Although Vietnam has passed various legislation on data privacy and cybersecurity in recent years, the Government has not officially promulgated any specific guidelines. The Ministry of Public Security is collecting opinions from various state agencies and organizations in order to finalize the draft data privacy regulations but there is no certainty around the final date of promulgation.
One consistent key principle throughout the currently effective data privacy legislation is that a data subject must consent to any collection, processing, use and/or transfer (including cross-border transfer) of his/her personal information, and any use of his/her information should be limited to the purposes as informed to and agreed by the data subject.
Although a data subject is permitted to request the deletion of his/her personal data and the data processors must carry out this request in a timely and prudent manner, it may become impossible to do this in respect of personal data stored on the blockchain since such personal data will be permanently recorded in the blockchain ledger.
In the absence of a detailed cybersecurity framework, local authorities have limited flexibility and increased risk exposure. The recent prominent data breach resulting in the disclosure of 17GB of Vietnamese identification card information on Raid Forums was arguably linked with the Know-Your-Customer regime imposed by the digital currency platform Pi Network.[5] Although this particular incident does not directly relate to NFTs, it illustrates the practical implications of data breaches involving offshore elements, where the Government seemingly did not take any specific action against the alleged data breach and the lawful interests and obligations of the relevant parties were left unaddressed.
On 1 October 2022, Decree No. 53/2022/ND-CP providing guidance on implementation of certain articles of the Law on Cybersecurity (2018) (“Decree 53”)entered into effect, requiring domestic entities to localize storage of certain data and requiring foreign entities to do the same upon occurrence of a series of conditions. Decree 53 generally requires that data of organizations and individuals using cyberspace in the Vietnam territory (service users), including personal information of service users, data created by service users and data on relationships among service users, must be stored in Vietnam. However, data localization requirements differ depending on whether an organization is a domestic or a foreign enterprise. Domestic enterprises (which are enterprises established or registered in accordance with Vietnamese law and having their head-offices in Vietnam) must store data within the territory of Vietnam. Foreign enterprises (which are enterprises established or registered in accordance with foreign laws), only have a conditional obligation to store data in Vietnam and to establish a branch or representative office in Vietnam which is triggered if all of the following conditions are met: (i) the products/services provided by the relevant foreign enterprise fall within one of ten categories of regulated services;[6] (ii) a breach of cybersecurity regulations is committed using the services provided; (iii) the enterprise receives a written notice from Vietnam’s Department for Cybersecurity and Prevention of High-Tech Crime under the Ministry of Public Security notifying it of breach(es) under the Law on Cybersecurity and requiring rectification; and (iv) the foreign enterprise fails to comply with the requests set out in the notice, and as a result the Ministry of Public Security issues a decision requiring data localization and establishment of a branch or a representative office within twelve (12) months from the date of the written notice. Decree 53 does not specify whether the data must be stored exclusively in Vietnam, and does not include express provisions restricting cross-border data transfer to servers located outside of Vietnam.
[5] VNExpress: Luu Quy & Phuong Son, Personal data leak affects thousands of Vietnamese
[6] Article 26.3(a) of Decree 53 provides that the ten categories are: (1) telecommunication services; (2) storage and sharing data services on cyberspace; (3) providing national or international domain names for service users in Vietnam; (4) e-commerce; (5) online payment; (6) payment intermediation; (7) transport connection services through cyberspace; (8) social networks and social media; (9) online video games; and (10) provision, administration or operating other information services on cyberspace in the form of messages, audio and video calls, emails, or online messaging Services.