Vietnam is now proposing to enact a comprehensive data privacy law for the first time. A draft Decree on Personal Data Protection (‘Decree’) released for public consultation by the Ministry of Public Security (MPS). This article analyses this proposed law by comparison with international standards, and previous Vietnamese practice.


Processing personal data without the person’s consent (including for secondary processing) is only allowed in various situations of public interest, emergencies, for statistics or research after de-identiJication, and where ‘according to the provisions of law’ (art. 10). One criticism of this last exception is that it is ‘a loophole that is widely used in the legal system of Vietnam to give the government’s executive branch, especially ministries, an almost unlimited ability to interpret laws and regulations using circulars and executive decisions’. There are no ‘legitimate interest’ exceptions allowing such processing.