Cyber Law in Vietnam

Vietnam has been rapidly developing its cyber law framework, driven by a desire to protect national security, ensure social order, and safeguard personal data in the digital realm. This has resulted in a complex and evolving landscape, with new laws and decrees frequently being introduced or updated.

Here's an overview of the key pillars of cyber law in Vietnam:

1. Cybersecurity Law (Law No. 24/2018/QH14, effective January 1, 2019, and the upcoming Draft Consolidated 2025 Cybersecurity Law):

This is the cornerstone of Vietnam's cybersecurity regime. Its primary objective is to protect national security, maintain social order and safety in cyberspace, and protect organizations' and individuals' legitimate rights and interests.

Key provisions and requirements include:

Cybercrime Prevention and Control: Prohibits acts such as:

Organizing, inciting, or training people to oppose the State.

Distorting history, denying revolutionary achievements, undermining national solidarity, or discriminating based on religion or gender.

Cyberattacks, cyberespionage, and cyberterrorism.

Using cyberspace to commit crimes like fraud, gambling, or property appropriation (these are also covered by the Criminal Code).

Obligations for Service Providers (both domestic and foreign): The 2018 law controversially mandated data localization (storing certain regulated data in Vietnam) and, in specific circumstances, required foreign entities to establish a local presence (subsidiary or representative office).

Note on the Draft 2025 Cybersecurity Law: A draft of the consolidated 2025 Cybersecurity Law, currently undergoing public consultation and expected to take effect on January 1, 2026, removes the mandatory local office and general data localization requirements. However, businesses that collect, exploit, analyze, or process personal data of Vietnamese citizens must still comply with the new Personal Data Protection Law (discussed below).

The draft 2025 law introduces new obligations for service providers to:

Verify user identities.

Report cyberattacks within 24 hours.

Cooperate with authorities (e.g., suspending accounts, blocking websites involved in violations).

Prevent and address illegal online information (spam, fake news, infringing content).

Classification and Protection of Information Systems: Requires classification of IT systems based on their importance and the implementation of appropriate protection measures. National important information systems (e.g., in energy, finance, telecommunications) have stricter requirements.

Cybersecurity Standards and Technical Regulations: Sets out standards and regulations for IT products, services, and network equipment.

International Cooperation: Framework for cooperation with other countries on cybersecurity matters.

2. Personal Data Protection Decree (Decree No. 13/2023/ND-CP, effective July 1, 2023):

This is Vietnam's first comprehensive legal document specifically regulating personal data protection, marking a significant step towards aligning with international data privacy standards like the GDPR.

Key aspects include:

Extraterritorial Scope: Applies to Vietnamese and foreign entities directly involved in or related to personal data processing activities in Vietnam.

Definitions: Introduces key definitions such as "personal data," "sensitive personal data," "data controller," and "data processor."

Consent Requirements: Emphasizes explicit, voluntary, and informed consent from data subjects for processing their personal data. Silence or non-response is not considered consent.

Data Subject Rights: Grants data subjects rights to be informed, consent, access, withdraw consent, delete data, and restrict data processing.

Impact Assessments: Requires Data Controllers and Data Processors to conduct and submit Personal Data Processing Impact Assessments (PDPIA) to the Ministry of Public Security. Cross-border Transfer Impact Assessments (TIA) are also required for overseas transfers of personal data.

Prohibition on Data Trading: Strictly prohibits the buying and selling of personal data, unless otherwise permitted by law.

No Legitimate Interest Basis: Unlike GDPR, it does not recognize "legitimate interest" as a legal basis for processing data without consent, making consent even more crucial.

Supervising Authority: The Department of Cybersecurity and High-tech Crime Prevention within the Ministry of Public Security (MPS) is responsible for enforcing the decree.

3. Data Law (Law No. 60/2024/QH15, effective July 1, 2025):

This relatively new law, fast-tracked through the legislative process, aims to establish a comprehensive framework for digital data governance in Vietnam, covering both personal and non-personal data.

Key features include:

Broader Scope: Regulates digital data in general, including concepts like "digital data," "important data," and "core data."

Data Ownership and Management: Recognizes data ownership for the first time and provides a basis for government control over "core data" and "important data" transfers across borders.

National Databases: Aims to establish a National Data Center and a National Comprehensive Database.

State Access to Data: Allows state agencies to request and decrypt data without owner/administrator consent in specific emergency or national security situations.

4. Other Relevant Laws:

Law on Information Technology (2006): One of the earlier laws addressing IT and some aspects of data protection.

Law on Network Information Security (2015): Focuses on the security of information systems and data protection.

Criminal Code (2015): Contains provisions criminalizing cyber-related offenses like cyber fraud, using computer networks for property appropriation, and other high-tech crimes. Penalties can be severe, including lengthy prison sentences and fines.

Law on E-Transactions (2023): Regulates electronic transactions and digital signatures.

Law on Protection of Consumers' Rights (2023): Includes provisions related to consumer data protection.

Challenges and Considerations for Businesses:

Evolving Landscape: The rapid pace of legislative change requires constant monitoring and adaptation for businesses operating in or dealing with Vietnamese data.

Ambiguity and Implementation: New laws often come with a need for guiding decrees and circulars, which can cause initial uncertainty regarding practical implementation.

Compliance Burden: The strict consent requirements, impact assessments, and reporting obligations under Decree 13/2023/ND-CP place significant compliance burdens on entities processing personal data.

National Security Focus: Vietnam's cyber laws have a strong emphasis on national security and social order, which can lead to broad interpretations and potentially impact freedom of expression and data flow.

Enforcement: The Ministry of Public Security plays a central role in enforcing these laws, and businesses face significant penalties, including fines and potential criminal liability for senior managers, for non-compliance.

Companies operating in or targeting Vietnamese users must ensure their data processing, cybersecurity, and online content practices strictly comply with Vietnam's complex and increasingly stringent cyber law framework. Consulting with local legal counsel is highly advisable.
