I. Introduction
In this post, we examine the data governance framework of Vietnam. We discuss: grounds of processing data and the obligations imposed on organisations (II); rights guaranteed to individuals (III); rules governing cross-border data flows (IV); the penal and enforcement framework (V); and the exemptions given to state agencies (VI). Part VII concludes.
Although the Constitution of Vietnam[1] and its civil procedure code[2] recognise the right to privacy and personal secrets, Vietnam does not have a national data protection law. Data protection norms have been built into various laws,[3] notably the Law on Network Information Security (“LNIS”)[4] and the Law on Cybersecurity (“LCS”).[5] In December 2019, the Ministry of Public Security (“Ministry”) released a Draft Decree Guiding the Implementation of Law on Cybersecurity (“Draft Decree”) for consultation, which is expected to be submitted to the government in 2020.[6] This post will focus on these three laws.
II. Data processing and other obligations
Scope
The LNIS applies to organisations, agencies, and individuals that are processing personal information and are directly involved in or related to network information security activities in Vietnam.[7] The law does not distinguish between data controllers or processors.[8]
The Draft Decree introduces a distinction between data controllers (referred to as Main Personal Data Processor) and data processors (referred to as Authorised Personal Data Processor), although the nature of this difference is unclear.[9]
Notice and Consent
Under the LNIS,[10] consent is required for:
- Collecting personal information, after explaining the scope and purpose for the collection and use of such data to the data subject;
- Using the personal information for any purpose separate from the initial purpose; and
- Sharing the personal information with a third party (unless it is at the request of competent state agencies).
Apart from what has been stated above, there is no additional notification requirement in the LNIS.
The Draft Decree mandates that personal information be (i) collected legally, (ii) to serve a pre-determined purpose, (iii) that has been consented for/registered, and (iv) that any use of the personal information is in accordance with such consent.[11] There is an absolute prohibition on the disclosure of data in certain cases, such as within 30 days of breach of contract.[12]
Storage limitation
Individuals and organisations must delete the personal data stored with them once it has achieved its specified purpose or the storage time has expired. They must notify the data subjects of these actions.[13] Parties can also agree in advance on the period of storage of personal information.[14]
Sensitive personal data
Currently, Vietnamese law does not define or deal with sensitive personal data. Certain protections, however, are given for state secrets that contain certain types of personal data.[15]
The Draft Decree defines sensitive personal data as including biometric and genetic data, political/religious views, ethnicity/race, health status, gender, sex life, and crime data. Notably, it also introduces a registration regime for the processing of sensitive personal data, although the details are still unclear.[16]
Security
Organisations and individuals processing personal information must take appropriate technical and management measures to protect such information.[17]
III. Individual rights
Data subjects have the following rights under the law:
- Access: Data subjects can access their personal information stored by individuals and organisations.[18]
- Modification and deletion: Data subjects can seek to update, alter, or cancel/delete their personal information stored by individuals and organisations.[19]
- Object: Data subjects can object to the collection, use, or processing of their personal information.[20]
- Confidentiality: Users have a right to confidentiality regarding their information and accounts.
Vietnamese law currently does not require organisations to conduct privacy impact assessments or put in place mandatory accountability measures, nor does it recognise the right to data portability.[21]
Data subjects have no right to data breach notification. In case of any sabotage or network information security incident, only the service provider or the specialised response division have to be informed.[22] In case of technical incidents, organisations and individuals handling personal information only need to take remedial action as soon as possible.[23] Breaches of an information system or of law also have to be notified to the Cybersecurity Task Force.[24]
The Draft Decree is expected to introduce various additional rights, such as the right to be informed of the processing of personal data, right to deletion and destruction of such data, right to data quality, and right to file a complaint and request for damages.[25]
IV. Cross-border data flows
Domestic and foreign cyberspace service providers[26] who collect/process/use/analyse personal data (including the data generated by service users and about their relationships) in Vietnam must store this personal information in Vietnam for a period that will be specified by the government. Any foreign enterprise that is covered under this provision must have a branch office in Vietnam.[27] The government can frame regulations to provide further clarity to this provision.[28]
Newspaper reports indicate that the Ministry will be narrowing the reach of these provisions – thus, for an entity to be subject to data localisation norms, it will have to additionally fulfil the following three conditions:
- The company provides services on telecom networks, the internet, and cyber space;
- The company collects/analyses/processes personal information and user-generated data in Vietnam, and
- The company has been notified that its services have been used to violate Vietnamese law, but has not taken any action or has resisted/obstructed government investigation.[29] Since the scope of the above two conditions is very broad, this condition plays an important role in actually limiting the scope of the data localisation requirement.
The Draft Decree requires the cross-border transfer of personal data to be registered, although the term ‘registration’ has not been defined. If registration is interpreted as requiring government approval for transfer, it would impede the free flow of data.[30]
V. Penal and enforcement framework
Penal framework
Non-compliance with data protection laws can lead to administrative fines and civil penalties, which are prescribed by the government decrees, rather than through primary legislation.[31]
For instance, the illegal collection, utilisation, spreading, or trading of personal information of others is prohibited under law. Similarly, the collection or exploitation of personal information by abusing the weaknesses of information systems is also prohibited.[32] The violation of the law is punished by disciplining the violators, administratively sanctioning them, or imposing fines for causing damage,[33] although no further information is provided in the LNIS.
Similarly, while the LCS imposes various obligations on domestic and foreign cyberspace service providers, the consequences of non-compliance have not been spelt out in the law.[34]
Enforcement framework
Vietnam does not have a national data protection authority. Hence, the task of policy making and regulation in the field of information technology has been left with the Ministry of Information and Communications (“MIC”).[35] The MIC generally examines, inspects, settles complaints, and handles violations of the law.[36]
The Draft Decree provides for the establishment of a State Authority for data protection, although no further details are available as yet.[37]
VI. Exemption given to state agencies
Cybersecurity
Authorities can exercise the following powers while working to secure the cyberspace, i.e. to prevent, detect, avoid, and deal with acts that infringe cybersecurity:[38]
- Collecting e-data relevant to acts in cyberspace that infringe national security, social order and safety, or the lawful rights and interests of others.
- Requiring the deletion, access to, or removal of unlawful or false information in cyberspace which infringes national security, social order and safety, or the lawful rights and interests of others.
- Stopping or suspending the provision of network information or the establishment/use of telecom networks or the internet.
- Freezing or restricting the operation of information systems or withdrawing domain names in accordance with law.
In addition, the Cybersecurity Task Force, under the control of the Ministry, has the following powers:
- It can require domestic/foreign telecom service providers, internet service providers, and value-added service providers to provide user information related to violation of the law.[39]
- It can require organisations and entities, in certain cases, to open up their information systems, as well as the information stored, processed, and transmitted on such systems for inspection.[40]
- It can request system administrators to implement managerial or technical measures to prevent, detect, stop, or remove information in cyberspace that is untruthful; is propaganda against the country; causes public disorder or embarrassment or is slanderous; or violates economic management order.[41] This information has to be deleted within 24 hours of receiving a request from the competent authorities.[42]
Decryption
‘Users’ of civil cryptographic products, i.e. encrypted products, have a responsibility to:
- Provide necessary information relating to the encryption keys to state agencies on their request.
- Coordinate with state agencies to prevent the use of encryption products for illegal purposes.
- Declare the encryption products that are not provided by licensed enterprises to the Government Cipher Committee.[43]
VII. Conclusion
Vietnam is unique amongst the APAC countries since unlike several of them, it does not have a data protection law. The Draft Decree that has been released by the Ministry is still short of many details, and has already been subject to criticism.[44]
Vietnam, along with Japan (covered in our last post), has signed the Osaka Declaration, the e-commerce chapter of the Regional Comprehensive Economic Partnership (“RCEP”), as well as the recent Comprehensive and Progressive Agreement for Trans-Pacific Partnership (“CPTPP”). All these international documents broadly endorse the free flow of data and information across borders.[45] However, Vietnam’s domestic law, especially the LCS and the Draft Decree, seems to be in conflict with its international commitments inasmuch as it imposes certain data localisation/registration requirements on the cross-border transfer of data. These contradictions will have to be resolved in the coming days if the promise of the Osaka Declaration is to turn into reality. That, however, will also depend on the actions of other countries, especially Indonesia, which also did not sign the Osaka Declaration and is the focus of our next post.
Authored by the Ikigai team.
[1] Article 21 of the Vietnamese Constitution, 2013, states among other things that “The security of information about private life, personal secrets or family secrets shall be guaranteed by law”, available at http://vietnamlawmagazine.vn/the-2013-constitution-of-the-socialist-republic-of-vietnam-4847.html.
[2] The rules for the collection, storage, processing, use, disclosure, and publication of personal data are also set out in Article 38 of Vietnam’s Civil Code 2015.
[3] Other laws governing principles of collection, storage, use, transfer of personal data include the Criminal Code; Law on Information Technology; Law on Protection of Consumer Rights; Law on Children; and Law on E-Transactions. A list of some of these laws can be found here.
[4] Law on Network Information Security, 2015 (or Law on Cyberinformation Security), Law No. 86/2015/QH13, which came into force on 01.07.2016.
[5] Law No. 24/2018/QH14 on Cybersecurity, 2018, which came into force on 01.01.2019.
[6] No English translation of the Draft Decree seems to be available on the internet (see here for the updates in Vietnamese). Hence, all the comments regarding the Draft Decree are based on third-party reports available online. The Draft Decree reportedly does not contain a lot of detail, and is still in a skeletal form. Interestingly, the Draft Decree is alternatively called the Draft Decree on Personal Data Protection and the Draft Decree Guiding the Implementation of the Law on Cybersecurity. See Baker McKenzie, Vietnam: Draft Decree on Personal Data Protection, available at https://www.bakermckenzie.com/en/insight/publications/2020/04/draft-decree-on-personal-data-protection. See also Asia Internet Coalition (AIC), Comments on Outline of Draft Decree on Personal Data Protection, available at https://aicasia.org/wp-content/uploads/2020/02/AIC-Comments-on-Outline-of-Draft-Decree-on-Personal-Data-Protection-EN.pdf.
[7] Article 2 read with Article 16, LNIS. ‘Network information security’ has been defined under Article 3 to mean the protection of network information and information systems (which involve telecommunication and computer networks).
[8] Globally, data protection laws such as the GDPR distinguish between data controllers and data processors. Simply speaking, data controllers (alternatively called ‘data fiduciaries’ in India’s draft Personal Data Protection Bill, 2019 or ‘data users’ in Malaysia’s Personal Data Protection Act (“PDPA”), 2010) are the entities that make decisions on how and why data of individuals (data subjects) should be processed. Data processors are the entities that process the personal data on behalf of, and on the instructions of, the data controller.
[9] Although the law defines Main Personal Data Processor and Authorised Personal Data Processor, most of the provisions of the Draft Decree use the generic term ‘personal data processor’. See Asia Internet Coalition (AIC), Comments on Outline of Draft Decree on Personal Data Protection, available at https://aicasia.org/wp-content/uploads/2020/02/AIC-Comments-on-Outline-of-Draft-Decree-on-Personal-Data-Protection-EN.pdf.
[10] Articles 17(1) read with 18(1), LNIS.
[11] Baker McKenzie, supra note 6.
[12] AIC, supra note 6.
[13] Article 18(3), LNIS.
[14] Article 21(2)(b), Law on Information Technology.
[15] See generally, Decree 33/2002/ND-CP (March 28, 2002). See also, Linklaters, Data Protected: Vietnam, available at https://www.linklaters.com/en/insights/data-protected/data-protected—vietnam.
[16] Linklaters, supra note 15; Baker McKenzie, supra note 6. See also Yen Vu, New Draft Decree on Personal Data Protection in Vietnam, The Rouse Magazine (January 2020), available at https://www.rouse.com/magazine/news/new-draft-decree-on-personal-data-protection-in-vietnam/.
[17] Article 19(1) read with Article 23, LNIS and Article 21(2)(c), Law on Information Technology.
[18] Article 17(3), LNIS.
[19] Article 18(1), LNIS.
[20] Article 17(1), LNIS.
[21] Linklaters, supra note 15.
[22] Article 15(2), LNIS.
[23] Article 19(2), LNIS.
[24] Article 24(3), LCS. See also Article 72, Decree on E-Commerce, 2013.
[25] Baker McKenzie, supra note 6; Yen Vu, supra note 16.
[26] Article 26(3), LCS defines cyberspace service providers as domestic and foreign entities providing telecommunication services, internet services, and value-added services.
[27] Article 26(3), LCS.
[28] Article 26(4), LCS.
[29] For further details see Data localisation requirements narrowed in Vietnam’s cybersecurity law, Business Times (October 2019), available at
[30] Article 27 of the Draft Decree deals with Registration of transfer of personal data [of Vietnamese citizens] overseas. AIC, supra note 6.
[31] For instance, Government Decree No. 185/2013/ND-CP (Nov. 15, 2013), on administrative penalties concerning commercial production activities and consumer protection, prescribes administrative penalties. Similarly, Decree 15/2020/ND-CP prescribes sanctions against administrative violations in the fields of post, telecommunications, radio frequency, information technology, and electronic transactions. See Provisions on sanctioning administrative violations in the fields of post, telecommunications, radio frequency, information technology and electronic transactions, available at http://bocongan.gov.vn/tin-tuc-su-kien/quy-dinh-xu-phat-vi-pham-hanh-chinh-trong-linh-vuc-buu-chinh-vien-thong-tan-so-vo-tuyen-dien-cong-nghe-thong-tin-va-giao-dich-dien-tu-t27235.html. See also Data Protection in Vietnam: An Overview, Practical Lawyer, available at https://www.amchamvietnam.com/wp-content/uploads/2019/05/Data-Protection-in-Vietnam-Overview-April-2019.pdf for a list of some of the sanctions and remedies for non-compliance with data protection laws.
[32] Article 7(5), LNIS.
[33] Article 8, LNIS.
[34] See generally, ICLG, Vietnam: Telecom, Media & Internet 2020, available at https://iclg.com/practice-areas/telecoms-media-and-internet-laws-and-regulations/vietnam.
[35] Ministry of Information and Communications, Main Functions, available at https://english.mic.gov.vn/Pages/ThongTin/114253/Main-Functions.html.
[36] Article 52(2)(h), LNIS. For the exceptions, see Article 52(3)-52(6), LNIS.
[37] Linklaters, supra note 15.
[38] Article 5(h)-(l), LCS.
[39] Article 26(2)(a), LCS.
[40] Article 24(1), (2), and (4), LCS.
[41] Article 16, LCS.
[42] Article 26(2)(b), LCS.
[43] Article 36, LNIS.
[44] See for instance, AIC, supra note 6.
[45] Arindrajit Basu, The Retreat of the Data Localization Brigade: India, Indonesia and Vietnam, The Diplomat (January 2020), available at https://thediplomat.com/2020/01/the-retreat-of-the-data-localization-brigade-india-indonesia-and-vietnam/.