New Law on Cyber Information Security and its impact on data privacy in Vietnam

Currently Vietnam does not have a unified law regulating data privacy. Instead, data privacy is governed by different laws and decrees including the Civil Code, the Law on E-Transactions, the Law on Information Technology, the Law on Protection of Consumer Rights, Decree 52/2013/NĐ-CP on E-Commerce and Decree 72/2013/NĐ-CP on Management, Provision and Use of Internet Services and Online Information.

Therefore, in the latest effort to strengthen the legal framework of information security, Vietnam enacted the Law on Cyber Information Security (“the CIS Law”) on 19 November 2015. The CIS Law will come into effect on 1 July 2016 in the hope of regulating activities of information security in cyberspace, the responsibilities of individuals and organisations for ensuring information security, civil cryptographic products, standards of information safety in cyberspace, the business of information safety in cyberspace and the government's role in implementing this law.

In respect of data privacy, the law provides, amongst other things, the definition of personal information and a set of articles presenting principles of data privacy protection and regulations on the collection, use, revision and removal of private information, along with responsibilities of the government to protect private data. Consistent with the other legal instruments mentioned above, the CIS Law expressly requires consent from the owner of the personal information before the processing (which includes collecting, editing, utilising, storing, providing, sharing or spreading) of personal information. Furthermore, the processor of personal information shall be responsible for the security of the said information and should publish the policy of use and protection for the processed information (Articles 3.17, 16.3, 17.1 & 17.2 of the CIS Law).

Additionally, when it comes to the balance between privacy and national security, Vietnam shows deference to the latter. According to Article 17.1.c of the CIS Law, providing, sharing or spreading personal information to a third party without the consent of the owners of such personal information is legitimate if it is processed at the request of competent state agencies. Similarly, Article 16.5 of the CIS Law provides an exception that personal information processing serving the purpose of ensuring national security and public order is governed by other regulations of the relevant laws. Under the CIS Law, it is also mandatory for civil cryptographers and cybersecurity service providers to postpone or stop their business for the sake of national security and public order upon request from relevant governmental agencies (Articles 35.6 and 46.5 of the CIS Law).

The CIS Law raises data privacy to a higher bar by setting clear principles and relevant requirements for the protection of personal data. However, we still look forward to a comprehensive law which codifies all relevant regulations to provide a full and consistent legal framework on data privacy. Meanwhile, we also look forward to detailed regulations on the “governmental request exception” to prevent any practical abuse which may affect the constitutional right to privacy. In this respect, a possible guiding decree may tell us more about how far the government will move the matter forward.