Internet users in Vietnam may see more pop-ups the next time they access TikTok or Amazon after Hanoi follows Europe and China in enacting extensive rules governing how companies use and move data.
Vietnam’s draft Decree on Personal Data Protection will force businesses to receive state approval if they want to process sensitive data or transfer data overseas. Businesses also would need to ask users for explicit consent to collect data, such as through windows that pop up on apps or websites.
An internet group representing Google, Rakuten, and others warns this could “damage” Vietnam’s digital ambitions and that more practical measures are needed, while the decree also could run afoul of free trade rules.
Observers say that parts of the regulation would be hard to implement—particularly with 80% of the country’s cloud computing controlled by foreign companies—but that it also strengthens data privacy in a country where it has long been the norm to sell phone lists to spammers or send bank details via unencrypted chat apps.
The decree, slated to take effect on December 1, follows Europe’s watershed General Data Protection Regulation and a similar law in China that went into force on November 1.
But unlike many governments, Hanoi takes a centralized approach to sensitive data, which it defines much more broadly. Any data related to health, finances, politics, location, life, and social relationships can be considered sensitive under the proposed rules.
This “very extensive” view of what constitutes sensitive data is critical, says Graham Greenleaf, professor at the University of South Wales in Sydney, because it means companies will have to register in order to process just about any data they wish to collect. The powerful Ministry of Public Security, which also enforces the controversial cyberlaw, will handle registrations.
For technology companies especially, the decree’s focus on the “principle of minimization” means organizations must collect only necessary data for a limited time and purpose, enforced with a fine of 5% of domestic revenue.
“The positive for individuals is they’ll have more rights [and] businesses will be more accountable,” said Nguyen Quang Dong, director of the Institute for Policy Studies and Media Development in Hanoi, noting the state’s duty to protect individuals from the “power or information asymmetry” that favors business.
But the proposal’s “compliance burden” will be a “big cost” to companies, so Vietnam should amend the rules to be more realistic, Dong said in an interview. Moreover, the large impact of the pending decree on US tech giants risks retaliatory tariffs from Washington, Dong said.
Greenleaf, meanwhile, expressed doubts in a recent paper that the government would be able to process all registrations in the 20 days required, considering that nearly all companies collect sensitive data under the draft’s broad definition.
As in many countries adopting their own forms of GDPR, Vietnam’s proposal would create a Personal Data Protection Commission, require companies to encrypt and anonymize data, and allow people to ask that their data be deleted or not sent to third parties.
The Asia Internet Coalition, whose members include Twitter, Yahoo, Booking.com, and Line, urged Vietnam to align “with global approaches” to avoid “unintended consequences.”
“Many of the provisions in earlier drafts would significantly restrict how data can be processed digitally,” AIC Managing Director Jeff Paine told Nikkei Asia. “This would damage Vietnam’s plans for digital transformation and to build a vibrant digital economy.”
Some of the draft’s strictest rules could run afoul of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). The successor to the TPP trade deal obliges a party to “allow the cross-border transfer of information by electronic means” and not to “require a covered person to use or locate computing facilities in that party’s territory,” under the e-commerce chapter.
The draft decree does not conform to either point, but the CPTPP makes an exception for “a legitimate public policy objective,” depending on the interpretation of members.
“There is also a big question as to whether the prospective requirement on regulatory approval for cross-border data transfer under the draft decree would be considered ‘imposing restrictions on transfer of information greater than are required to achieve the objective’ in view of other member states,” Tilleke & Gibbins law senior associate Waewpen Piemwichai told Nikkei Asia.
CPTPP states, which range from Japan to Australia to Peru, can sue fellow members for imposing undue restrictions. However, countries have agreed “not to sue Vietnam if Vietnam’s cybersecurity regulations are deemed to be inconsistent with the CPTPP agreement (specifically, the obligations concerning free cross-border information flow and server localization in the e-commerce chapter) within five years,” the trade ministry said.
Facebook said it did not “have anything new” to add about the regulation except to point to its earlier letter to Nikkei warning that Asia’s rules are “threatening the free flow of data across borders.”
Alibaba said it would not comment as the decree “is not yet finalized,” while Google, Gojek and Amazon Web Services—the latter believed to hold top market share in local cloud services—declined to comment. TikTok and ride-hailing startups Be Group and Grab did not respond to interview requests.
Waewpen said “big changes are coming” as companies likely must update contracts with staff, clients, vendors, and other partners to make sure there are no inconsistencies with the decree.
She also said it would be “more feasible [and] pragmatic” if companies had to register with the data commission only once, rather than each time they process sensitive data. It is currently unclear which route the government intends to take on this point.
The European Chamber of Commerce in Vietnam, one of many chambers that gave Hanoi input on the draft, agrees. EuroCham digital sector committee chair Bruno Sivanandan Roques de Borda said some businesses will not be able to afford all the compliance costs, including repeated licensing from the commission.
“There’s a massive amount of companies that will have to get that license,” he said in an interview.
His country, France, weighed similar rules but ultimately found them cumbersome. “It was too expensive to enforce,” he said.