Developments in Vietnam:
On April 17, 2023, the Government of Vietnam issued a long-awaited regulation on data privacy, through Government Decree No. 13/2023/ND-CP ("Decree 13"). Until now, Vietnam did not have a comprehensive legislation regulating the collection and processing of personal data. Instead, rules and regulations on personal data protection were present in general laws such as the Civil Code 2015 and the Law on Cyber Information Security No. 86/2015/QH13.
Decree 13, much like the European Union's General Data Protection Regulation ("GDPR"), incorporates the concepts of data processor, data controller and data subject. It classifies personal data as "basic personal data" and "sensitive personal data" and outlines personal data processing principles, including lawfulness, transparency, purpose limitation, confidentiality, accountability, and storage limitation. Similar to the GDPR, Decree 13 stipulates data subjects' rights, including the right to be informed, the right to consent, access, opt-out, erasure, restriction of processing, data portability, and the right to claim damages. Decree 13 also imposes restrictions on cross border data transfers and provides that a transfer impact assessment must be done for outbound transfers of personal data from Vietnam. There are also special provisions relating to data processing for marketing and advertising which require data subject's consent.
Decree 13 is expected to clear the ambiguity around data privacy regulation and advance Vietnamese individuals' right to privacy. It will also have considerable and wide-reaching implications on companies collecting and processing the personal data of Vietnamese citizens.
Developments in Nepal:
The Nepal Telecommunications Authority ("NTA") on April 22, 2023, released a regulatory framework for Internet of Things ("IoT") and Machine to machine ("M2M") service providers ("Framework"). The regulatory Framework unveiled by NTA covers the issuance of licenses to IoT and M2M service providers. Recognizing the significance of data privacy and security, the Framework directs IoT/M2M service providers to follow industry best practices and the applicable laws of Nepal for data security. While dealing with personal data, the Framework mandates personally identifiable information of the IoT/M2M users to be properly encrypted and to not be accessible to third parties under any circumstance. The Framework further restricts the transfer of data and specifically requires that personally identifiable information of IoT/M2M Users should be stored within Nepal. With respect to data storage and maintenance, the Framework directs IoT/M2M service providers to follow existing data telecommunication rules. Incidents of data breach are required to be reported to the relevant authority immediately and prompt technological and/or legal actions are required to be taken.
In 2015, Indian government had released a draft 'Internet of Things Policy' to promote the creation of an IoT ecosystem and development of IoT products specific to Indian needs. In February 2022, the Department of Telecommunications (DoT) issued guidelines for registration of M2M service providers. However, to date India does not have a comprehensive law regulating the IoT and M2M technologies. The rising use of IoT devices raises serious privacy concerns as IoT devices such as e-health devices, smart watches and trackers contain sensors which collect and transfer data about an individual's daily habits, activities and preferences. It is essential to regulate the manner in which such devices use and maintain data security. It is high time the Indian policy and regulatory framework catches up with these emerging technologies.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.