applies to both private and public bodies.
  • The PDPA grants narrower protection to individuals than the GDPR.
  • While the GDPR applies to all businesses that process personal data of EU data subjects, regardless of where they are located, the PDPA applies to any organisation, excluding public agencies, that processes personal data in Singapore.
  • Although both laws grant people the right to be informed of the conditions under which their data is collected and used, the right to object to the collection of their data, and the right to access and correct the data that has been collected, the GDPR goes further by allowing people to obtain the deletion of the personal data collected about them. The PDPA remains silent on this point, so companies that have collected data are not required to delete it on request.

Overview of the PDPA

Legislation: Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”)
• Specific guidelines for certain sectors: telecommunications, real estate agencies, education, healthcare, social services, transport services, management corporations
• Specific regulations for certain sectors: banking, healthcare, life insurance

Regulator: Personal Data Protection Commission (PDPC)

Scope: Applies to all organisations (including any individual, company, association or body of persons, corporate or unincorporated, whether or not formed or recognised under the laws of Singapore) that carry out activities involving personal data in Singapore, unless they fall within the categories expressly excluded from the application of the PDPA:
• Individuals acting in a personal or domestic capacity;
• Employees acting in the course of their employment with an organisation;
• Public agencies; and
• Organisations acting on behalf of a public agency in relation to the collection, use or disclosure of personal data.

Definition of personal data: “personal data” means data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organisation has or is likely to have access.
The PDPA does not define special categories of data. The PDPC has, however, considered in several decisions the concept of more sensitive data, including medical data, financial data, bankruptcy status, drug problems and infidelity.

Obligations under the PDPA (personal data protection principles):
• The Consent Obligation (sections 13 to 17)
• The Purpose Limitation Obligation (section 18)
• The Notification Obligation (section 20)
• The Access and Correction Obligations (sections 21, 22 and 22A)
• The Accuracy Obligation (section 23)
• The Protection Obligation (section 24)
• The Retention Limitation Obligation (section 25)
• The Transfer Limitation Obligation (section 26)
• The Data Breach Notification Obligation (sections 26A to 26E)
• The Accountability Obligation (sections 11 and 12)

Parties involved:
• Data controller: the PDPA does not use the term ‘data controller’. Instead, it uses the more general term ‘organisation’ to refer to the entities that must comply with the obligations prescribed under the PDPA. The term ‘organisation’ broadly covers natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as associations), regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.
• Data processor: the term ‘data processor’ is not used in the PDPA, but the equivalent term ‘data intermediary’ is. A ‘data intermediary’ is defined as an organisation which processes personal data on behalf of another organisation, but does not include an employee of that other organisation. For more information on the obligations of data intermediaries, see also the section on scope above.

Rights of data subjects: Individuals have the right to access their personal data and to have errors in it corrected.

Security: Security arrangements that are reasonable and appropriate in the circumstances to protect personal data and prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

Requirement for consent: Consent Obligation (sections 13 to 17): organisations are required to obtain individuals’ consent to collect, use or disclose their personal data, unless such collection, use or disclosure is required or authorised under the PDPA or any other written law.
Consent is not required for the collection, use and disclosure of personal data where the specific exceptions in the First Schedule and the Second Schedule to the PDPA apply, for example where the collection, use or disclosure of personal data about an individual is:
• Necessary for any purpose which is clearly in the interests of the individual, and (i) consent for the collection, use or disclosure cannot be obtained in a timely way, or (ii) the individual would not reasonably be expected to withhold consent
• Of publicly available data
• In the national interest
• In the legitimate interests of the organisation or another person, and those legitimate interests outweigh any adverse effect on the individual
An organisation is further required to state the purposes for which it is collecting, using or disclosing the data under the Notification Obligation.
Individuals can be deemed to have given consent when they voluntarily provide their personal data for a purpose, and it is reasonable that they would voluntarily provide such data. The PDPA provides for three forms of deemed consent:
• Deemed consent by conduct
• Deemed consent by contractual necessity
• Deemed consent by notification
Consent should be given in written or electronic form. Consent can be withdrawn at any time by an individual upon reasonable notice to the organisation.

Impact assessment on data processing: (no entry)

Cross-border transfer of data and impact assessment of overseas transfer: An organisation may transfer data if:
• It complies with the PDPA while the transferred data remains in its possession; and
• The recipient is bound by legally enforceable obligations to provide protection comparable to that under the PDPA.

Breach notification: PDPC’s Guide to Managing Breaches 2.0. Organisations are advised to notify the PDPC and/or the affected individuals of data breaches that are of a significant scale or are likely to result in significant harm or impact to the individuals to whom the information relates.

Sanctions: Fines not exceeding S$1,000,000, or 10% of annual turnover where the annual turnover exceeds S$10,000,000.