If privacy is related to a “network environment” (such as telecom networks, the internet, computer networks, or databases), the privacy issues are generally governed by the Law on Information Technology, Law on Network Information Security, and Law on Cybersecurity. 

Note: The right to privacy and confidentiality of information is a fundamental right recognized by the Constitution of Vietnam. Currently, there is no single comprehensive law governing the collection, storage and use of personal data in Vietnam. Vietnam’s data protection laws are scattered throughout different pieces of legislation. These include the Civil Code, Penal Code, Law on Network Security (“LNIS”), Law on Cybersecurity, Law on Information Technology (“IT Law”), Law on Telecommunications, Law on Consumer Protection, Law on E-Transactions, Decree 52 on E-commerce, Decree 91 on Anti-Spam Messages, Emails and Calls, and Decree 72 on Internet Services and Online Information.

The IT Law, LNIS, and Law on Cybersecurity generally govern privacy issues in a “network environment” such as telecom networks, the internet, computer networks, and databases.

It is also important to note that Vietnam is in the process of reforming its data protection regime under the Draft Decree on Personal Data Protection (“Draft PDPD”), which is anticipated to be completed within 2022. Major changes will happen to the current data protection regime once this new PDPD takes effect, including the requirement of regulatory approval for the processing of sensitive personal data and cross-border transfer of personal data from the Personal Data Protection Committee (“PDPC”), a data protection authority to be established under the Draft PDPD. The PDPC is an organization directly affiliated with the Government, based at the Department of Cyber Security and High-Tech Crime Prevention and Control under the Ministry of Public Security (“MPS”).

Generally, personal information is protected. However, the definition of personal information is problematic as it may include any “information that an individual wishes to keep confidential.” 

Note: In general, data about the private life and personal information of an individual is protected. However, in the consumer protection context, the law is more stringent than in other privacy laws in that it not only protects the personal information of consumers, but it also protects any information about consumers.

“Personal information” is broadly defined in different pieces of legislation, generally to be information contributing to identifying a particular individual, such as the individual’s name, date of birth, home address, phone number, medical information, ID card number, social insurance card number, and credit or debit card numbers; information on personal payment transactions; and “other information that the individual wishes to keep confidential,” a phrase that is problematic in that it seems to give complete subjective discretion to the owners of the information to determine what is considered “personal information.”

The definition of “personal information/data”, however, is set out in more specific detail under the Draft PDPD. Specifically, beside restating that “personal data” means data about individuals or relating to the identification or ability to identify a particular individual, the Draft PDPD newly classifies “personal data” into two categories of “basic personal data” and “sensitive personal data”. Basic personal data includes information such as name, date of birth, gender, nationality, phone number, ID card, etc. Sensitive personal data would include information on political and religious views, sexual orientation, criminal records, financial data, or location data, to name a few.

While the basic condition regarding prior consent from the data subject is applied to both kinds of personal data, the processing of sensitive personal data requires a new additional condition, which is the approval of the PDPC.

In general, both Vietnamese and foreign agencies, organizations and individuals directly involved in or related to privacy activities in Vietnam are subject to the privacy obligations under Vietnamese law. 

Note: The data protection laws mentioned above are very broadly worded and there is little limitation on their application. In general, privacy laws apply to a large number of organizations or individuals. In other words, it is not difficult to find a “jurisdictional hook.” For example: 

• The LNIS applies to Vietnamese agencies, organizations, and individuals and foreign organizations and individuals directly involved in or related to cyber-information security activities in Vietnam.
• The IT Law applies to Vietnamese and foreign organizations and individuals engaged in information technology application and development activities in Vietnam.
• The Law on Cybersecurity applies to organizations and individuals having activities in cyberspace, which impact national security and public order. Unlike other laws, the Law on Cybersecurity notably does not limit its scope to “in Vietnam.”
• Decree 52 on E-commerce applies to traders, organizations and individuals engaged in e-commerce activities in the territory of Vietnam, including (a) Vietnamese traders, organizations, and individuals; (b) foreign individuals residing in Vietnam; and (c) foreign traders and organizations present in Vietnam through investment operations, the establishment of branches and representative offices, or websites with Vietnamese domain names. 
• Decree 72 on Internet Services and Online Information applies to Vietnamese and foreign organizations and individuals engaged in or related to the management, provision, and use of internet services, online information, and online games, and assurance of information security. Note that Decree 72 does not have the limiting language “in Vietnam” that the other laws have.

