Vietnam: Difficulties in creating a privacy program in Vietnam

With an unconventional piecemeal approach to data protection, global organisations may find it difficult to adapt their privacy programs to the Vietnamese framework. Le Ton Viet, Associate at Russin & Vecchi, discusses this area and its future.


The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), which was adopted by the European Parliament in 2016 to replace regulations that date from 1995, has resulted in a huge shake-up in data protection in the EU and has created a global standard for data protection and privacy. There have been tremendous efforts from international businesses operating in Vietnam or providing services to Vietnam to create or deploy a personal information protection program that complies with both the GDPR and with the data protection and privacy rules of Vietnam. Businesses have had the following difficulties in doing so:

  • the rules for protection of data and privacy in Vietnam are included in several uncoordinated sectoral laws; and
  • the regulations to protect personal data are incomplete and are still being developed.

Lack of a national framework for data protection and privacy

Vietnam does not have a national data protection law. The general requirements for data protection can be found in Law No. 86/2015/QH13 on Cyberinformation Security dated 19 November 2015 ('the Law on Cyberinformation Security') and Law No. 24/2018/QH14 on Cybersecurity dated 12 June 2018 ('the Cybersecurity Law'). However, confusion arises because rules on data protection are included in various sectoral laws, including employment, medical treatment, and many more.

The rules on data protection in the sectoral laws mostly conform with those in the Law on Cyberinformation Security. However, there are often additional requirements or conditions that are specific to that business sector. Unless corrected, this could affect implementation of a uniform personal information protection program intended to encompass all sectors.

For example, personal information and information that involves the health of a patient cannot be shared or used without the consent of the patient. But there are exceptions. Law No. 40/2009/QH12 on Medical Examination and Treatment provides that in cases where sharing information may improve the quality of the diagnosis, care, and treatment of a patient, then information can be shared among practitioners who treat the patient.

Regulations to protect personal data are being developed

In February 2021, the Ministry of Public Security ('MPS') published a draft decree ('the Draft Decree') on protection of personal data. The decree is intended as a general framework to protect personal data. The MPS has invited the public to comment, with the objective of improving the draft. The decree is scheduled to become effective near the end of 2021.

The Draft Decree will provide details and seek to address various ambiguous regulations that have been in place since the Law on Cyberinformation Security was promulgated in 2015. For example, currently, in order to process personal data, a data processor is required to: (i) obtain consent, (ii) publish its privacy policy, and (iii) implement appropriate measures to protect personal data. However, the Law on Cyberinformation Security does not elaborate on what constitutes consent or a privacy policy, nor are there appropriate implementing measures in place. As such, one practice is for a business to adopt international standards of data protection. However, while such standards are high, they do not have the force of law. Naturally, such ambiguity and generality create uncertainty. Currently, businesses can easily comply with the laws by following the three steps above. But eventually, we believe the Government will follow the path of the GDPR and impose more specific requirements. If so, this will dramatically increase the level of protection and will add complexity to the steps necessary to comply.

A certain level of ambiguity in the over-arching law exists in many sectors and this is common in Vietnam. For example, the law states broad principles, and the Government tries to address ambiguity with implementing decrees and circulars. However, it may be a long time before the Government finalises guidance for implementation and enforcement, and some ambiguity may remain. For example, two years after adoption of the Law on Cybersecurity, a decree with guidance on data localisation is not yet in place. Because the rights and requirements of the Government are made clear in the law, businesses are expected to begin to align with the Government in anticipation of comprehensive regulations. This is probably an unrealistic expectation.

However, many issues will remain even once the Draft Decree on protection of personal data comes into effect, as expected at the end of this year. Protection of personal data which is in the possession of entities located in Vietnam is relatively easy to manage. But it is less clear how the Government will enforce its sanctions against an offshore entity which controls personal data in Vietnam. Indirect methods may be relied upon. Sanctions for violation of data protection in the Draft Decree can reach 5% of the revenue of a business. This may provide an incentive to self-enforce. But the path for enforcement against offshore entities that control personal data in Vietnam remains open.

Le Ton Viet, Associate
Russin & Vecchi, Hanoi