Global entities find it difficult to adapt their privacy programs to Vietnam with its unconventional piecemeal approach to data protection.
The General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), which was adopted by the European Parliament in 2016 to replace regulations that dated from 1995, has resulted in a huge reconfiguration of data protection in the EU. In the process it has created a global standard for data protection and privacy. International businesses which operate in Vietnam have long tried to create or deploy a personal information protection program that complies with both the GDPR and the data protection and privacy rules of Vietnam. Businesses have had difficulties in doing so:
- the rules for protection of data and privacy in Vietnam are included in several uncoordinated sectoral laws; and
- the regulations to protect personal data are incomplete and are still being developed.
Lack of a national framework for data protection and privacy
Vietnam does not have a national data protection law. The general requirements for data protection can be found in Law No. 86/2015/QH13 on Cyberinformation Security dated 19 November 2015 ("the Law on Cyberinformation Security") and Law No. 24/2018/QH14 on Cybersecurity dated 12 June 2018 ("the Cybersecurity Law"). However, confusion arises because uncoordinated rules on data protection are included in various sectoral laws, including employment, medical treatment, and many more.
The rules on data protection in the sectoral laws mostly conform with those in the Law on Cyberinformation Security. However, there are often additional requirements or conditions that are specific to that sector. Unless corrected, this will affect implementation of a uniform personal information protection program intended to encompass all sectors.
For example, personal information and information that involves the health of a patient cannot be shared or used without the consent of the patient. But there are exceptions. Law No. 40/2009/QH12 on Medical Examination and Treatment provides that in cases where sharing information may improve the quality of the diagnosis, care, and treatment of a patient, then information can be shared among practitioners who treat the patient. Rules like these need to be reconciled.
Regulations to protect personal data are being developed
In February 2021, the Ministry of Public Security ("MPS") published a draft decree ("the Draft Decree") on protection of personal data, intended as a general framework to protect personal data. Following the Draft Decree, it was planned that a Law on Personal Data Protection would be formulated in 2024.
The Draft Decree provides details and seeks to address various ambiguous regulations that have been in place since the Law on Cyberinformation Security was promulgated in 2015. For example, to process personal data, a data processor is currently required to: (i) obtain consent, (ii) publish its privacy policy, and (iii) implement appropriate measures to protect personal data. However, the Law on Cyberinformation Security does not elaborate on what constitutes consent or a privacy policy, nor are there appropriate implementing measures in place. The standards of the Draft Decree are high. But the current ambiguity and generality create uncertainty. For now, businesses can easily comply with the laws by following the three steps above, but eventually, we believe, the Government will follow the path of the GDPR and impose more specific requirements. If so, this will dramatically increase the level of protection and will add complexity to the steps necessary to comply.
A certain level of ambiguity in over-arching laws exists in many sectors and this is common in Vietnam. Typically, the law states broad principles, and the Government is expected to address ambiguity with implementing decrees and circulars. However, it often takes a long time before the Government finalizes guidance to implement and enforce, and some ambiguity may remain. For example, two years after adoption of the Law on Cybersecurity, a decree with guidance on data localization is not yet in place. Given that some of the requirements of the Draft Decree are being challenged by the business community, there is speculation that the Government may adopt a Law on Personal Data Protection with broad principles instead of the more granular Draft Decree. We believe, however, that such a development has a low probability.
Many issues will remain, even after the Draft Decree on protection of personal data comes into effect. Protection of personal data which is in the possession of entities located in Vietnam is relatively easy to manage. But it is less clear how the Government will enforce sanctions against an offshore entity which controls personal data in Vietnam. Indirect methods may be relied upon. In the Draft Decree, sanctions for violation of data protection can reach 5% of the revenue of a business. This may provide an incentive to self-enforce. But the path to enforce protection of personal data in Vietnam by offshore entities remains open.
Originally published by DataGuidance in July 2021, with the title "Difficulties in creating a privacy program in Vietnam".