Vietnam has taken large steps to improve its cybersecurity and data protection. The task is not over, and the steps are controversial.
Cybersecurity and data protection are governed by the Cybersecurity Law, the Law on Network Information Security (LNIS) and the Law on Information Technology (LIT), with the first two more relevant to cybersecurity and the protection of data.
Unclear and Confusing Environment
Since the Cybersecurity Law came into effect in 2019, there has been an ongoing conversation largely opposing the data localization requirement, the requirement that offshore entities have a local presence, and the government’s ability to censor “inappropriate” Internet content. Strict enforcement, it is feared, will disrupt the continuous flow of data, so crucial for commercial development.
However, the government has not clarified or even enforced the law yet. Business continues to operate in the shadow of the law while awaiting guidance. The circumstances are further clouded by the broad language of the law. But lack of clarity and selective enforcement are not new in Vietnam, and they often serve the government’s purpose of indirect control.
For businesses, this means past practices in a lightly-regulated environment can be voluntarily and incrementally modified. But with no detail, this is unlikely. The muddled situation may soon change. The past 12 months have seen active development of new draft legislation that aims to clarify the current law and also focuses on implementation and enforcement of current requirements.
Recent Developments in Cybersecurity Legislation
In early 2020, the Ministry of Information and Communications (MIC) proposed to amend Government Decree No. 72/2013 on the provision, management and use of services and information on the Internet. The draft regulations introduced a host of new and compulsory licenses and requirements for content management, social networks and application distribution platforms. Later in 2020, the MIC proposed to amend Decree No. 181/2013 to regulate cross-border advertising services.
These drafts drew much criticism from the business community. In a letter to the MIC, the Asia Internet Coalition said some of the new requirements are “impossible or unduly onerous to comply with,” are “discriminatory against foreign organizations and individuals” and violate Vietnam’s national treatment obligations in WTO and CPTPP commitments. These drafts represent the government’s focus on gaining control, ensuring the security of Vietnam’s cyberspace and enhancing the overall technical capabilities of its cyberinfrastructure. However, businesses depend on the free flow of information and their voices cannot be ignored.
Sweeping Changes in the Protection of Personal Data
Meanwhile, the Ministry of Public Security is drafting a decree to deepen the protection of personal data (PDPD). The decree will extend the scope of what it means to “process personal data” to cover “collection, recording, analysis, storage, alteration, disclosure, grant of access, retrieval, recovery, encryption, decryption, copy, transfer, deletion and destruction of personal data or other related actions.”
The PDPD would also separate personal data into “basic personal data” and “sensitive personal data.” Processing sensitive personal data will be subject to additional requirements. The overall principle of PDPD is “privacy by design,” which requires companies and individuals to integrate the security of personal data into their core systems. Of some relief, the regulations of the PDPD are broadly based on the principles of the EU’s General Data Protection Regulation (GDPR). Companies that have already adopted or are guided by GDPR standards will be prepared to adapt to the PDPD.
Over the past few years, few cases have resulted in penalties for violating existing personal data and cybersecurity standards. However, the government has also slowly introduced an enforcement regime for the violation of rules on the protection of personal data and on cybersecurity. This includes administrative sanctions and, in extreme cases, authority to revoke the company’s right to process data.
Will the government actively enforce its regulations? We do not know. But controlling conduct through a threat of enforcement is often a conscious government strategy. In theory, companies are motivated to comply and the government is motivated to ignore violations that are not flagrant.
In the end, businesses must prepare to move from the previous lightly-regulated legislative landscape of cybersecurity and privacy to a more vigorous environment.
Disclaimer: All views are personal and do not reflect those of the organization. The views shared are not intended as legal advice and are for general information and education purposes only.
Le Ton Viet
Viet is a member of the Asia Data Protection & Security Practice
Russin & Vecchi
Vietcombank Tower 5 Me Linh Square Ho Chi Minh City, Vietnam
* This article was first published in the October 2021 issue of the IHC Magazine.