In general, the collection, storage, use, processing, publication, disclosure, or transfer of information or materials related to personal information of an individual must be consented to by that person. In addition, a privacy notice having details in accordance with the law must also be provided to such person in advance. Under the Draft PDPD, processing of sensitive personal data is also subject to regulatory approval. 

Note: In general, the collection, storage, use, processing, publication, disclosure, or transfer of information or materials related to personal information of an individual must be consented to by that person, unless otherwise stipulated by law.

If the personal information is collected, processed, or used in a network environment (including telecom networks, the internet, computer networks, and databases), any organizations and individuals collecting, processing, and using such personal information of another person additionally have the following responsibilities:

• To notify such person of the form, scope, place, and purpose of the collection, processing, and use of his or her personal information.
• To use the collected personal information for proper purposes and to store such information only for a certain period as stipulated by law or as agreed upon by the two parties.
• To take necessary managerial or technical measures to ensure that personal information is not lost, stolen, disclosed, modified, or destroyed.
• To immediately take necessary measures upon receipt of a request for re-examination, correction, or deletion from the data subject; and not to supply or use the relevant personal information until such information is corrected.

Organizations and individuals are entitled to collect, process, and use personal information of another person without the consent of the latter in a case where such personal information is used for the following purposes:

• Signing, modifying or performing contracts for use of information, products, or services in the network environment.
• Pricing or calculating charges for use of information, products, or services in the network environment.
• Performing obligations in accordance with the law.

Under the Draft PDPD, the processing of sensitive personal data and cross-border transfer of personal data outside of Vietnam is also subject to regulatory approval from the PDPC.

The use and disclosure of personal information must be in accordance with the purposes agreed to by the data subjects.

Note: Organizations or individuals may only use the collected personal information for proper purposes as stipulated by law or as agreed upon by the two parties and are not permitted to supply personal information of another person to any third party unless otherwise stipulated by law or agreed to by such person.

Personal data can generally be retained up to the period agreed to by the data subject, while “regulated data” must be stored for a period prescribed by the government. Appropriate management and technical measures to protect personal information from being lost, stolen, disclosed, modified, or destroyed must be taken while processing or storing personal information of others. 

Note: In general, organizations or individuals may only store the collected personal information for a certain period as stipulated by law or as agreed upon by the two parties.

The law generally requires that:

• Organizations and individuals processing personal information of another person must take appropriate management and technical measures to ensure that the personal information they have collected and stored is not lost, stolen, disclosed, modified, or destroyed; and comply with standards and technical regulations on the assurance of cyber-information security.
• When a cyber-information security breach occurs or threatens to occur, personal information-processing organizations and individuals must enact remedy and stoppage measures as soon as possible.

However, the Law on Cybersecurity prescribes that domestic and foreign enterprises providing services over telecom networks or the Internet, or value-added services in cyberspace in Vietnam (“Regulated Services”) involving the activities of collecting, exploiting, analyzing, and processing personal data, data on the relationships of service users, or data generated by service users in Vietnam (“Regulated Data”) must store such data in Vietnam for a period prescribed by the government. Foreign enterprises mentioned in this requirement must open branches or representative offices in Vietnam. 

This provision of the Cybersecurity Law is extremely broad, and it is still unclear how it will be practically implemented. The government has assigned the Ministry of Public Security to draft a decree to narrow down the scope of application and provide more detailed definitions relating to Regulated Services and Regulated Data.

Please refer to Question 13 below for more details on this draft decree.
 

Data subjects have the right to check, correct, update, modify, or delete their personal information. 

