You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

January 5, 2023

Vietnam’s Data Protection Regulations: What to Expect in 2023

Subscribe to Updates

Data protection in Vietnam has been an ever-changing area of law in the last few years, with many legislative and practical developments. From its initiative to build the very first comprehensive Personal Data Protection Decree to meet international standards, to its actions to tackle widespread illegal data processing and trading, the Vietnamese government has shown its determination to strengthen the protection of data, which it has recognized as one of the national key tasks in the Prime Minister’s Strategy for Development of E-Government.

The year 2023 is expected to be another year of many important changes made to the law and practices in this area. This article discusses what we anticipate to be the key upcoming developments in Vietnam’s data protection regime that businesses may wish to keep a close eye on to ensure compliance.

Tightened Rules on Data Collection and Data Transfer

The conditions for personal data processing under the current law are rather sketchily outlined. In general, the data subject’s consent to the scope and purposes of the data processing may be considered sufficient for any collection, use, retention, or sharing of personal data. Explicit consent is not clearly required, except when the data is collected in e-commerce, used for direct marketing purposes, or for other strictly controlled activities. This leads to the practice where data controllers usually do not treat consent as a serious matter. In addition, once consent has been obtained, data controllers tend to comfortably collect whatever data they want, since the law does not require the collection to be “proportionate.”

This situation is expected to change in 2023 with more stringent regulations on personal data processing underway. The first and most influential set of rules on data protection to come out early this year will likely be the much talked-about Personal Data Protection Decree (“PDPD”) developed by the Ministry of Public Security (MPS), which has been in draft form since early 2021. The first public version of the draft PDPD (dated February 2021) proposed ruling out silence by data subjects as a valid form of consent, as well as requiring consent to be expressed in writing with a printable and reproducible format.

These new requirements, once taking force, could render illegal any processing of personal data without explicit consent. Other conditions of consent include that it can be made partially and conditionally, and withdrawn at any time by the data subject. In addition, the draft PDPD also proposed introducing the principle of data minimization (proportionality), according to which personal data collected must be limited to only what is necessary to accomplish the specified purposes.

The Draft Amended Consumers Protection Law (“Draft CPL”), scheduled to be promulgated within 2023, has also proposed tightening the conditions on consent for processing of consumers’ personal data. The Draft CPL requires traders, in obtaining consent for collecting consumer data, to establish a mechanism for consumers to select the types of information that they agree for the traders to collect and express their consent in a suitable form. For special processing purposes like sharing, disclosure, or transfer of personal data to third parties, and use of personal data for sending advertisements and introducing products, the Draft CPL requires a mechanism for the data subjects to clearly opt in to giving or not giving their consent. This requirement is similar to what is currently required for e-commerce websites/applications. In addition, bundled consent, i.e., a clause in a consumer contract or general terms and conditions that makes the conclusion of the contract or the terms and conditions dependent on the consumer’s consent to the collection, storage, and use of his or her data, is likely to be invalid under the Draft CPL.

Interestingly, the Draft CPL provides that collection of personal data that has been publicly disclosed does not require any notification to the consumers. This means scraping of publicly available personal data might be acceptable in Vietnam once the Draft CPL is promulgated and takes effect. However, scraping of non-publicly available personal data is still prohibited and could constitute a crime.

Apart from consent, the regulations on cross-border transfer of personal data will also soon be strengthened. The potential new approach to regulate cross-border transfer of personal data is believed to be revealed by chance in the Draft Decree on Sanctioning Administrative Violations in the Field of Cybersecurity (dated September 2021), which stipulates violations against the draft PDPD. Accordingly, the newly proposed conditions for cross-border data transfer may include only an impact assessment dossier for the transfer, a data transfer agreement between the sender and the recipient, and a post-transfer report to the personal data protection authority.

Compared to the onerous set of conditions for cross-border transfer of personal data that the MPS originally proposed in the draft PDPD, which include among others a state approval prior to the transfer and the storage of the original data in Vietnam, the new conditions appear less burdensome.

