To download the Data Privacy Q&A guide, please click here.
To see other released Data Privacy Q&A guides on separate jurisdictions, please click here.
Is there a data privacy law in the jurisdiction of Vietnam? If yes, is it implemented? If no, what laws are relied on?)
Yes, Vietnam does have data privacy regulations but they are not featured in an omnibus law. Rather, the relevant regulations are scattered across, among others, the Constitution, Civil Code, Criminal Code, IT Law, Cyber Information Security Law, Consumer Rights Protection Law, E-transactions Law, Cybersecurity Law, and their relevant decrees (Vietnamese Data Protection Laws). That said, the laws are currently being revamped into the form of the Draft Personal Data Protection Decree (Draft PDP Decree), which is the first legislative effort to consolidate data protection regulations in a single instrument. The Draft PDP Decree is still currently under government review and pending issuance.
What significant legal instruments relating to data protection are currently pending? If any, what are the timelines?
Since the last version of the Draft Cybersecurity Law Decree was submitted to the Government for review in 2018, it remains pending. No public information is available as to its status and when it will be issued.
As for the Draft PDP Decree, following the close of the consultation phase in April 2021, it was scheduled for submission to the Government by June 2021 pursuant to the Prime Minister’s Decision 889/QD-TTg dated 7 June 2021. However, there is no public information on its current status.
Who do Vietnamese Data Protection Laws apply to?
The scope of application of Vietnamese Data Protection Laws can be interpreted broadly to apply to both offshore and onshore entities involved in the collection, use, storage, and/or transfer of personal data. Data protection-related instruments currently in the pipeline, including the Draft Cybersecurity Law Decree and Draft PDP Decree, are likely to have the same effect. This may be indicative of Vietnam’s intentions for its privacy legislation to have extra-territorial reach.
Who are the relevant regulatory and enforcement authorities in Vietnam with regards to personal data protection?
The Ministry of Public Security (MPS) is the drafter and central authority of the Cybersecurity Law, Draft Cybersecurity Law Decree, and Draft PDP Decree. The MPS guides and monitors the implementation of the abovementioned instruments, handles personal data violations and cybercrimes (e.g., investigating infringements, imposing administrative penalties, prosecuting criminal cases, etc.). The Department of Cybersecurity and Hi-tech Crime Prevention is the specific body under the MPS mainly responsible for these duties.
The Ministry of Information and Communication (MIC) is traditionally responsible for administering and enforcing regulations in cyberspace, including those related to personal data protection. The MIC makes requests to service providers for removal of information in violation of Vietnamese content rules and is to collaborate with the MPS for cybersecurity breaches. The responsible body within the MIC is the Authority for Broadcasting and Electronic Information (ABEI).
The Ministry of Industry and Trade (MOIT) is the drafter and the central authority of the E-Commerce Decree. The MOIT guides and monitors compliance of e-commerce regulations including provisions related to personal data protection, handles disputes around personal data protection in e-commerce activities, and imposes relevant administrative penalties.
We note that overlaps are present with regards to regulations and authorities. That said, we expect further guidance as to how the different ministries/bodies will coordinate and collaborate to carry out their respective roles with the future issuance of the Draft PDP Decree.
How is personal data defined in Vietnam?
Vietnamese Data Protection Laws do not employ a consistent definition of personal data because there is no omnibus law. The definition and specificity vary depending on the sector and their relevant regulations. At a minimum, information that enables identification of an individual is protected by the law. If information not clearly deemed as personal data (e.g., IP addresses, device IDs, and location information, etc.), when combined with other information can identify an individual, it may warrant protection.
Is there a distinction between personal data and sensitive data under the laws?
There is no distinction between personal data and sensitive data because sensitive data is not defined under current Vietnamese Data Protection Laws. That said, the Draft PDP Decree provides for sensitive data for the first time but note that this draft decree is still under government review and subject to further change.
What is the consent requirement in Vietnam?
There is no across-the-board definition nor mandatory form of consent under current Vietnamese laws. Entities collecting, using, storing, and/or transferring personal data must obtain the consent of whom the personal data belongs. This consent may be express or implied depending on the circumstances. In contrast, the Draft PDP Decree proposes a more specific and clearer requirement providing that consent must be in a format that can be printed or copied in writing. This signals a move closer to an active consent requirement, one that requires data subjects to take affirmative action when giving consent, which is more in line with international standards.
What restrictions are there for cross-border transfer of personal data?
As long as the relevant data subjects consent to cross-border transfer of personal data, there are no express restrictions on cross-border transfer of personal data under the current laws. However, the data localization requirement under the Cybersecurity Law may impact cross-border transfer of personal data going forward. We note that this data localization requirement has not yet been applied because the needed guidance/details for implementation will be in the pending Draft Cybersecurity Law. Also, the Draft PDP Decree for the first time proposes specific requirements for cross border transfer of personal data but given its draft status the requirements are subject to further change. Rouse Vietnam will provide updates on future developments in this regard.