Vietnamese authorities are reining in Big Tech’s access to data in their country, following extensive rules set by other regulators in Europe and China.
Businesses will have to seek state permission if they want to handle sensitive data or transfer data out of the country, thanks to the Decree on Personal Data Protection. They would also need to obtain explicit consent from users before collecting data, such as via pop-up windows on apps and websites.
Representatives from Google, Rakuten, and other firms have expressed concerns that tighter data rules may hinder Vietnam’s digital progress, according to a Nikkei Asia report. They argue for more practical and productive laws and say that the decree may violate international trade laws.
According to experts, certain parts of the decree may be hard to implement, especially as foreign companies control 80% of the country’s cloud computing.
The decree, however, has more pros than cons. John Berven, director of APAC at Solidatus, said that it is only natural for Vietnam to be in sync with other data privacy legislation as it becomes a digital giant.
Previously, there was no uniform legislation regarding the protection of personal data in Vietnam. Rules and regulations on personal data protection were instead found in several laws.
“The proliferation of said international and locally specific regulation is making the issue of compliance a critical one for large multinational businesses, particularly given the threat of sizable fines for non-compliance. As an idea of scope, Vietnam’s proposed regulation includes a robust set of rules which cover the rights of data subjects, cross-border data transfers, and the processing of sensitive personal information,” Berven added.
The decree will have a significant impact in a country where it has long been the norm to sell phone lists to spammers or transmit bank details via unsecured chat apps, Nikkei Asia further noted.
Le Ton Viet, an associate at Russin & Vecchi (Vietnam), said that the Vietnamese government has slowly introduced an enforcement regime for breaches and violations against personal data and cybersecurity. Previously, the government was not very active in imposing penalties on these types of violations.
“The theory is that companies are motivated to comply and the government is motivated to ignore violations that are not flagrant. In the end, businesses must be prepared to move from the previous lightly regulated legislative landscape of cybersecurity and privacy to a more vigorous environment,” Le Ton Viet said.