Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020


Screenshot 2020-11-19 at 4.41.08 PM

Screenshot 2020-11-19 at 12.17.54 PM


By Sungdo Choi and Ha Thi Tinh, Yoon & Yang



Industry 4.0 era with the rapid growth of advanced technologies and smart digital devices has facilitated the advent of the ‘untact’ (ie, non-contact’) business which requires less in-person interaction. Although the untact business brings huge conveniences in sharing of and access to information, time-saving services and free-distance connection, it has entailed the issue of how to protect personal data and ensure cyber-information security. Most of online service users express their concern about unauthorised disclosure of their personal data and cyber-attacks while using online services.

The Constitution of Vietnam and the Civil Code recognise the inviolable right to personal data protection, and declare principles on protection of private life, personal privacy, family privacy and private communication. However, technical and legal framework designed to ensure prevention of unforeseen, unintended or malevolent use of personal data appears retarded to provide sufficient protection, mainly due to the fact that legal frameworks normally lag behind economic realities.

Screenshot 2020-11-19 at 4.45.11 PM

There are a number of laws and regulations having provisions to protect personal data privacy. These laws include Law on Cyber Information Security, Law on Cyber Security, Law on Information Technology, Law on Electronic Transactions, Law on Consumer Rights Protection, etc. These laws provide regulations on rights of the data subject to store, check, correct or erase personal information in a network environment, security requirements for data processing, obligations of data processors, responsibility of regulatory authorities, exemptions from the data protection rules, and measures required to be taken to protect cyber security. However, the application of these rules in practice is not always clear.

With the increasing number of personal data leakage cases being reported, the goal of the Vietnam Government to develop a more comprehensive legal framework in respect of data protection is explicitly expressed in Resolution of Government No.138/NQ-CP dated 29 September 2020 which approves the proposal of Ministry of Public Security to prepare a Decree on data protection. Accordingly, the proposed Decree will be submitted to Government for review by 1st Quarter of 2021.

Screenshot 2020-11-19 at 4.45.34 PM

The most updated proposed Decree consists of eight (8) chapters, while the specific contents of each chapter and articles have yet to be prepared. The proposed Decree sets out the seven (07) principles of personal data protection, specifically as follows:

  1. Principle of Lawfulness: Personal data shall be lawfully collected.
  2. Principle of Purpose: Personal data shall be collected for the limited purposes as consented or registered
  3. Principle of Simplification: Personal data shall be collected only to the extent of such amount as is necessary to serve for a pre-determined purpose
  4. Principle of Restricted Use: Personal data shall be used only after obtaining the data subject’s consent or at the request of competent authorities
  5. Principle of Data Quality: Personal data shall be updated as sufficient and necessary to serve the purpose of processing such data
  6. Principle of Security: Security measures shall be applied to protect personal data
  7. Principle of Individuality: The data subject shall be notified of all activities pertaining to their personal data

Non-compliance with the data protection laws can be subject to both administrative sanctions and criminal sanctions under the current laws. Penal Code regulates the criminal sanctions on infringement upon secret information, mail, telephone, telegraph privacy, or other means of private information exchange and illegal provision or use of information on computer networks or telecommunications networks. The administrative sanctions spread across various legal documents depending on the nature of the violation. For example, Decree 15/2020/ND-CP regulates monetary sanctions imposed to violations against regulations on cyber information security, and Decree 185/2013/ND-CP regulates monetary sanctions imposed on violation of consumer rights in e-commerce activities. The proposed Decree shall have one chapter which covers a sanction imposed on violation of personal data protection.

At present, many countries have been suffering the outbreak of Covid-19 pandemic, and untact business would become more indispensable to sustain economic activities and to aid economic recovery. Daily operations have been transforming from offline to online and companies have been utilising cyber space in an alternative way to serve their customers. Obviously, the untact business model will continue to develop even after the pandemic finally ends, and legal frameworks for privacy protection and cyber-attacks are expected to continuously evolve with the increasing use of online services.



Screenshot 2020-11-19 at 3.15.16 PM




Official Publication: Asian-mena CounselClick Here to read the full issue of Asian-mena Counsel: Data + Cyber Security Special Report 2020.


Related Articles by Firm
Amendments to three data privacy laws in Korea and the implications
By Kwang-Wook Lee, Helen H. Hwang, Chulgun Lim and Keun Woo Lee of Yoon & Yang ...
Webinar: Debt Financing – Structure and Regulation of Domestic and Foreign Loans in Vietnam
A recording of the presentation by Ji Hoon Cha and Ha Thi Tinh from Yoon & Yang Law (Vietnam) LLC made during In-House Community eCongress Vietnam ...
Yoon & Yang opens Ho Chi Minh City office
Yoon & Yang is opening an office in Vietnam, in the heart of Ho Chi Minh City’s central business district. ...
Recent examples of consent decrees in Korea and their implications
Despite an animated exchange of opinions regarding consent decrees since their introduction in Korea in 2011, expect the system to be used more actively in the future as companies have begun to view it as a viable way to resolve free-trade ...
Regulation of personal information in new fields
Focussing on topics such as big data, cloud computing and healthcare, Wonil Kim, Kwang-Wook Lee and Ji Hye Seol of Yoon & Yang examine how new technologies will affect personal information regulation in South Korea.
Related Articles
Related Articles by Jurisdiction
Reform of regulations on private issuance of corporate bonds in Vietnam
One of the most notable points under Decree 163 is that the requisite conditions for issuing corporate bonds have been significantly liberalised ...
Guidelines for food safety rules further streamlining administrative procedures
On February 2, 2018, the government promulgated Decree No. 15/2018/ND-CP guiding some articles of the Law on Food Safety 2010 (Decree 15) ...
E-commerce in Vietnam
Vietnam has been ranked 15th for Internet users internationally, however only 20 percent of those users in Hanoi and Ho Chi Minh City use the internet for online shopping1. The Vietnam E-Commerce and …
Latest Articles