Notice: Temporary Pause on December News Briefings – Returning December 30, 2024
Dear Readers, We regret to inform you that due to an operational adjustment impacting our human resources, The Vietnamese Magazine
This article was written in Vietnamese by Trinh Huu Long and previously published in Luat Khoa Magazine on February 18, 2021. The translation was done by the author.
It’s been almost three years since Vietnam’s National Assembly passed the highly controversial Cybersecurity Law. No guidance on the law’s implementation has been given as the central government usually does in the case of decrees, circulars, and decisions.
A draft decree was made available to the public for comments back at the end of 2018, but it quickly disappeared after receiving huge backlash from domestic and international actors.
Earlier this month, the Ministry of Public Security’s website announced another draft decree which was to address personal data protection.
You can find the full text of this document in Vietnamese here (Google Drive link). The draft decree is available for public consultation from February 9 to April 9.
We have taken a look at the text and below are nine takeaways.
The draft decree categorizes personal data as two types: basic and sensitive.
Basic personal data includes information about personal identification, such as name, date of birth, place of birth, address, nationality, ethnicity, marital status, and ID number. One thing, however, is unclear: “data containing online activities and history.”
Sensitive personal data includes political and religious opinions; health, genes, sex, biometrics; finances; sexual life; residence; social networking; and others.
Individuals have a wide range of rights regarding their personal data as follows:
According to Article 10, all personal data, regardless of being basic or sensitive, is subject to being processed (collection, storing, and use) without consent in the following circumstances:
The last circumstance, “other circumstances according to the law,” is a loophole that is widely used in the legal system of Vietnam to give the government’s executive branch, especially ministries, an almost unlimited ability to interpret laws and regulations using circulars and executive decisions.
According to the draft decree, the owners of personal data are normally informed should their data be processed by government agencies or other legal actors.
However, there are three exceptions to the rule, and the most concerning is the second one (Item b, Section 3, Article 11): “In case the processing of personal data is constituted by the law, international agreements, and international treaties.”
This is another loophole in an important matter relating to the transparency of personal data processing.
A new government agency called the Committee on Personal Data Protection is going to be established. It will be set up under the central administration.
The Ministry of Public Security (MPS) can appoint no more than six members to the Committee upon the cabinet’s approval.
The Committee is closely tied to the MPS Department of Cybersecurity and Hi-Tech Crimes Prevention as it is headquartered at the department and chaired by the department’s head officer.
Article 20 requires that parties who want to process sensitive personal data must register with the Committee on Personal Data Protection.
However, the Article excludes activities by government agencies relating to law enforcement, judicial procedures, heath, social security, and scientific research. That means these agencies don’t need to register. Also, the Article leaves another loophole for other authorities to exploit by attaching a clause saying “other activities according to the law.”
What remains after excluding the above-mentioned government agencies? Enterprises and non-governmental organizations, both domestic and international ones. Services such as social media, banking, and healthcare must register with the Committee.
This is directly related to foreign services operating in Vietnam or domestic services operating in other countries, especially technology companies.
Article 21 states that four conditions must be met before a party can make a cross-border transfer of personal data:
The second and third conditions can be waived should the data processing party provide statements regarding their commitment on protecting the data.
The data processing party must archive records of data transferring within three years, and stop transmitting data should data leaks or abuses occur, or should they no longer have sufficient capacity to protect the data, or the data owner is incapable/ having difficulties protecting his/her rights and interests.
The Committee on Personal Data Protection will routinely inspect data transmitting parties once a year.
The requirement of storing data’s original copy in Vietnam will likely make it a bit more difficult for foreign social networks, email services, and e-commerce activities to operate in Vietnam. According to Google expert Duong Ngoc Thai, Facebook is unlikely to store users’ personal data in Vietnam but rather just cache data to make access to its services faster.
Those who violate the regulations on personal data protection are subject to fines of 50 million dong or 5 percent of their total revenue in the Vietnam market.
Simultaneously, violators can also be banned from processing personal data for 1 to 3 months and may have their data processing licenses revoked.
If not allowed to collect, store and use users’ personal data, online services will probably not be able to function the way they do currently.
The decree doesn’t specify how the government can prohibit online services from processing personal data, but the Cybersecurity Law provides the government with the authority to order the telecommunications companies to block services and sources of information that are deemed to be harmful to society.
The draft decree is expected to take effect on December 1, 2021, as stated in the document.
Vietnam's independent news and analyses, right in your inbox.