Vietnam’s National Assembly recently passed the Law on Cybersecurity, which contains certain additional requirements with respect to data protection. The new law requires that foreign organizations (i) store personal information of users, data on the relationship between service users, and data created by service users in Vietnam; and (ii) in certain cases, set up a commercial presence in Vietnam in the form of a subsidiary or representative office in order to be entitled to store personal data in Vietnam.

The Current Legal Framework

There is no comprehensive privacy and personal data protection legislation in Vietnam. Instead, various laws deal with different aspects of privacy. These include the Civil Code, the Law on Credit Institutions, the Law on Protection of Consumers’ Rights, the Law on E-transactions, the Law on Children, the Law on Cyber Information Security, the IT Law, the Law on Telecommunications, Decree 52 on e-commerce, Decree 90 on anti-spam activities, and Decree 72 on Internet services and online information. Of note, Vietnam’s Labor Code does not contain specific provisions addressing the protection of personal data of employees. However, employee information such as name, age, salary, and other relevant information is classified as personal information under Vietnamese law.

Data Subject Consent Requirement

Generally, the Law on Cyber Information Security requires that an individual provide his or her consent before his or her information can be collected for a specific purpose. This personal information can be used for other purposes only if additional consent is sought from the individual to whom the data relates (i.e., the information subject).

The concept of implied consent of the information subject with respect to personal data collection is not recognized under Vietnamese law. As such, unless the information subject has consented or a request from a competent Vietnamese State authority is made to this effect, the processor of information may not provide, share, or distribute to any third party personal information of the information subject that the processor has collected, accessed, or controlled.

Processors of personal information must develop and publicize their methods of processing and their measures for protecting personal information. The processor is also responsible for updating, amending, and destroying personal information upon the request of the information subject. This includes destroying personal information when it is no longer required by the processor or if the permitted time period for storing such information has expired. Correspondingly, the information subject must be notified of such destruction.

Regarding the storage of personal data, the law does not impose any specific limitations or restrictions on the period that an organization may (or must) retain records. However, organizations and individuals collecting, processing, and using personal information may retain this information only for a certain period, as agreed to by the information subject.

Data Export Rules

The laws of Vietnam do not provide for clear guidelines on the cross-border transfer of data in cases where personal data is either collected locally or imported but stored locally. However, the following general principles of Vietnamese law need to be considered by data importers and exporters:

Comment

Despite the passage of the Law on Cybersecurity, regulations determining the specific term for the holding of information, the information that must be stored, and the types of foreign organizations that must maintain a commercial presence in Vietnam have yet to be enacted by the government. Employers should note that the new law requires employees who engage in cybersecurity activities to obtain special training on how to appropriately manage those activities. Again, these regulations are still pending.

Written by Nguyen Thi Thanh Huyen (legal adviser) of DFDL and Roger James of Ogletree Deakins