Note: The law generally provides that:

• Owners of personal information may request personal information-processing organizations and individuals to check, correct, update, modify, or delete their personal information collected or stored by the latter or to stop providing such personal information to a third party.
• Upon receiving a request from an owner of personal information to update, modify, or delete such information or to stop the provision of the information to a third party, a personal information-processing organization or individual must:
  • Carry out the request and notify the owner of the information, or grant the owner the right to access the personal information to update, modify, or delete it him/herself; and
  • Apply appropriate measures to protect the personal information, and notify the owner if the request cannot be carried out for technical or other reasons.
  • Personal information-processing organizations and individuals must delete the stored personal information when they have achieved their use purposes or the storage time has expired, and notify the owners of the personal information of such action, unless otherwise prescribed by law.

Prior consent of the data subject is required prior to cross-border data transfer. Under the Draft PDPD, regulatory approval and compliance with other regulatory conditions are also required. 

Note: Vietnamese law does not specifically distinguish between the transfer of data within or outside of Vietnam. The rules for the transfer of personal information both within and outside of Vietnam are the same. That is, organizations and individuals (if they fall within the scope of applicable law) must refrain from providing, sharing, or spreading to a third party personal information they have collected, accessed, or controlled, unless they obtain the consent of the data owners, or unless it is at the request of the proper state agencies.

The Law on Cybersecurity requires local storage of Regulated Data; however, it is unclear whether mirror copies of such data are prohibited from the cross-border transfer. The draft decree on cybersecurity will hopefully provide clearer guidance on this issue. 

Under the Draft PDPD, however, cross-border transfer of personal data outside of Vietnam is subject to the following requirements:

• Consent must be obtained from the data subjects;
• The original data must be stored in Vietnam;
• The data transferor must have proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the Draft PDPD; and most importantly
• A written approval for transfer must be obtained from the PDPC.

In order to obtain a written approval from the PDPC, an application must include an impact assessment report with an assessment of potential harm and measures to manage, minimize or eliminate such harm. The Draft PDPD provides an exemption to the foregoing requirement when there is: (a) consent from the data subject; (b) approval from the PDPC; (c) a commitment from the data processor to protect the data; and (d) a commitment from the data processor to apply measures to protect the data. However, it is still unclear whether just one or all four of these conditions need to be met.

Yes, providers and users of network services are responsible for notifying the relevant government authorities about any act of sabotage or a network information security incident.

Note: In general, Vietnamese law requires that providers and users of network services are responsible for ensuring information security and must cooperate with the authorities. Cooperating with the authorities includes notifying the relevant government authorities about any act of sabotage or a network information security incident within a certain period (such as five days) from the date the incident was detected and promptly take remedial or blocking measures. In the case of serious network information incidents that may impact national cyber-information security, action plans in accordance with the law must also be implemented.

Entities that could be subject to data breach notification requirements include (i) owners of data systems located in Vietnam; (ii) providers of certain types of online services (regardless of whether the service providers are Vietnamese entities or foreign entities); and (iii) owners of data systems which have been under cyberattacks causing or likely to cause serious damage to the affected persons (regardless of the location of the data system and/or the type of services engaged in by the owner of the compromised data system). 

The main bodies responsible for enforcing data protection legislation are the Ministry of Information and Communications and the Ministry of Public Security. 

Note: The main bodies responsible for enforcing data protection legislation are the Ministry of Information and Communications ("MIC") and the Ministry of Public Security (“MPS”). Powers of the MIC include conducting examination and inspection, settling complaints and denunciations, and handling data privacy violations. Powers of the MPS include conducting examination and inspection, settling complaints and denunciations, and handling cybersecurity violations

An individual is entitled to claim compensation for loss caused by a breach during the supply of personal information.

Note: The law does not set out statutory measures for handling a privacy breach. However, if the privacy breach occurs in association with a violation of data protection provisions by the person processing, storing, or using the personal information of other persons (e.g., does not have necessary managerial or technical measures to ensure that the personal information is not lost, stolen, disclosed, modified, or destroyed), depending on the nature and severity of the violation, the person violating such data protection provisions may be subject to disciplinary actions, administrative sanctions, or criminal penalties.

