To finish up the rather long review of data privacy regulations in e-commerce, including data localitzation and cybersecurity issues, I thought I would share our overview we prepared of relevant commitments in these areas in international agreements to which Vietnam has recently become a member. Without looking at every bilateral treaty, we have reviewed the relevant data privacy issues in the RCEP, the CPTPP, the EV and UKV FTAs, and relevant ASEAN agreements. These agreements are the agreements most likely to affect the application of laws in Vietnam in the near future as Vietnam seeks to bring its legislation into line with technological advancements.
The Regional Comprehensive Economic Partnership dated 15 November 2020 (“RCEP”) and has yet to enter into force. (https://rcepsec.org/wp-content/uploads/2020/11/Chapter-12.pdf)
- Article 12.6 provides for the acceptance of electronic signatures though it allows each party to the RCEP to require that electronic signatures be certified by organizations authorized by that party;
- Other articles provide for the development and publication of regulations for consumer protection and data protection. Most of the language used in Chapter 12 is broad and noncommittal and requires only that a party comply with international standards; and
- Article 12.14, however, provides that “No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that Party’s territory.” Though it continues and allows for a party to adopt or maintain “any measure that it considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties.”
The Comprehensive and Progressive Agreement for Trans-Pacific Partnership signed on 8 March 2018 and entered into force for Vietnam on 14 January 2019 (“CPTPP”). (https://ustr.gov/sites/default/files/TPP-Final-Text-Electronic-Commerce.pdf)
- The CPTPP provides for e-commerce in Chapter 14, personal information means any information, including data, about an identified or identifiable natural person; While the CPTPP provides that no party may deny the validity of a signature simply because it is electronic, each party is allowed to require that certification of e-signatures occur by an entity accredited by that party;
- Provisions on consumer protection and the development and publication of personal information protection regulations are included. As are basic understandings on cooperation in developing cybersecurity capabilities between the parties;
- Article 14.11 provides that data must be allowed to be transferred cross-border except in cases where to prevent such would serve a legitimate public policy objective, provided that the measure “is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and does not impose restrictions on transfers of information greater than are required to achieve the objective.”; and
- Article 14.13 imposes the same conditions on data localization on each party to the agreement.
The European Union-Vietnam Free Trade Agreement signed 30 June 2019 and entered into effect on 1 August 2020 (“EVFTA”)
While Chapter 8 of the EVFTA covers issues of trade, services, and e-commerce, it does not contain any immediate commitments on issues of e-commerce, data protection, or data localization other than that it calls for the formation of a committee to develop unified principles and regulatory regimes as far as these are concerned.
The United Kingdom-Vietnam Free Trade Agreement signed on 29 December 2020 and entered into effect on 1 May 2021 (“UKFTA”)
The UKFTA largely follows the EVFTA, though it adds a customs restriction that prevents either party from imposing customs duties on the electronic transmissions across borders of the other party. In addition, the UK and Vietnam agree to cooperate on developing e-commerce opportunities including the recognition of certificates of electronic signatures issued to the public and the facilitation of cross-border certification services; the treatment of electronic signatures; unsolicited electronic commercial communications; and consumer protection.
The ASEAN Framework on Personal Data Protection adopted by ASEAN States on 25 November 2016 (the “PDP ASEAN Framework”)
The PDP ASEAN Framework is not, technically, a commitment. It only sets out aspirational principles to which the countries of ASEAN can work towards and agree are desirable. As far as data protection is concerned, it addresses the following areas:
- Consent, notification, and purpose for collecting data;
- Accuracy of personal data;
- Security safeguards;
- Access and correction to personal data collected;
- Cross-border transfers of personal data;
- Retention; and