Global entities find it difficult to adapt their privacy programs to Vietnam with its unconventional piecemeal approach to data protection.
The General Data Protection Regulation (Regulation (EU) 2016/679 (“GDPR”), which was adopted by the European Parliament in 2016 to replace regulations that dated from 1995, has resulted in a huge reconfiguration of data protection in the EU. In the process it has created a global standard for data protection and privacy. There has been a long effort from international businesses which operate in Vietnam to create or deploy a personal information protection program that complies with both the GDPR and with the data protection and privacy rules of Vietnam. Businesses have had difficulties in doing so:
- the rules for protection of data and privacy in Vietnam are included in several uncoordinated
sectoral laws; and
- the regulations to protect personal data are incomplete and are still being developed.
Lack of a national framework for data protection and privacy
Vietnam does not have a national data protection law. The general requirements for data protection can be found in Law No. 86/2015/QH13 on Cyberinformation Security dated 19 November 2015 (“the Law on Cyberinformation Security”) and Law No. 24/2018/QH14 on Cybersecurity dated 12 June 2018 (“the Cybersecurity Law”). However, confusion arises because uncoordinated rules on data protection are included in various sectoral laws, including employment, medical treatment, and many more.
The rules on data protection in the sectoral laws mostly conform with those in the Law on Cyberinformation Security. However, there are often additional requirements or conditions that are specific to that sector. Unless corrected, this will affect implementation of a uniform personal information protection program intended to encompass all sectors.
For example, personal information and information that involves the health of a patient cannot be shared or used without the consent of the patient. But there are exceptions. Law No. 40/2009/QH12 on Medical Examination and Treatment provides that in cases where sharing information may improve the quality of the diagnosis, care, and treatment of a patient, then information can be shared among practitioners who treat the patient. Rules like these need to be reconciled.
Regulations to protect personal data are being developed
In February 2021, the Ministry of Public Security (“MPS”) published a draft decree (“the Draft Decree”) on protection of personal data, intended as a general framework to protect personal data. Following the Draft Decree, it was planned that a Law on Personal Data Protection would be formulated in 2024.
A certain level of ambiguity in over-arching laws exists in many sectors and this is common in Vietnam. For example, the law states broad principles, and the Government is expected to address ambiguity with implementing decrees and circulars. However, often it takes a long time before the Government finalizes guidance to implement and enforce, and some ambiguity may remain. For example, two years after adoption of the Law on Cybersecurity, a decree with guidance on data localization is not yet in place. Given that some of the requirements of the Draft Decree are being challenged/pushed back by the business community, there is speculation that the Government may adopt a Law on Personal Data Protection with broad principles instead of the more granular Draft Decree. We believe, however, that such a development has a low probability.
Many issues will remain, even after the Draft Decree on protection of personal data comes into effect. Protection of personal data which is in the possession of entities located in Vietnam is relatively easier to manage. But it is less clear how the Government will enforce sanctions against an offshore entity which controls personal data in Vietnam. Indirect methods may be relied upon. In the Draft Decree sanctions for violation of data protection can reach 5% of the revenue of a business. This may provide an incentive to self-enforce. But the path to enforce protection of personal data in Vietnam by offshore entities remains open.
This article appeared in DataGuidance in July 2021, with the title “Difficulties in creating a privacy program in Vietnam”. It also appeared in Mondaq in August 2022.