Data Law 2024: novel provisions on data
This article introduces highlights of Data Law 60/2024/QH15 adopted by the National Assembly on November 30, 2024, particularly defining for the first time categories of data, data owner and its rights to data, and data products and services.

Luu Tien Ngoc, Le Tuan Anh, Vuong Son Ha (Vision & Associates)[1]

Inside the Vietnam Post and Telecommunications Group’s Internet Data Center at Hoa Lac Hi-Tech Park, Hanoi. Photo: VNA

Currently, in Vietnam, there are many laws regulating databases, including national databases and specialized databases. They are the Law on E-Transactions, Law on Cyber Security, Law on Cyberinformation Security, Law on Telecommunications, and Law on Information Technology. However, existing laws do not specifically or consistently regulate activities in the process of data processing and management, such as data collection, digitization, quality assurance, data storage, etc.; the development platform and application of high technology in data processing; and the creation of databases compiled from national databases and specialized databases. They also fail to cover the products and services related to data which are developing in the world such as data exchanges, data intermediary services, data analysis and synthesis services, etc. Meanwhile, the establishment of a data market, the formation and development of products and services related to data in Vietnam today play a very important role. It is considered a breakthrough factor to gradually create and promote the opening of the data market in Vietnam, using the data market as a driving force for data development, promoting digital transformation (not only for state agencies but also for enterprises) in all sectors and fields in Vietnam.

For the above-mentioned purposes, along with collection of public opinions to finalize the draft Law on Personal Data Protection, on November 30, 2024, the National Assembly passed Data Law 60/2024/QH15 (Data Law). The Data Law will take effect on July 1 this year and applies not only to Vietnamese agencies, organizations and individuals and to foreign agencies, organizations and individuals in Vietnam, but also to foreign agencies, organizations and individuals directly participating in or related to digital data activities in Vietnam.

Within the scope of this article, we would like to summarize some notable contents of the Data Law.

Interpretation

The Data Law provides several new definitions such as:

(a) “Digital data” which means data about objects, phenomena, events, including one or a combination of sounds, images, numbers, writings, symbols expressed in digital form (below referred to as data);

(b) “Open data” which means data that any agency, organization, or individual, if necessary, can access, share, exploit, and use;

(c) “Original data” which means data created during the operation of an agency, organization, or individual or collected and created from digitizing original documents, papers, and other forms of material;

(d) “Important data” which means data that can impact national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety on the list issued by the Prime Minister;

(e) “Core data” which means important data that directly affects national defense, security, foreign affairs, macroeconomics, social stability, health and public safety on the list issued by the Prime Minister;

(f) “Data administrator” which means an agency, organization or individual that carries out activities of building, managing, operating and exploiting data at the request of the data owner;

(g) “Data owner” which means an agency, organization or individual that has the right to decide on the building, development, protection, administration, processing, use and exchange of the value of the data it/he/she owns;

(h) “Data owner’s rights to data” which means property rights as prescribed by civil law.

Among these definitions, some are different from those specified in Decree 13/2023/ND-CP of July 14, 2023, on personal data protection, such as “data subject” which means an agency, organization, or individual reflected by data; and “data processing” which refers to the process of receiving, converting, organizing data, and other activities related to data to serve the operations of agencies, organizations, or individuals.

Principles of application

The Data Law stipulates that in case another Law promulgated before the effective date of the Data Law has provisions that are not contrary to the principles of this Law, the provisions of that Law will prevail. If such Law has provisions different from those of the Data Law, it is necessary to specifically identify the issues that are required and not required to comply with the Data Law and those that will comply with that other Law. Thus, the Data Law does not provide for handling the cases where other laws enacted before the effective date of the Data Law contain the provisions contrary to the principles of the Data Law.

Data processing

Data collection and creation

The Data Law stipulates that:

(a) Data is collected and created from sources, including: direct creation; and digitization of documents, papers and other forms of material. The original data created has the same value as the original documents, papers and other forms of material that are digitized.

(b) Organizations and individuals have the following rights and responsibilities regarding data collection and creation activities: (i) collecting and creating data to serve their activities in accordance with law; (ii) having the rights of data owners protected according to the Data Law, civil law and other relevant laws; and (iii) being held responsible for the data they collect and create according to law.

Data classification

Data owners and data administrators who are not state agencies must classify data according to the importance of the data into: core data, important data, and other data; and classify data according to other criteria. The Government will prescribe criteria for determining core data and important data.

Provision of data to state agencies

Organizations and individuals must provide data to state agencies when requested by competent authorities without the consent of the data subject in one of the following cases: responding to a state of emergency; when there is a threat to national security but not to the extent of declaring a state of emergency; disaster; and preventing and combating riots and terrorism. The state agencies receiving data, for their part, have the responsibility to use the data for the proper purpose; ensure data security, data protection, and other legitimate interests of data subjects, organizations, and individuals providing data in accordance with law; destroy data immediately when the data is no longer necessary for the requested purpose and notify the data subjects and organizations or individuals providing the data thereof; and notify the storage and use of data upon request of organizations and individuals providing the data, except in cases of protecting state secrets and work secrets.

Data certification and authentication

Data certification is performed by the data owner, data administrator or electronic authentication service provider. Certified data has the value of proving the existence, time and storage location of data in the cyberspace according to the Data Law and other relevant laws.

Data authentication is performed by the data owner or data administrator who creates the original data, electronic authentication service provider, or the National Data Center. Authenticated data has the same value as the original data stored in the national database, specialized database or other database within a certain scope and time.

