Vietnam does not have a comprehensive law on personal data protection and so personal data is not yet truly protected. Witness the rise of online services that collect and process big data from private sources. Protecting personal data presents a significant challenge and is in conflict with another government objective, which is to provide national cybersecurity. Ensuring cybersecurity can conflict with the protection of individual privacy.
The need for consolidated legislation to provide personal data protection is well recognized. Based on Decision No. 06/QD-TTg, a new law is planned to be issued sometime in 2024. In the interim, the government issued Decree 13/2023/ND-CP on personal data protection (Decree 13), which took effect on 1 July 2023.
Decree 13 makes major additions to Vietnam’s personal data protection framework: (i) designates the Department of Cybersecurity and Prevention of Cyber-Crimes under the Ministry of Public Security to oversee the enforcement and application of personal data regulations, including Decree 13; (ii) creates a unified definition/classification of personal data (including basic and sensitive data); (iii) establishes a framework for cross-border data transfers; and (iv) introduces international concepts such as ‘data controller’ and ‘data processor’, and provides a full set of rules regarding their rights and obligations.
Fundamentally, Decree 13 pursues a soft management approach toward personal data processing/transfer. That is, no prior approval by or registration with the authorities is required. Instead, only an impact assessment of personal data processing/transfer activities must be maintained by data controllers/processors and be reported to the authorities after the processing/transfer occurs.
In line with this development, the Government has also set up a legal framework for cybersecurity, which has an impact on personal data.
Compromises between perfect privacy and perfect cybersecurity are inevitable. New Decree 53/2022/ND-CP introduces regulations on data localisation (ie, storing data inside the country) and mandatory physical establishment in Vietnam of offshore companies that provide certain services in Vietnam (eg, telecommunications, e-commerce, social networks, online games, telephone/video calls, emails, etc.).
Specifically, and subject to certain triggering conditions (eg, violation of the Cybersecurity Law), a foreign service provider (of regulated services) must establish a local branch or a representative office and must store certain regulated data in Vietnam. The data it must store in these circumstances is the personal data of customers in Vietnam and data created by Vietnam-based customers (for example, credit card information, IP addresses and registered phone numbers).
How to regulate and protect personal data is a growing issue, and it is clear that the Vietnamese government intends to develop more rigorous measures to protect privacy. Vietnam, however, must act prudently to avoid imposing administrative burdens on service providers and, thus, restricting its citizens’ access to necessary online services.
Vietnam needs to find a path to balance its objective to protect privacy and the imperative it sees to create a credible cybersecurity shield.