Intensified Regulatory Scrutiny

Despite the data protection regulations in place, reports on actual enforcement in practice have been rather limited. One possible reason is that regulatory inspectors have not been focusing on personal data in their activities. Things may change shortly with the recent message from the Ministry of Information and Communications (MIC) on its enforcement plan in this area (source).

In particular, the minister of the MIC announced that the MIC would conduct comprehensive inspections into companies’ compliance with the regulations on collection, processing, and protection of customers’ personal data in the coming time. Telecommunications carriers are said to be the first enterprises to be inspected, followed by postal companies and social networking platforms.

The issue of consent for data processing was notably highlighted by the minister in his discussion. Therefore, compliance in obtaining customer consent can be anticipated to be key in the MIC’s inspection scope. The implementation of technical and managerial measures to protect personal data according to the law is also likely to be scrutinized.

Continued Assertive Action against Illegal Data Trading

Vietnam has for years been a hotspot for the unauthorized trading of personal data, according to recent reports by the MPS and the MIC. The most common violation is where the infringing companies or their employees sell packages of customers’ identity and contact information including phone numbers, email addresses, and ID card information to third parties without authorization. Most of these data buyers would use the personal information for marketing purposes, including to make advertising calls or to send spam SMS or email advertisements to the information subjects. The violators may even use the personal data to commit financial fraud, including to obtain bank loans under the name of the data subject victims, or to impersonate state authorities or acquaintances of the victims to request money transfers (source). Data crimes therefore have been and will continue to be under the enforcement focus of the high-tech police at both the central and provincial levels.

The police are also likely to take a strict view and initiate a criminal prosecution against any act of illegal data trading. The most recent actions reported in the media include two cases where the police of Phu Tho Province prosecuted five individuals for the criminal act of “trading, exchanging, giving […] lawfully private information of an organization or individual on the computer or telecommunications network without the consent of the information owner” under Article 288 of the Criminal Code.

In one of the cases, two individuals were found using self-developed software to collect personal data of over 2 million people by scanning and capturing the data from Facebook and Google accounts, and selling the data. The other case involved three individuals’ collection and sale of more than 400,000 personal information records containing phone numbers and addresses, generating about VND 1.1 billion (approx. USD 47,000) from the illegal business (source). With the government’s determination to tackle data crimes, more criminal actions like these are expected to be seen in 2023.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

