by Steven Jacob, Foreign Associate

A few weeks ago I wrote about individual users’ data privacy rights in Vietnam. This week I want to write about the service provider’s data privacy obligations in Vietnam. While these are two sides of the same coin, this side is perhaps even more important because it is where the action takes place. Users can activate their rights, but it is the service providers who must respond with positive acts. This article will examine two elements of these obligations. First, I’ll discuss the law as it relates to who actually has to abide by Vietnam’s data privacy regime and the myriad problems with that jurisdictional claim. Second, I’ll discuss the obligations themselves.

Who is Obliged to Protect Individuals’ Data Privacy?

Scope of Application

The first step is to understand who is obligated to abide by the rules of data privacy in Vietnam. Obviously, these rules apply to Vietnamese citizens and organizations; they are already governed by Vietnamese law, so it is no stretch at all to apply rules of data privacy online to them. Even if they act as a service provider in a foreign jurisdiction, they will still be subject to Vietnam’s laws on data privacy. What is less clear is the application of these laws to all foreign individuals and organizations who “are directly involved in or are related to network information security activities in Vietnam.” Network information security means

the protection of network information and information systems against any illegal access, use, disclosure, interruption, amendment or sabotage in order to ensure the integrity, confidentiality and availability of information (italics are mine).

Two more definitions are important to understand in order to comprehend the scope of the data privacy laws. First is the definition of network, which is “the environment where information is supplied, transmitted, collected, processed, stored and exchanged via telecommunication networks and computer networks.” Second is the definition of information systems which are “any assembly of hardware, software and databases which is purposely set up for establishment, supply, communication, collection, handling, storage and exchange of network information.”

What is “information”?

The first problem with defining the scope of application of the rules for data privacy is the definition of information. In the law on network information security, which is where most of the data privacy regulation currently comes from, there is no definition of the term. Going back a step to look at the law on information technology, there is no definition of the term. Both the civil code and the constitution have guarantees and discuss “personal information” but they don’t contain a separate definition of “information.” The only definition that I can find is contained in the law of information access. It defines information as

messages, data contained in texts, dossiers, prepared documents, existing in the form of writing, printing, electronic, paintings, pictures, drawings, tapes, records, image recordings, sound recordings or other forms which originate from an organ of the government.

That seems comprehensive, but it only applies to media produced by government organs. It might apply when dealing with state secrets and state security, but not to “network information” which, according to the body of the relevant laws, obviously includes sources outside the government. Information, then, is undefined, and for the purpose of determining whether an individual or organization is involved with “network information”, this gap allows the governing authorities to decide arbitrarily when to apply data privacy requirements.

Activities Giving Rise to Obligations

The definitions above suggest that the data privacy rules will apply to foreign individuals or organizations who are conducting activities to protect the information provided online (the environment where information is exchanged) and the use of hardware and software set up for the purpose of using and exchanging such information (e.g., computers, telecommunications channels, and the internet infrastructure). This is relatively straightforward at first blush, but there’s a snag: the verb at the very beginning of the definition of network information security.

Individuals and organizations, Vietnamese or foreign, must be involved in the “protection” of this information and the infrastructure on which it is used. This suggests that in order for this law to apply the service provider must be actively protecting the information on the network. What about someone who doesn’t care about protecting his information and simply puts it out into the world?

It would seem that such a lackadaisical attitude would exclude him from the application of this law. Fortunately, most folks who are involved with the collection and use of information on networks do have some form of protection in place, if only to maintain their proprietary control over such information, and thus would satisfy the requirement. Assume, then, that if you are involved in the collection, use, and exchange of information, and particularly personal data, you are subject to these rules.

What Does “in Vietnam” Mean?

One final point of contention on the application of network information security rules, and perhaps the most important, is the question of jurisdiction. The scope of these rules applies to foreigners who are involved in information protection activities “in Vietnam.” Does this mean that the information protection activities must occur in Vietnam, or that the information protected is in Vietnam? I am of the opinion that the former is the case.

Looking at the original Vietnamese version, the participation in or relationship to information protection activities must take place in Vietnam. Because the definition of “network” includes the environment which gives rise to data, this itself implies that not only must the act of protection occur in Vietnam, but it must be protection of data which arises from the data collection environment in Vietnam. This, then, despite my best efforts to bring clarity, remains confusing and difficult to apply in reality. When does an act of protection of data occur in a specific geographical location? When there is an office in which the IT folks type in the information on their keyboards, or somewhere in cyberspace when the instructions are carried out on an app? The distinction between the source of network information and the protection of network information security is a very fine one.

Unfortunately, the Ministry of Information and Communications, the Ministry of Public Security, and the People’s Courts are not likely to make such a fine distinction in their application of the written laws. Thus, the smart money is for foreign individuals and organizations who have “network information” or “information systems” in Vietnam to comply with Vietnam’s data privacy rules. But even stating such a simple rule of thumb is fraught with difficulty. While knowing whether one has “information systems” in Vietnam is fairly straightforward, as it involves hardware, physical assets, and IP, knowing whether one has “network information” in Vietnam is an entirely different question.

