At present, Decree No. 52/2013/ND-CP regulating e-commerce activities binds only Vietnamese entrepreneurs or legal entities based in Viet Nam. However, the scope is expected to be expanded under the newest draft amending and supplementing this decree. Specifically, the governed subjects will include foreign companies not based in Viet Nam.
Thus, in addition to conditions on investment and incorporation, regulations on data privacy protection are an issue that foreign companies must take into serious consideration from the very beginning.
1. Vietnamese laws on data privacy
Personal information in the e-commerce field includes names, ages, residential addresses, phone numbers, medical records, transactions and payments, and other information that an individual wishes to keep confidential. Nevertheless, this definition excludes business information and other information that people have already disclosed in the media themselves.
The definition does not cover data such as fingerprints, facial features, or irises, although these are quite often disclosed in non-cash payments or when signing in to applications. Under the Law on Cyber Information Security 2015, personal data is also defined as information attached to the identification of a specific person. Accordingly, this definition may be interpreted to mean that biometric recognition characteristics are deemed personal information.
2. Overview of noteworthy issues
First and foremost, an e-commerce company must publish a policy on data privacy (or personal information) protection, which shall include the following contents:
(i) Purposes of collection, the scope of use, and the storage period. Unless separately agreed between the e-commerce company and a user on the purpose and scope, or for providing products or services at the specific request of the user, or as required by law, the e-commerce company must not use collected data beyond the published purposes and scope;
(ii) Individuals or organizations who may be entitled to access the data;
(iii) The address of the organization that collects and manages the data, including contact methods so that consumers may inquire about the data collection and processing activities;
(iv) Manuals and tools for users to access and edit their data.
The policy must be presented to users before or at the time their data is collected, or displayed at a visible spot on the website of the company.
Secondly, the company must establish a mechanism that allows users to express their consent to the data collection. Such a mechanism may be implemented through the website of the company, emails, messages, or other methods agreed between the parties. At the same time, another specific mechanism must be set up that enables users to allow or not allow the company to use their information in the following circumstances:
(i) Sharing, disclosing, or transferring the information to a third party; or
(ii) Advertising, introducing products or services, and sending other pieces of commercial information.
Thirdly, the company must build a complaint settlement mechanism for events where personal information is used beyond the purpose and the scope of the data collection policy. Where the information system is attacked, leading to the potential risk that users' data is stolen, the company must notify the authorities within 24 hours of detecting the incident. Nonetheless, the notification does not appear to exempt the company from liability where the incident causes damage to users.
An e-commerce company is not required to locate its server in Viet Nam to store the data of Vietnamese users, even though, according to the law, an e-commerce company that collects, exploits, analyses, and processes Vietnamese users' data must establish a branch or representative office in Viet Nam to store the accumulated data. In practice, the implementation of this regulation remains pending and awaits guidance to be issued by the Government of Viet Nam. According to the draft decree detailing the implementation of the Law on Cybersecurity, updated as of 31 October 2018, an e-commerce company must have a branch or representative office based in Viet Nam to archive data in the following cases:
(i) The company lets its users commit acts infringing on national security and public order; violating ethics, fine customs and traditions; committing cybercrimes, namely terrorism, raids, espionage, etc.; or sabotaging the national security information system; and
(ii) The company directly acts against the operation of the network security force, or illegally disables network security protection measures; or
(iii) The company violates regulations on authentication of user information, or prevents sharing or removing information in violation of legal regulations at the request of competent state agencies.
In conclusion, given the increasingly strict requirements of the government concerning data privacy, along with the growing awareness of this issue among Vietnamese internet users, e-commerce companies must establish a transparent and effective system for protecting users' data in order to gain the complete trust of users, in addition to the quality of products and services. Besides, e-commerce companies may want to consult licensed local counsel about laws on data privacy prior to launching any project. This is because regulations on this matter are still on the way to consistency: provisions of the latest legislation and of former ones seemingly overlap and cause confusion in application.
If you have any questions or require any additional information, please contact Apolat Legal – An International Law Firm in Viet Nam.
This article is for general information only and is not a substitute for legal advice.