Data encryption and decryption

Data classified as state secrets must be encrypted using cryptographic codes when stored, transmitted, received, and shared on computer networks. The data owner or data administrator decides to encrypt and decrypt data using one or more encryption solutions and encryption and decryption processes appropriate to their data administration and management activities. However, the competent state agencies are entitled to apply measures to decrypt data without the consent of the data owner or of the data administrator in one of the following cases: state of emergency; when there is a threat to national security but not to the extent of declaring a state of emergency; disaster; and prevention and control of riots and terrorism.

Cross-border transfer of data

Agencies, organizations and individuals may freely transfer data from abroad to Vietnam, process foreign data in Vietnam, and have their legitimate rights and interests protected by the State in accordance with law. The cross-border transfer and processing of core data and important data, including: transferring data stored in Vietnam to data storage systems located outside the territory of Vietnam; Vietnamese agencies, organizations and individuals transferring data to foreign organizations and individuals; and Vietnamese agencies, organizations and individuals using platforms outside the territory of Vietnam to process data must ensure national defense, security, protect national interests, public interests, and lawful rights and interests of data subjects and data owners in accordance with Vietnam’s law and treaties to which Vietnam is a contracting party.

Identification and management of risks arising in data processing

Risks arising in data processing include: privacy risks, network security risks, identification and access management risks, and other risks implied in data processing. Data owners who are not state agencies have to self-assess, identify risks, and implement measures to protect data; promptly remedy risks that arise; and notify data subjects, relevant agencies, organizations, and individuals. Owners of core data and important data must periodically conduct risk assessments for such data processing activities according to the regulations and notify specialized units in charge of cyber security and information security under the Ministry of Public Security, Ministry of National Defence, and relevant agencies to coordinate in implementing data security protection.

Other activities in data processing

Data owners and data administrators who are not state agencies are responsible for establishing procedures and implementing measures and methods to retrieve, delete or destroy data at the request of data subjects.

Data protection

Data protection measures are applied throughout the entire data processing process, including: (a) developing, and organizing the implementation of, data protection policies and regulations; (b) managing data processing activities; (c) developing and implementing technical solutions; (d) training, further training, developing, and managing human resources; and (e) other data protection measures as prescribed by law.

Data owners as well as data administrators managing core data and important data must comply with the data protection regulations.

Data exploitation

Data in the National General Database has the same value of exploitation and use as original data. Organizations and individuals other than Party agencies, state agencies, socio-political organizations, and data subjects may freely exploit and use open data; personal data of others, provided they obtain the consent of the National Data Center and individuals who are the subjects of exploited data; and other data with the consent of the National Data Center. Data exploitation and use are carried out through connecting and sharing data between national databases, specialized databases, databases, information systems other than the National General Database; the National Data Portal, National Public Service Portal, portals, and information systems for processing administrative procedures; the electronic identification and authentication platform; the national identification application; and equipment, means, software provided by the National Data Center, and by other methods.

Organizations and individuals exploiting and using their own data in the National General Database and other databases managed by state agencies are not required to pay fees. Organizations and individuals other than Party agencies, state agencies or socio-political organizations exploiting and using data of other organizations and individuals in the National General Database and other databases managed by state agencies must pay fees in accordance with the law on charges and fees.

Data products and services

The Data Law for the first time defines data products and services, including:

(a) Data intermediary: Data intermediary products and services are products and services that establish commercial relationships between data subjects, data owners and users of products and services, through agreements for the purpose of exchanging, sharing, accessing data, and exercising the rights of data subjects, data owners and data users. Organizations providing data intermediary products and services must be registered for operation and managed in accordance with the law on investment, except cases of providing data intermediary products and services within the organizations. 

(b) Data analysis and synthesis: Data analysis and synthesis products are the result of the process of analyzing and synthesizing data into useful in-depth information at different levels according to the requirements of the product users. Data analysis and synthesis services are the activities of analyzing and synthesizing data according to the requirements of the service users. Organizations that trade in data analysis and synthesis products and services that may cause harm to national defense, security, social order and safety, social ethics, and community well-being must register their operation and be managed according to the law on investment.

(c) Electronic authentication: Electronic authentication services perform data authentication in national databases, specialized databases, the electronic identification and authentication system provided by public non-business units and the state enterprises that meet the conditions for provision of this service.

(d) Data exchanges: The organization providing data exchange services is a public non-business unit or state enterprise that meets the conditions for provision of this service and is licensed to be established in accordance with law. Data that is not allowed to be traded includes: (i) data that is harmful to national defense, security, foreign affairs, and cryptography; (ii) data that is not agreed to by data subjects, unless otherwise provided by law; and (iii) other data that is prohibited from being traded in accordance with law; and will be specified by the Government.

In addition, the Data Law also stipulates the rights and obligations of organizations providing data products and services. Accordingly, organizations providing data intermediary products and services, data analysis and synthesis services enjoy the same incentives as enterprises operating in the fields of high technology, innovation, creative startups, and digital technology industry. Meanwhile, organizations providing data intermediary products and services, data analysis and synthesis services, and data exchange services also have a number of responsibilities such as: providing services to organizations and individuals on the basis of agreements in service provision contracts; ensuring information receipt channels and smooth and continuous use of services; and monitoring behaviors that may affect data protection; etc.

[1]

Hanoi Office

Add: Unit 308-310, Floor 3, Hanoi Towers

49 Hai Ba Trung St., Hoan Kiem Dist., Hanoi, Vietnam

Tel: +84-24-3934 0629 Fax: +84-24-3934 0631

Email: vision@vision-associates.com

Ho Chi Minh City Office

Add: Unit 905, Floor 9, CitiLight Tower

45 Vo Thi Sau St., District 1, HCMC, Vietnam

Tel: +84-28-3823 6495 Fax: +84-28-3823 6496

Email: hcmvision@vision-associates.com

Website: http://www.vision-associates.com

 