Possible Precedent

I’ll discuss the law which contains the data privacy rules shortly (the network information security law) but for now, know that it does not include any guidance on this issue and the only other relevant guidance available is in the Cybersecurity Law in its discussion of data localization. But even here the requirement is currently limited to the provision of services “on cyberspace in Vietnam.” There is no explanation of how to determine when “cyberspace” is “in Vietnam”. Otherwise, there are two pieces of legislation that are currently being considered that could give rise to a better definition of when “network information” is in Vietnam.

The first is a decree that will revise the Cybersecurity Law. I discussed this in detail in my post about data localization in Vietnam, so I won’t discuss it here. Briefly, though, it would only impose a data localization requirement after there have been cybersecurity violations related to the foreign domain or service provider. Thus, cyberspace would only be strong-armed into Vietnam’s jurisdiction if there are problems affecting Vietnam or its citizens.

The second piece of legislation is a law that will revise current rules regarding e-commerce in Vietnam. The contemplated law addresses when Vietnam’s e-commerce regulations apply to offshore providers. Two strategies for determining such applicability are currently being contemplated. Under the first, the offshore e-commerce provider uses a .vn domain name, the content of its website is in Vietnamese, or it has at least 100,000 transactions originating in Vietnam within one year. In this case, the service provider will be required to set up a representative office in Vietnam. Under the second, the offshore e-commerce provider uses a .vn domain name, the content of its website is in Vietnamese, or the number of transactions originating in Vietnam exceeds an as yet unspecified threshold. In this case, the service provider will be required to appoint a legal representative in Vietnam or open a representative office.

Neither of these approaches defines when “network information” is determined to be “in Vietnam”, but they do provide some understanding of the government’s thinking on how to enforce its rule on foreign service providers. A third piece of legislation currently being drafted is a comprehensive data privacy law that is expected to be ready for the National Assembly’s consideration at its next session. No version of this law has been published yet, though it is being drafted in concert with advisers from the European Union and some think that this means it will reflect the EU’s GDPR. Whatever that new law holds, however, does not help foreign individuals and organizations to understand when they must comply with Vietnam’s data privacy rules if they deal only in “network information” now.

There is no other conclusion, then, than that the law of Vietnam on the localization of “network information” for the purposes of data privacy is uncertain and that the smart foreign service provider will make sure that any “network information” that obviously targets or reasonably relates to the Vietnam market is protected according to the rules discussed below.

Handling Personal Information

Before diving into the specific obligations that lie at the feet of those individuals and organizations handling personal information, it is important to understand what handling personal information means. The law on network information security defines “handling personal information” as the “performance of one or more operations to collect, edit, use, store, supply, share, and disperse personal information in the network for commercial purposes.” Know then that whenever I refer to “handling personal information” or “data” I’m referring to all of those defined activities. And what is “personal information” that it needs handling? Personal information is “information associated with the identity of a specific person.” Again, here, we find a lack of detail on what “information” actually means and must assume that if it is of a nature that can be “handled” on a “network”, it probably falls within the thresholds of the definitions. All of this is important because, in addition to the above discussion of who must abide by these laws, only those individuals and organizations which handle personal information must fulfill the data privacy obligations I am about to discuss.

Data Privacy Obligations

1. Take Network Information Security Measures

The first obligation of individuals and organizations who handle personal information is to ensure the network information security for the personal information that they handle. Network information security means

the protection of network information and information systems against any illegal access, use, disclosure, interruption, amendment or sabotage in order to ensure the integrity, confidentiality and availability of information.

The law classifies information systems into five different categories depending on the type of information they handle and the purpose for which they handle it. The information classified ranges from publicly available information to state secrets. There is a defined process and authorities for classifying information systems and any individual or organization subject to the network information security law must abide by them. Most individuals and organizations handling personal information in relation to information systems for profit will fall in either category two or category three. Each category has different obligations for the technical standards it must deploy in taking network information security measures. I won’t detail the standards in this article, as they are more technical than legal, but know that those handling personal information will likely be obliged to know, understand, and apply them.

2. Publish a Privacy Policy

The second obligation of parties handling personal information is to develop and publish a policy for the handling and protection of the personal information which arises from organizations and individuals themselves. As this is written in Vietnamese, it is unclear whether the policy must apply to the individuals and organizations that handle personal information or to the individuals and organizations to which the handled personal information belongs. The prevailing interpretation is that those handling personal information must develop and publish a policy for the handling of their users’ personal information, and this gives rise to the necessity for websites and internet service providers to post a privacy policy on their websites which explains how they handle personal information. Other than compliance with the law, there are no other guidelines for the formulation of this policy.

3. Notify Owner of Scope and Purpose of Collection

Third, those handling personal information must, before collecting personal information, inform the owner of the personal information why they are collecting it and what they intend to use it for. They must also obtain the personal information owner’s consent. While it is not specifically stated that this must be an affirmative consent, the anti-spam laws require, and the authorities have regularly interpreted the law to require, that such consent cannot be obtained through passive means. In other words, a website cannot state only that its continued use will signal consent; it must include a method for the user to actively agree, such as an opt-in button. This, and many of the other data privacy obligations, can be dispensed with by including them in the privacy policy and obtaining the user’s consent to the privacy policy prior to use of the website.

