Highlights from Rouse Webinar with Lexology & Global Data Review

Following Part 1 in this series of our Webinar wrap-ups, Part 2 comprises questions and answers regarding employee data, regulators’ access to and management of personal data, and the consent requirement.

5. Will employee data be exempted from the data protection law requirements and is employee’s consent required for transferring employees’ data to overseas headquarter?

In short, employee data is not exempted from data protection law requirements. Employee data that identify specific individuals warrants protection under both existing laws and the Draft PDP Decree.  Exceptions to the rule may include cases of data processing by competent authorities and data processing to ensure national security, defence and public order.[1]

Intragroup transfer of employee data to overseas HQ would generally require consent if the data pertains to and can identify a specific individual both under both the current laws and the Draft PDP Decree. The Draft PDP Decree defines cross-border data transmission as the use of cyberspace or electronic devices to transfer personal data of Vietnamese citizens to a place outside the territory of Vietnam. This would effectively include the intragroup transfers of data.

6. Under the current regulations whether / how local regulators can access personal data of non-citizens or residents / citizens if personal data is stored locally / outside Vietnam, and what changes (if any) would we see under the Draft PDP Decree?

Under the Cybersecurity Law, the MPS cybersecurity forces can request service providers to hand in users’ personal data for their investigation of cybersecurity violations.[2]  This rule is applied to data of all online service users in Vietnam regardless of their citizenship.  The obligation to comply are imposed on all domestic or overseas companies providing online services in Vietnam’s cyberspace, regardless of where their users’ data is stored.  According to the Draft Cybersecurity Law Decree, non-compliance with the Government requests to hand in users’ data is one of the criteria that trigger the data localisation requirements. There have been no publicly reported cases of which a company was requested to provide their user data based on the Cybersecurity Law.  Further, we note that the procedure relating of requesting for and accessing personal data by the MPS is not specified in the Cybersecurity nor the Draft Cybersecurity Law Decree.

Another basis for access can be the Cyber Information Security Law, which allows local government regulators to access locally personal data of both citizens/residents and non-citizens/residents in certain circumstances. Organizations/individuals processing personal data are restricted from provision, sharing to a third party that they have collected/accessed/processed, unless they have the consent of the data subject or at the request of the competent state agencies. Given the scope covers Vietnamese and offshore entities/individuals involved in or related to cyber information security activities (here which would be having the data stored in Vietnam), this would effectively allow local regulators to access locally stored data.

The Draft PDP Decree is consistent with existing regulations.  The provisions that the data controllers must store the original personal data in Vietnam for cross-border transfer of such data, and that personal data can be processed without consent for the purpose of investigation and handling of law violations, can further facilitate access to personal data by government authorities. 

7. How is Personal Data shared with government authorities dealt with, and whether this is addressed in the Draft PDP Decree?

There are no specific rules on the handling of personal data by government authorities under the Draft PDP Decree.  Under the current legislation, general PDP rules are also applied to state agencies in their processing of personal data.  This issue is regulated under several instruments. Some examples are as follows:

  • Decree 47/2020/ND-CP dated 9 April 2020 on Management, Connection and Share of Digital Data of Regulatory Agencies provides for the principle that the sharing of data between state agencies shall not infringe upon data privacy.
  • Law on Access to Information 2016 provides that the head of a state agency may, where necessary, decide the provision of personal data held by such agency to others for the purpose of protecting interests and health of the community as regulated by relevant laws without asking for consent.

Further, the Draft Cybersecurity Decree has a chapter on cybersecurity within state agencies (Chapter IV), which details requirements on establishment of policies on use of internal networks and plans for ensuring network securities, responding to and overcoming cybersecurity incidents imposed on government authorities.  In addition, according to the proposed amendment of the Law on Electronic Transactions, there will be a chapter dealing with the sharing of data among Government agencies, including personal data. The main focus of the amendment is to facilitate the electronic transactions between Government agencies and organizations/individuals and among Government agencies themselves to effectively implement the electronic public services and the e-Government (via the e-Government portal).

8. Are you aware of any cases where data controllers were imposed liability for damage of users’ data in cybercrimes?

There have been no publicly reported cases where data controllers have been found liable.  Vietnamese current laws and practice focus on penalizing those who directly conduct the crimes as opposed to data controllers.  Failure to apply protection measures may cause data controllers to suffer administrative fines.  However, opinions that liabilities of data controllers should be heightened have been raised recently.    

9. How would the consent requirement change with the Draft PDP Decree?

Under the current laws, there is no mandatory form of consent. Entities collecting, using, storing, and/or transferring personal data must obtain the consent of whom the personal data belongs. This consent may be express or implied depending on the circumstances. As such, consent obtained with the browse-wrap method[3] is technically valid in Vietnam.

The e-commerce context is an example of when explicit consent for personal data must be obtained. That said, the E-commerce Decree does not define “explicit consent”.  The E-commerce Decree is currently applicable to companies that have physical presence in Vietnam.  However, the draft Amendment of the Ecommerce Decree has proposed to extend the governing scope to foreign companies doing ecommerce activities in Vietnam.  If that becomes the case, this explicit consent requirement may have broader geographical effect.

The Draft PDP Decree proposes a stricter and clearer requirement regarding consent. Specifically, consent must be able to be printed or copied in writing.  Accordingly, consent obtained with the browse-wrap method may no longer be valid and need to be replaced by the opt-in method requiring data subjects to give consent through an affirmative action.