Vietnam has taken large steps to improve its cybersecurity and data protection. The task is not over, and the steps are controversial. Cybersecurity and data protection are governed by the Cybersecurity Law, the Law on Network Information Security (“LNIS”) and the Law on Information Technology (“LIT”), with the first two more relevant to cybersecurity and protection of data.
The Current Unclear and Confusing Environment
Since the Cybersecurity Law came into effect in 2019, there has been an ongoing conversation largely opposing the requirement of data localization, the requirement that offshore entities must have a local presence, and the Government’s ability to censor ‘inappropriate’ Internet content. Strict enforcement, it is feared, will disrupt the continuous flow of data, so crucial for commercial development.
While this conversation has gone on, the Government has not taken any real steps to provide clarification or even to enforce the Law. Business continues to operate in the shadow of the Law, while awaiting further guidance. The circumstances are further clouded by the fact that the language of the Law is broad, and there is no guidance. But lack of clarity and selective enforcement are not new in Vietnam, and they often serve the Government’s purpose of indirect control.
For businesses, this means that past practices in a lightly regulated environment can be voluntarily and incrementally modified over time. But with no detail, this is unlikely. The muddled situation may soon change. The past year has seen active development of new implementing draft legislation, which would clarify current law but also focus on implementation and enforcement of current requirements.
Recent Developments In Cybersecurity Legislation
In early 2020, the Ministry of Information and Communications (“MIC”) proposed to amend Government Decree No. 72/2013 on the provision, management, and use of services and information on the Internet. The draft regulations introduced a host of new and compulsory licenses and requirements for content management, social networks and application distribution platforms. Further, in the second half of 2020, the MIC proposed to amend Decree No. 181/2013. These amendments would regulate cross-border advertising services.
These drafts have drawn much criticism from the business community. In a letter to the MIC, the Asia Internet Coalition stated that some of the new requirements are ‘impossible or unduly onerous to comply with’, are ‘discriminatory against foreign organisations and individuals’ and are in violation of the national treatment obligations in Vietnam’s WTO and CPTPP commitments. These drafts represent the Government’s focus on gaining control, ensuring the security of Vietnam’s cyberspace, and enhancing the overall technical capabilities of Vietnam’s cyberinfrastructure. However, the voice of businesses that depend on the free flow of information cannot be ignored. Their views, it would seem, will need somehow to be taken into account.
Sweeping Changes in the Protection of Personal Data
Much more is going on. At the same time, the Ministry of Public Security is drafting a decree to deepen the protection of personal data (“PDPD”). The decree will extend the scope of what it means to ‘process personal data’ to cover “collection, recording, analysis, storage, alteration, disclosure, grant of access, retrieval, recovery, encryption, decryption, copy, transfer, deletion, and destruction of personal data or other related actions”.
The PDPD would also separate personal data into ‘basic personal data’ and ‘sensitive personal data’. Processing sensitive personal data will be subject to additional requirements. The overall principle of the PDPD is ‘privacy by design’, which requires companies and individuals proactively to integrate the security of personal data into their core systems. Of some relief, the regulations of the PDPD are broadly based on the principles of the EU’s General Data Protection Regulation (“GDPR”). Companies that have adopted or seek to be guided by the standards established by the GDPR will likely be prepared to adapt to the PDPD.
Conclusion
During the past few years, there have been very few cases in which penalties were imposed for violations of existing personal data and cybersecurity standards. However, these years have witnessed the Government’s slow introduction of an enforcement regime for the violation of rules on the protection of personal data and on cybersecurity. It includes administrative sanctions and, in extreme cases, authority to revoke the company’s right to process data.
Will the Government actively enforce its regulations? We do not know, but as we mentioned above, controlling conduct through threat of enforcement is often a conscious Government strategy. The theory is that companies are motivated to comply and the Government is motivated to ignore violations that are not flagrant.
In the end, businesses must be prepared to move from the previous lightly regulated legislative landscape of cybersecurity and privacy to a more vigorous environment.