Vietnam

Vietnam has taken large steps to improve its cybersecurity and data protection. The task is not over, and the steps are controversial.

Vietnam has taken large steps to improve its cybersecurity and data protection. The task is not over, and the steps are controversial.

Cybersecurity and data protection are governed by the Cybersecurity Law, the Law on Network Information Security (LNIS) and the Law on Information Technology (LIT), with the former two more relevant to cybersecurity and protection of data.

Unclear and Confusing Environment

Since the Cybersecurity Law came into effect in 2019, there has been an ongoing conversation largely opposing the requirement of data localization, that offshore entities must have a local presence and the government’s ability to censor “inappropriate” Internet content. Strict enforcement, it is feared, will disrupt the continuous flow of data, so crucial for commercial development.

However, the government has not clarified or even enforced the law yet. Business continues to operate in the shadow of the law while awaiting guidance. The circumstances are further clouded by the broad language of the law. But lack of clarity and selective enforcement are not new in Vietnam, and they often serve the government’s purpose of indirect control.

For businesses, this means past practices in a lightly-regulated environment can be voluntarily and incrementally modified. But with no detail, this is unlikely. The muddled situation may soon change. The past 12 months has seen active development of new draft legislation to clarify the current law but also focus on implementation and enforcement of current requirements.

Recent Developments in Cybersecurity Legislation

In early 2020, the Ministry of Information and Communications (MIC) proposed to amend Government Decree No. 72/2013 on the provision, management and use of services and information on the Internet. The draft regulations introduced a host of new and compulsory licenses and requirements for content management, social networks and application distribution platforms. Later in 2020, the MIC proposed to amend Decree No. 181/2013 to regulate cross-border advertising services.

These drafts drew much criticism from the business community. In a letter to the MIC, the Asia Internet Coalition said some of the new requirements are “impossible or unduly onerous to comply with,” are “discriminatory against foreign organizations and individuals” and violate Vietnam’s national treatment obligations in WTO and CPTPP commitments. These drafts represent the government’s focus on gaining control, ensuring the security of Vietnam’s cyberspace and enhancing the overall technical capabilities of its cyberinfrastructure. However, businesses depend on the free flow of information and their voices cannot be ignored.

Sweeping Changes in the Protection of Personal Data

Meanwhile, the Ministry of Public Security is drafting a decree to deepen the protection of personal data (PDPD). The decree will extend the scope of what it means to “process personal data” to cover “collection, recording, analysis, storage, alteration, disclosure, grant of access, retrieval, recovery, encryption, decryption, copy, transfer, deletion and destruction of personal data or other related actions.”

The PDPD would also separate personal data into “basic personal data” and “sensitive personal data.” Processing sensitive personal data will be subject to additional requirements. The overall principle of PDPD is “privacy by design,” which requires companies and individuals to integrate the security of personal data into their core systems. Of some relief, the regulations of the PDPD are broadly based on the principles of the EU’s General Data Protection Regulation (GDPR). Companies that have already adopted or are guided by GDPR standards will be prepared to adapt to the PDPD.

Conclusion

Over the past few years, few cases have resulted in penalties for violating existing personal data and cybersecurity standards. However, the government has also slowly introduced an enforcement regime for the violation of rules on the protection of personal data and on cybersecurity. This includes administrative sanctions and, in extreme cases, authority to revoke the company’s right to process data.

Will the government actively enforce its regulations? We do not know. But controlling conduct through a threat of enforcement is often a conscious government strategy. In theory, companies are motivated to comply and the government is motivated to ignore violations that are not flagrant.

In the end, businesses must prepare to move from the previous lightly-regulated legislative landscape of cybersecurity and privacy to a more vigorous environment.


 

Disclaimer: All views are personal and do not reflect that of the organization. The views shared are not intended for any legal advice and are for general information and education purposes only.


 

LTViet_portraitLe Ton Viet

LTViet@russinvecchi.com.vn

Viet is a member of the Asia Data Protection & Security Practice
Group of Meritas. He has a particular focus on data security,
marketing and advertising practices, international data transfer
and other privacy and cybersecurity matters. He counsels a broad
range of clients on data privacy regulation and breach response.
Additionally, he represents clients in various transactions in
the field of hotel management, real estate and insurance.

Russin&Vecchi

Russin & Vecchi
russinvecchi.com.vn
Vietcombank Tower 5 Me Linh Square Ho Chi Minh City, Vietnam

 

* This article was first published in the October 2021 issue of the IHC Magazine. You can read/download the magazine here.

IHC-Magazine for LinkedIn 211020a

 

Latest Updates
Related Articles
Related Articles by Jurisdiction
Opening the doors to investment in Vietnam
Vietnam has made considerable progress in recent years to make the country a more attractive investment destination, confirm partner Giles Cooper and special counsel Mark Oakley of Duane Morris Vietnam LLC, yet there is still work ...
Navigating a shifting landscape
In the ongoing transformation of Asian capital markets, money flows are changing direction and new industries are rising across the region. But Hong Kong and Singapore regulators still set the pace, reports Eric J. Brooks.
Brave new worlds
Asia’s emerging economies continue to play bigger roles on our increasingly integrated world stage. Melinda Finch investigates the rising stars of India, Indonesia, Malaysia and Vietnam and considers the impact of their ascension on the legal industry.
Latest Articles