4. Notify Owner of Changes in Purpose of Use

The fourth obligation, however, cannot be dispensed with by general statements in the privacy policy. If those handling personal information change the purpose for which they use the personal information from that originally stated when they first obtained the personal information owner’s consent, they must obtain a subsequent consent to such change. It is not enough for the privacy policy to state that the purpose may change and that the initial consent covers any such changes; a separate consent must be obtained.

5. Maintain Control of Information

The fifth obligation comes in due course. Those handling personal information cannot share that information with any third party, except in a few specific cases: upon request from a competent state authority; where they have obtained the personal information owner’s consent to the sharing; or where they share collected personal information for the purposes of billing and the preparation of invoices with organizations with which the handler has a written contract. These issues can easily be disposed of in the privacy policy.

6. Provision of Personal Information Collected

The sixth obligation requires those handling personal information to provide the information they’ve collected to the owner of the personal information upon his request. What form this provision must take is unclear. There is no provision stating whether a secured digital copy is sufficient or whether a hard copy or some other form is required.

7. Altering Personal Information Upon Request

The seventh obligation requires those handling personal information to comply with requests from the personal information owner to update, change, or delete the personal information collected from the personal information owner. They must also cease providing the personal information to previously approved third parties upon the request of the personal information owner. Again, how all of this is to be accomplished remains uncertain, as well as what constitutes “updating”, “changing”, or “deletion”. In traditional databases this should not be an issue, but for service providers utilizing blockchains to handle personal information, the specific definition of these terms is vital.

Once those handling personal information receive a request to update, change, delete, or stop providing information as outlined in the last paragraph, they must not only make the requested alteration but must then notify the personal information owner that such alteration has been accomplished. If they are unable to make such alteration for “technical or other factors”, they must notify the personal information owner of the same. Whether this broad exception would include the foreseeable difficulties of blockchains in amending or deleting information is uncertain, as it is untried. The law on network information security is six years old, after all.

8. Deleting Personal Information

The eighth obligation is for those handling personal information to delete the stored personal information at the expiration of any information storage requirement. This requirement changes depending on the purpose of collecting the information and the industry of those handling personal information. For specific guidelines look at the relevant laws governing specific sectors.

9. Maintain Managerial and Technical Standards

The ninth obligation is to take “appropriate” measures to ensure that the management of handled personal information and the technical standards for such handling are sufficient as to protect the personal information that is collected and stored. Any individual or organization that has an information system must either appoint a manager to ensure network information security or, if there is no such manager, then direct the IT staff to specialize in information security. Whoever is ultimately in charge of information security for the information system must ensure that the information system has been properly classified as to the nature of its information system (see discussion under point 1 above) and organize the implementation of network information security according to such classification’s requirements, organize the inspection and assessment of safety measures and risks to the information system, provide training to those involved with network information security, and coordinate with the Ministry of Information and Communications regarding network information security infrastructure. The technical standards are also defined according to the classification of the information system and are rather technical so I won’t go into them here.

10. Remedy Technical Incidents and Risks

The tenth and final obligation involves “technical incidents or risks.” Whenever a technical incident occurs or a risk is discovered, those handling personal information must take remedial action and “blocking measures” as soon as possible. There is no requirement to notify the owners of personal information, or even the government authorities of any such technical incident or risk. The only requirement is to remedy the problem.

Conclusion

Oftentimes it is difficult to know what the law requires. Coming from a Common Law background, where such ambiguities in the statutes could be interpreted by courts, it is particularly difficult to understand what the legislature of Vietnam intends. In trying to figure out who has to comply with data privacy laws, the difficulties are immense. Poor drafting and vague language make it unclear who has to comply with the rules. This is particularly vexing for service providers based outside the territory of Vietnam that have customers or users inside Vietnam. Do they need to comply with Vietnam’s privacy laws or don’t they? Unfortunately, the answer is unclear, and as the law stands, the government can pick and choose when it wants to apply the law.

Sure, there are three changes to the law under consideration that could clarify this confusion for various sectors, but they aren’t law yet and for service providers operating in the now, the status of compliance remains under a cloud.

But if it is determined that a service provider falls within the scope of the law and must comply with Vietnamese regulations on data privacy, then there are ten specific obligations by which they must abide. From technical standards to consent requirements to preservation and, ultimately, the destruction of data, service providers can know their duties. Those are clear and, in fact, rather minimal. Unlike the EU’s GDPR or California’s Consumer Privacy Act, Vietnam’s existing data privacy laws are lax and outdated. As I mentioned above, a new law is currently in the drafting stage and should revolutionize the country’s data privacy regime. But for now, service providers must live with the uncertainty of the law on network information security and not knowing whether they are “protecting” “information” “in” Vietnam or not.