The Law on Data was passed by the National Assembly on November 30 last year and will officially take effect on July 1. The decrees guiding the implementation of the law are under public consultation until the end of this month. Hà Thị Dung, partner at Mori Hamada Vietnam*, speaks to Việt Nam News reporter Bảo Hoa about the highlights of the law, which play an important role in regulating Việt Nam’s digital environment.

Hà Thị Dung, partner at Mori Hamada Vietnam law firm. — Photo courtesy of Mori Hamada Vietnam

What is your general understanding of the Law on Data?

According to the document introducing the draft Law on Data, the goal of the law is to provide a legal basis for Vietnamese State agencies to build a comprehensive national database, which will be a centralised database that can support the State in building a digital Government.

Việt Nam has wanted to build a digital Government for a long time, but has not been able to have all systems and data in sync. The data law is one of the laws that aims to support the Government in collecting and building a consistent national database. It also aims to create a legal basis for State agencies and organisations to collect data and build, manage, operate, connect, share and use that database.

A major focus of the law is on cross-border data transfers. Can you explain what they are?

There are three cases of cross-border data transfers stipulated by the law. They are when data stored in Việt Nam is transferred to data storage systems outside the country, when Vietnamese agencies, organisations and individuals transfer data to foreign organisations and individuals, and when they use platforms outside of Việt Nam to process data.

However, only in cases where the data transferred is ‘core’ and ‘important’ must data transferors submit impact assessment documents before transferring. The criteria for assessing the data are not provided in the law or in the draft decree regulating the implementation of the law, but in the draft decision of the Prime Minister on core and important data.

The criteria in this draft decision are also quite broad, but they do point towards banks, insurance companies, credit organisations, hospitals, e-commerce platforms, intermediary payment services and social media platforms… that will be subject to filing an impact assessment.

What else should be noticed about the law?

Another important point is that this is an official legal document by the State that recognises ownership of data as a property right as prescribed by civil law. This has many impacts and legal implications. It means that parties which own data have the rights of a property owner to buy, sell, give, exchange and decide what to do with the data. It also applies to when a party steals data.

A case in point is when a hacker breaks into a system and steals data. Currently, the legal responsibility of this case is only related to the crime of illegally accessing another person's computer network, telecommunications network or electronic device. But when the data law comes into effect, it can become a type of property theft, and the probability of considering the hacker as having committed a crime is higher – especially since the value of the stolen property doesn't need to be high to constitute a crime. In fact, the value is quite low: only VNĐ2 million (US$78) needs to be stolen. So an individual who steals employee data or corporate data can also be considered for theft of property charges.

There are many implications behind the recognition of data ownership as a property right. This is what the Vietnamese legislature is gearing up for, similar to the draft Law on Digital Technology Industry, which regulates that ownership of digital products can be established as a property right.

Do the cross-border data transfer regulations restrict the flow of data and contradict other laws on the digital economy, especially the Law on Digital Technology Industry, which aims to boost the development of artificial intelligence in Việt Nam, requiring substantial data exchanges?

There are actually no provisions in the Law on Data that prohibit transferring data out of Việt Nam, it just requires data transferors to carry out an impact assessment before transferring. Data transfer will only be stopped when the transferred data is discovered to be used for activities that violate national security and interests, the legitimate interests of organisations and individuals that are the data owners, or when data loss or disclosure occurs. However, if data transferors comply and submit impact assessment documents before transferring, they can still transfer data and will not be restricted.

In my opinion, the Law on Data does not contradict other laws that govern technology development, products using artificial intelligence or the Internet of Things, such as the Law on Digital Technology Industry. But it will increase the cost of compliance for data transferors. They will have to do a data audit and carry out annual or periodic assessments to comply with the law. — VNS

*Mori Hamada Vietnam is part of Mori Hamada & Matsumoto, a law firm headquartered in Tokyo, Japan.