This article was first published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2019 and on www.inhousecommunity.com on 2 December 2019.
Thanks to the invention of the Internet, enterprises can now use cyberspace as an effective tool to sell goods and provide services. With high Internet and smartphone penetration rates, Vietnam – the 15th most populous country in the world – can arguably be called a land of opportunities for domestic and foreign e-commerce companies. As many other jurisdictions, the laws of Vietnam require enterprises to protect personal data that they collect during the course of online business. However, compliance with this requirement may prove a challenge due to the lack of a single comprehensive legislation which contains all relevant regulations.
This article presents some of the key takeaways in this area of which enterprises should be aware.
Enterprises’ obligations to protect personal data on cyberspace under the laws of Vietnam
The legal framework on protection of personal data is scattered across many legal instruments, among which the Law No. 86/2015/QH13 on Cyber-Information Security (“Law on Cyber-Information Security”) is considered the general legal document. Other rules could be found in the Law No. 67/2006/QH11 on Information Technology (“Law on Information Technology”), the Law No. 51/2005/QH11 on E-transactions (“Law on E-transactions”), Decree 52/2013/ND-CP on E-commerce (“Decree 52/2013/ND-CP”), the Law No. 59/2010/QH12 on protection of consumers’ rights (“Law on protection of consumers’ rights”), etc. In addition, the recently promulgated Law No. 24/2018/QH14 on Cyber-security (“Law on Cyber-security”) also provides for additional obligations for enterprises processing personal data on the Internet.
Under the Law on Cyber-Information Security, “personal data” is defined as information associated with the identification of a specific person (Article 3.15) and “processing personal data” means the performance of one or more of the following operations: collecting, editing, utilizing, storing, providing, sharing or spreading personal information on cyberspace for commercial purposes (Article 3.17). These are arguably the only legal definitions of the terms, given that they are not clearly defined in any other legal documents.
In general, obligations that enterprises need to pay attention to when “processing personal data” on the cyberspace can be summarized as follows:
a. Collecting personal data
All of the above legal instruments state that any enterprise wishing to process personal data on cyberspace shall obtain prior consent of the data owners.  Each instrument, however, provides for different consent requirements. For instance, the Law on Cyber-Information Security requires that the consent shall include the scope and purposes of personal data collection and usage, while the Law on Information Technology asks enterprises to inform the data owners of the form and place of processing data in addition to the content above.
There are nonetheless exemptions from the prior consent requirement. Under the Law on Information Technology, an enterprise is not required to obtain consent where the collected information is used for the following purposes:
- Signing, modifying or performing contracts on the use of information, products or services in the network environment;
- Pricing [or] calculating charges for use of information, products or services in the network environment;
- Performing other obligations in accordance with laws.
Furthermore, e-commerce businesses (i.e. businesses conducting some or all of their commercial activities by electronic means connected to the Internet, mobile telecommunications network or other open networks) are not required to obtain data owners’ consent where the collected information is already published on e-commerce websites; or where the information is being collected to conclude or perform sale or purchase contracts, or to calculate prices or charges for use of information, products and services online. 
b. Using personal data
Issuing a policy
Personal data shall generally be used in accordance with the scope and purposes identified by the enterprises processing the data when obtaining consent of the data owners, except where the enterprise (i) has an agreement to the contrary with the data owners; (ii) is providing services/goods as requested by the data owners; or (iii) fulfilling other obligations as required by laws.
Under the Law on Cyber-Information Security, enterprises processing personal data on cyberspace are required to create and issue data security regulations in using information systems. However, currently there is no specific guidance on this legal instrument.
Decree 52/2013/ND-CP provides more detailed guidance on the requirement of building a data security policy, and specifies the mandatory provisions as follows:
- Purpose(s) of collecting personal information;
- Scope of information use;
- Duration of information storage;
- Persons or organizations that may access such information;
- Address of the information collection and management unit, indicating how consumers can ask about the collection and processing of information relevant to them;
- Method and tools for consumers to access and modify their personal data on the e-commerce system of the information collection unit.
Other legal instruments do not set out any security policy requirement.
In addition to the security policy, enterprises processing personal data shall also apply suitable managing and technical methods to protect the collected data.
Sharing with a third party
The Law on Cyber-Information Security, the Law on Information Technology, the Law on E-transactions, the Law on protection of consumers’ rights as well as Decree 52/2013/ND-CP prohibit enterprises from sharing, disclosing or transferring personal data to any third party except with prior approvals of the data owners or otherwise required by laws.
Rights of the data owners
The data owners are entitled to request the data collecting enterprises to review, update, modify or delete their own data. Such enterprises shall comply with the request of the data owners and accordingly review, update, modify or even delete their information.
Law on Cyber security
Along with providing for duties of competent authorities, this set of law also sets out a number of additional obligations for enterprises, the most notable of which are:
- Storing data in Vietnam
Article 26.3 requires that domestic and foreign providers of services on telecom networks and on the Internet and other value added services on cyberspace in Vietnam [cyberspace service providers] which collect, utilize, analyze and process their users’ relationship information shall store data in Vietnam for a period [to be] specified by the Government. It is worth noting that the Law on Cyber-security stipulates that the data shall be stored in Vietnam but does not clearly mention the server. Thus, it is arguable that enterprises may place their servers outside of Vietnam.
- Establishing commercial presence in Vietnam
Remarkably, offshore entities which collect, utilize, analyze and process user’s data are required to establish a branch or representative office in Vietnam. On a literal interpretation, this requirement would apply to all cyberspace service providers such as Google, Facebook, or Sephora, etc. and may present operational challenges.
Waiting for the Decree guiding the Law on Cyber-security
Implementation of the above obligations under the Law on Cyber Security awaits further guidance from the Government. Such guiding Decree is expected to clarify key issues such as what types of data shall be stored in Vietnam and when, whether the server shall be located in Vietnam, and provides detailed guidance on the requirement that offshore enterprises must establish a commercial presence in Vietnam.
However, in light of the Government’s increasingly stringent approach to cyberspace security, from now on any enterprise that processes personal data should stay up-to-date with relevant regulations to ensure compliance with the laws of Vietnam.