March 27, 2024
Two notifications on the cross-border transfer of personal data, issued by Thailand’s Personal Data Protection Committee (PDPC), came into effect on March 24, 2024. These notifications, which we detailed in a previous update, set out the criteria governing the cross-border transfer of personal data offshore, specifically focusing on situations where appropriate personal data protection standards are in place. Of particular importance is the role of binding corporate rules (BCRs) in enabling the cross-border transfer of personal data among affiliated businesses or within the same group of undertakings. The implementation of BCRs requires a comprehensive review and approval process by the Office of the PDPC, strictly in accordance with the criteria set out in one of the two notifications. With the notifications now fully enforceable, the Office of the PDPC has begun accepting BCRs for review. Data controllers and data processors intending to adopt BCRs as a means for transferring data to offshore affiliates or group companies must initiate the BCR submission process promptly. Failure to comply with PDPA requirements concerning the cross-border transfer of personal data could result in substantial penalties. Organizations involved in cross-border personal data transfers should be proactive in complying with the prescribed criteria to avoid these regulatory penalties and maintain the data protection standards mandated by the PDPA. For more information on these cross-border personal data transfer regulations, or on any aspect of complying with Thailand’s data protection laws, please contact Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Wilin Somya at [email protected].
Read More
March 27, 2024
The Bank of Thailand (BOT) has opened a public comment period on their consultation paper titled “Criteria for Supervising Virtual Banks” from March 19, 2024, to April 17, 2024. The consultation paper reveals that the BOT intends to apply traditional commercial bank supervisory standards to virtual banks. However, the BOT also explains that the wholly digital nature of the services offered by virtual banks necessitates additional regulatory supervision. Additional Supervisory Criteria for Virtual Banks Financial business group: If a virtual bank is within the same financial business group as other financial institutions, its parent company must structure the virtual bank to be under its own sole consolidated financial business group. After the virtual bank has undergone the “restricted phase” in its initial years of operation (see below), other financial institutions within the group are prohibited from extending credit to or engaging in transactions similar to lending activities with the virtual bank. Shareholding structure: If the increase in the financial institution system capital is higher than the actual capital injection resulting from the bank’s shareholding structure, the BOT aims to issue an additional regulation to supervise the capital of the virtual bank and financial institution system to prevent double counting. Operational risk: Virtual banks must not use a trademark or logo that bears resemblance to or implies association with other financial institutions or financial institution groups. Governance: Virtual banks must have at least one director and chief technology officer (CTO) with at least three years of experience in IT or digital service. Additionally, the CTO must work full-time for the virtual bank and may not be an employee of another legal entity. Restriction on related lending and related-party transactions: Virtual banks must obtain prior unanimous approval from their boards of directors before engaging in transactions with major shareholders or businesses
Read More
March 27, 2024
Last year, the government of Vietnam issued the Personal Data Protection Decree (PDPD), which took effect on July 1, 2023. The Department of Cybersecurity and High-Tech Crime Prevention and Control (referred to as “A05”) under the Ministry of Public Security (MPS) is tasked with implementing and enforcing the requirements under the PDPD. While a decree on sanctioning provisions for noncompliance with the PDPD is still pending issuance, further movements from the MPS/A05 indicate that it aims to start conducting its first inspections into PDPD compliance. This is the first time that companies and government agencies have been officially questioned by the MPS about their compliance with the PDPD. The purposes of this inspection program are (1) to evaluate the compliance status of a group of selected companies and government agencies and to understand challenges in complying with the PDPD requirements; (2) to propose sanctions for noncompliance; and (3) to collect information and comments for the development of the upcoming Personal Data Protection Law—not to spot noncompliance with the PDPD specifically. This round of inspection includes a number of companies in 14 sectors (including e-commerce, aviation, telecom, banking and finance, intermediary payment, insurance, gaming, education, healthcare, real estate, data processing services, ride hailing, etc.). The companies targeted by this inspection program must: (1) submit a report on compliance to the MPS/A05 by May 30, 2024 (this report is different from the data protection impact assessment (DPIA)/transfer impact assessment (TIA) submission requirements); and (2) coordinate with the MPS/A05 on any further investigation actions from June to August 2024. The inspection results will be available by September 2024. Key information to be reported includes, among others: (1) a description of the activities and measures carried out to implement the PDPD (such as protecting data subjects’ rights, performing administrative procedures, preventing violations, etc.)
Read More
March 18, 2024
Vietnam’s new Telecom Law 2023 was promulgated on November 24, 2023, and will take effect on July 1, 2024, for most telecom services. For three newly introduced telecom services—OTT telecom services, internet data center services, and cloud computing services—implementation and compliance will be delayed until January 1, 2025. These new services will be explored briefly below. The Ministry of Information Communication (MIC) is currently in the process of developing a number of decrees and circulars that will detail the implementation of the Telecom Law 2023, including one main decree that guides the new law in general. This decree is scheduled for prompt promulgation to coincide with the law’s effective date of July 1, 2024. The draft version of this decree, dated February 22, 2024 (“Draft Decree”), was shared for consultation with international organizations, associations, and enterprises by the Vietnam Telecom Agency (VNTA) in early March 2024 to gather feedback. The Draft Decree is expected to undergo further revisions before being sent to relevant state agencies for input and submission to the Ministry of Justice for assessment by the end of March 2024. The MIC anticipates submitting the subsequent version to the government by April 15, 2024.   New Telecom Services: OTT Telecom Services, IDC Services, and Cloud Computing Services In comparison to the Telecom Law 2009, the Telecom Law 2023 has three new telecom services: Basic telecommunications services on the internet (OTT telecom services) are defined as services whose primary functions including the sending, transmission, and receipt of information between two persons or a group of people using telecommunications services on the internet (Article 3.8 of the Telecom Law 2023). By incorporating the term “primary functions” into the definition, the Telecom Law 2023 aims to exclude services such as ride-hailing platforms where the primary function is transportation, not telecom
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice