Quick Overview of Data Protection Regulations in Vietnam
In the era of information and communications technology (ICT), use of cyberspace by businesses (such as websites, social networks, mobile applications, etc.) is critical for rapid development. As part of the business in such context, collecting, storing, transmitting and processing personal data belonging to customers and cyberspace users are each indispensable. On the flip side of this digital era, the use of cyberspace in business is nevertheless vulnerable to leakage of personal information due to cyber-crimes that might cause unexpected damage to data subjects.
Therefore, to mitigate such a risk, each jurisdiction has its own regulations to protect the data subject (e.g., EU General Data Protection Regulation, UK Data Protection Act, Japan’s Personal Information Protection Act) and entity compliance with such regulations is strictly required. Similar to any other jurisdictions, Vietnam has its own legal framework to regulate personal data protection matters. This article will provide readers with a quick overview and some essential points concerning the legal framework on personal data protection in Vietnam.
No Unified Regulation
Unlike other countries, Vietnam has no unified act to regulate data protection. Data protection regulations are currently spread across various acts and the relevant guiding legal documents (i.e., the Civil Code (2015), the E-transactions Law (2005), the Information Technology Law (2006), the Consumer Rights Protection Law (2010), the Cyber Information Security Law (2015), the Cybersecurity Law (2018), decrees on e-commerce and circulars). Given such non-unification, the correct identification of applicable subject and governing scope is not always an easy task for data controllers and processors.
Personal Data, Data Subject, and Target Entity
Since there are many applicable legal documents, the definitions of personal data and data subject are referred to by different terms such as “private life”, “private secret”, “personal information”, “customer’s information”. However, readers might generally understand those terms as follows:
(i) “personal data” is information on an identifiable individual that may include his/her name, address, race, ethnicity, education, financial circumstances, employment history and other information; and
(ii) “data subject” is a person who can be identified from such personal data.
Those definitions are relatively close to international standards; thus, readers might be familiar with them.
Similarly, the target entities who are required to comply with those regulations are relatively broad and identified differently in various applicable laws. They generally include individuals and organizations dealing (i.e., collecting, storing, and processing) with personal data in Vietnam, which may include foreign entities.
Rights of Data Subject
In Vietnam, the data subject has the following rights over its personal data, (i) to request that the target entity furnish it with the provided personal data and (ii) to request that the target entity check, correct, and delete the personal data or stop providing the data to a third party.
The target entities are generally required to comply with the following obligations:
(i) Seeking consent of the data subject before collecting, sharing, disclosing or transmitting such personal data to a third party. If personal data is transmitted to and processed by a third party, then in a contract with the third party, there must be provisions that clearly define the responsibility of each party to comply with the relevant regulations on data protection;
(ii) Preparing a privacy notice and making sure that it is easily accessible by the data subjects;
(iii) Taking prompt remedies and stoppage measures in the case of personal data leakage;
(iv) Deleting or destroying the personal data upon request of the data subject, completion of use for purpose or expiry of retention period;
(v) Taking all necessary measures to ensure the safety of personal data that they have collected and stored. However, for the target entity being an information system (IS) owner (who has competence to directly manage the information system), it is required to comply with technical standards that are compatible with international standards (i.e., ISO/IEC) and regulations on assurance of cyber-information security that include, among others, the following key requirements:
- Grading IS level as required by law (from Level 1 to 5). An increase in the IS level results in an increase in safety measures and requirements;
- Inspecting compliance with information security and assessing the efficiency of applied management measures and techniques, etc.; and
- Assisting the competent authority in controlling and ensuring information security upon request.
Although there are a number of personal data protection regulations that seem to cover a wide range of target entities, the application of and compliance with such laws are still quite limited as:
(i) There is no official reporting and statistical system in which the application and compliance with those regulations are recorded;
(ii) Information on public sources (via news, articles only) shows that the regulations in relation to data protection in Vietnam have not been highly estimated as illustrated by a low information security index. As confirmed by the Vietnam Information Security Association - VNISA, the information security index of Vietnam in 2018 only reached 45.6%. The index was even lower than 2017 (46.8%). This shows that Vietnamese target entities’ awareness of cyber information security is still limited, and many of them are neither concerned about nor have knowledge about protecting cyber and information security; and
(iii) Non-compliance in this area might be subject to sanctions (even criminal ones), depending on the severity. Although the dataprotection regulations provide for many obligations that the target entities must follow, the regulations on handling non-compliance have not been updated yet. As a result, there is the scenario where non-compliance is subject to no sanctions. Therefore, the relevant authority’s enforcement of data protection regulations does not seem to be very effective in practice.
Preparation by Target Entities
Given the current situation surrounding data protection regulations of Vietnam, there might be many subsequent changes to adopt to bring it up to the international level and enhance legal enforcement. It is therefore advisable to keep track of any updates on the regulations on data protection and actively contact, report, and request help from authorities (such as the Ministry of Public Security or the Ministry of Information and Communication of Vietnam) if there is an incident.