For administrative sanctions, the remedies include but are not limited to (i) monetary fines; (ii) confiscation of material evidence and facilities used to commit the breach; and (iii) suspension of business activities and seizure of gains from the activities.

In addition, the data subject is entitled to claim compensation for damages caused by a breach during the supply of his/her personal information.

Advertising emails, text messages and phone calls can only be sent or made after obtaining clear prior consent from the intended recipients. The details of each advertising email and text message must include opt-out information permitting recipients to decline receiving further advertising emails or text messages. 

Note: The new Decree 91 on Anti-Spam sets out regulations regarding unsolicited messages sent by email and mobile phone (text messages and phone calls). In general, advertising emails, text messages and phone calls can only be sent after obtaining clear prior consent from the intended recipients. No more than three advertising emails may be sent to an email address in a 24-hour period unless otherwise agreed by the recipient. The details of each advertising email and text message must include opt-out information permitting recipients to decline receiving further advertising emails or text messages. Advertising emails must be labeled with “QC” or “AD” at the beginning of the subject line. There must be information about the advertiser and, in the case of advertising chargeable services, complete information about the fees/charges. Senders must immediately cease sending advertising emails and text messages once they receive a notice of refusal from the recipient.

The government of Vietnam is working on: (i) a draft decree providing guidance on the implementation of the Cybersecurity Law; and (ii) a draft decree on personal data protection ("Draft PDPD").  

Note:

Draft Decree on Cybersecurity

The draft decree on cybersecurity, which guides a number of articles of the Law on Cybersecurity, sets out conditions on data localization and local establishment requirements that will be applicable to domestic and foreign entities providing online services to customers in Vietnam, notably:

• The scope of Regulated Services is narrowed down to only include:
  • Telecom services;
  • Services of data storage and data sharing in cyberspace;
  • Services of the provision of national or international domain names for users in Vietnam;
  • E-commerce services;
  • Online payment;
  • Payment intermediary services;
  • Transportation connection services through cyberspace;
  • Social network services and social communication services;
  • Online game services; and
  • Email services. 
• Services that are used to commit acts that violate “any laws of Vietnam” would trigger the data localization and local establishment requirements, provided that the service provider failed to undertake measures to stop and apprehend those violating acts or resisting, obstructing, or ignoring requests from the relevant authorities.  
• Regulated Service providers will have a six-month grace period upon receiving a request from the authorities to comply with the data localization requirement. 

Draft PDPD

On February 9, 2021, the MPS released a complete draft of the Decree on Personal Data Protection (Draft PDPD) for public consultation, with an ambitious goal for it to be promulgated and take effect by December 2021. However, due to several extremely sensitive issues it introduced, the Draft PDPD received tremendous negative comments from the public and foreign governments. One year after the release of the draft, the Draft PDPD has not yet been finalized or promulgated. Nevertheless, it is anticipated that the Draft PDPD might be promulgated and take effect within 2022.

The Draft PDPD is divided into six chapters and 30 articles, providing comprehensive coverage of personal data protection and some brand-new requirements. Notable contents of the Draft PDPD include the following:

• Re-categorization of personal data into basic personal data and sensitive personal data;
• New data processing requirements, including new legal bases for data processing and disclosure without consent; specification of the forms of consent; regulations for data processing for research and statistical purposes and automated data processing; and time limits for data retention;
• New data protection measures, including de-identification/encryption requirements, appointment of data protection officers, data accessibility from government authorities, and registration for processing of sensitive data and cross-border transfer of data;
• Establishment of the PDPC under the MPS; and
• New administrative sanctions for violations, including fines of up to 5% of the revenues earned from violating activities.

Among the various newly introduced requirements proposed in the Draft PDPD, Article 20 (Registration of Processing of Sensitive Personal Data) and Article 21 (Cross-Border Transfer of Personal Data) are notably problematic, and seem infeasible for the operation of various businesses and industries.