Data protection in Vietnam has been an ever-changing area of law in the last few years, with many legislative and practical developments. From its initiative to build the very first comprehensive Personal Data Protection Decree to meet international standards, to its actions to tackle widespread illegal data processing and trading, the Vietnamese government has shown its determination to strengthen the protection of data, which it has recognized as one of the national key tasks in the Prime Minister’s Strategy for Development of E-Government.
The year 2023 is expected to be another year of many important changes made to the law and practices in this area. This article discusses what we anticipate to be the key upcoming developments in Vietnam’s data protection regime that businesses may wish to keep a close eye on to ensure compliance.
Tightened Rules on Data Collection and Data Transfer
The conditions for personal data processing under the current law are rather sketchily outlined. In general, the data subject’s consent to the scope and purposes of the data processing may be considered sufficient for any collection, use, retention, or sharing of personal data. Explicit consent is not clearly required, except when the data is collected in e-commerce, used for direct marketing purposes, or for other strictly controlled activities. This leads to the practice where data controllers usually do not treat consent as a serious matter. In addition, once consent has been obtained, data controllers tend to comfortably collect whatever data they want, since the law does not require the collection to be “proportionate.”
This situation is expected to change in 2023 with more stringent regulations on personal data processing underway. The first and most influential set of rules on data protection to come out early this year will likely be the much talked-about Personal Data Protection Decree (“PDPD”) developed by the Ministry of Public Security (MPS), which has been in draft form since early 2021. The first public version of the draft PDPD (dated February 2021) proposed ruling out silence by data subjects as a valid form of consent, as well as requiring consent to be expressed in writing with a printable and reproducible format.
These new requirements, once they take effect, could render illegal any processing of personal data without explicit consent. Other conditions of consent include that it can be given partially and conditionally, and withdrawn at any time by the data subject. In addition, the draft PDPD also proposed introducing the principle of data minimization (proportionality), according to which personal data collected must be limited to only what is necessary to accomplish the specified purposes.
The Draft Amended Consumers Protection Law (“Draft CPL”), scheduled to be promulgated within 2023, has also proposed tightening the conditions on consent for processing of consumers’ personal data. The Draft CPL requires traders, in obtaining consent for collecting consumer data, to establish a mechanism for consumers to select the types of information that they agree for the traders to collect and express their consent in a suitable form. For special processing purposes like sharing, disclosure, or transfer of personal data to third parties, and use of personal data for sending advertisements and introducing products, the Draft CPL requires a mechanism for the data subjects to clearly opt in to giving or not giving their consent. This requirement is similar to what is currently required for e-commerce websites/applications. In addition, bundled consent, i.e., a clause in a consumer contract or general terms and conditions that makes the conclusion of the contract or the terms and conditions dependent on the consumer’s consent to the collection, storage, and use of his or her data, is likely to be invalid under the Draft CPL.
Interestingly, the Draft CPL provides that collection of personal data that has been publicly disclosed does not require any notification to the consumers. This means scraping of publicly available personal data might be acceptable in Vietnam once the Draft CPL is promulgated and takes effect. However, scraping of non-publicly available personal data is still prohibited and could constitute a crime.
Apart from consent, the regulations on cross-border transfer of personal data will also soon be strengthened. The potential new approach to regulating cross-border transfer of personal data is believed to have been revealed by chance in the Draft Decree on Sanctioning Administrative Violations in the Field of Cybersecurity (dated September 2021), which stipulates violations against the draft PDPD. Accordingly, the newly proposed conditions for cross-border data transfer may include only an impact assessment dossier for the transfer, a data transfer agreement between the sender and the recipient, and a post-transfer report to the personal data protection authority.
Compared to the onerous set of conditions for cross-border transfer of personal data that the MPS originally proposed in the draft PDPD, which included, among others, state approval prior to the transfer and storage of the original data in Vietnam, the new conditions appear less burdensome.
Intensified Regulatory Scrutiny
Despite the data protection regulations in place, reports on actual enforcement in practice have been rather limited. One possible reason is that regulatory inspectors have not been focusing on personal data in their activities. Things may change shortly with the recent message from the Ministry of Information and Communications (MIC) on its enforcement plan in this area (source).
In particular, the minister of the MIC announced that the MIC would conduct comprehensive inspections into companies’ compliance with the regulations on collection, processing, and protection of customers’ personal data in the coming time. Telecommunications carriers are said to be the first enterprises to be inspected, followed by postal companies and social networking platforms.
The issue of consent for data processing was notably highlighted by the minister in his discussion. Therefore, compliance in obtaining customer consent can be anticipated to be key in the MIC’s inspection scope. The implementation of technical and managerial measures to protect personal data according to the law is also likely to be scrutinized.
Continued Assertive Action against Illegal Data Trading
Vietnam has for years been a hotspot for the unauthorized trading of personal data, according to recent reports by the MPS and the MIC. The most common violation is where the infringing companies or their employees sell packages of customers’ identity and contact information including phone numbers, email addresses, and ID card information to third parties without authorization. Most of these data buyers would use the personal information for marketing purposes, including to make advertising calls or to send spam SMS or email advertisements to the information subjects. The violators may even use the personal data to commit financial fraud, including to obtain bank loans under the name of the data subject victims, or to impersonate state authorities or acquaintances of the victims to request money transfers (source). Data crimes therefore have been and will continue to be under the enforcement focus of the high-tech police at both the central and provincial levels.
The police are also likely to take a strict view and initiate a criminal prosecution against any act of illegal data trading. The most recent actions reported in the media include two cases where the police of Phu Tho Province prosecuted five individuals for the criminal act of “trading, exchanging, giving […] lawfully private information of an organization or individual on the computer or telecommunications network without the consent of the information owner” under Article 288 of the Criminal Code.
In one of the cases, two individuals were found using self-developed software to collect personal data of over 2 million people by scanning and capturing the data from Facebook and Google accounts, and selling the data. The other case involved three individuals’ collection and sale of more than 400,000 personal information records containing phone numbers and addresses, generating about VND 1.1 billion (approx. USD 47,000) from the illegal business (source). With the government’s determination to tackle data crimes, more criminal actions like these are expected to be seen in 2023.