Personal Data Leaks in Vietnam

Indochine Counsel

25th May 2021

Personal data leaks, cyberattacks, Vietnam's cybersecurity law and its stalled implementing decree, and the lack of guidance on cyberattacks is discussed.

According to an article in VN Express International’s website (see Personal data leak affects thousands of Vietnamese) the news of a major leak of personal data was announced. (Other articles covered the news in the Vietnamese language, but for purposes of discussion, the English language story will work best.) The data, which comprised 17 GBs of personal data, was posted on a notorious hacker site that is known for the sale of personal data and other illegal activities. The data allegedly came from the Pi Digital Currency, or a related site, and consisted of Know Your Customer data that had been collected from Vietnamese users in registering to mine the cryptocurrency.

This gives rise to a goodly number of issues.

First, per Vietnam’s cybersecurity law, a cyberattack includes among other things, acts of:

Infiltrating, harming or appropriating data stored or transmitted on a telecom network, the Internet, a computer network, information systems, information processing and control systems, database or e-facility;

Thus, if the illegal appropriation of data occurred in Vietnam, it would be deemed a cyberattack and the appropriate response would be meted out. That response, according to law, would include–according to the cybersecurity law–action on the part of the cybersecurity task force to coordinate with the system administrators to determine the origin of the cyberattack and collect evidence. System administrators are required to promptly and completely comply with requests for information from such a task force. Lovely law that it is, the cybersecurity law does not actually contain a prohibition against cyberattacks and the only penalty is imposed for violations of the law. More useful, perhaps is the law on network information security which requires that administrators who discover a data breach must act quickly and decisively to fix the breach.

While the law on network information security has been the subject of some implementation legislation–none of which actually addresses this issue–the cybersecurity law’s implementing decree has been bogged down in consideration for nearly two years. There is minimal guidance for actually dealing with a cyberattack and, even then, it must either be in relation to national security or “cause serious harm to social order and safety” before the cybersecurity task force will even begin an investigation. It is estimated that this week’s data leak only affected approximately 10,000 individuals. Whether this constitutes serious harm to social order and safety is a good question and may result in minimal or no action on the part of the government to address the leak.

A second consideration that is very relevant is the source of the leak. Per the article, the individuals whose data was leaked were all mining cryptocurrency for an internationally located blockchain. This gives rise to a couple of issues. First, as the Pi Digital Currency is not located in Vietnam, the ability of the Vietnamese government to take any action against the entity which collected the personal data is basically nonexistent. This, despite numerous legislative attempts to improve the reach of Vietnam’s jurisdictional control in cyberspace, proves Vietnam’s ineffectiveness in dealing with cross-border violations of its laws when those providers fail to comply with Vietnam’s laws. In draft form at the moment are provisions that would allow the government to block such sites from access to Vietnamese cyberspace upon repeated violations, but in the absence of a Chinese-style control of the country’s internet, there is little Vietnam’s government can do to prevent access to Vietnamese data by foreign providers.

The additional issue that the leak’s source raises is that of cryptocurrency itself. While the government has repeatedly made it clear that Vietnam does not allow cryptocurrency as a means of payment and does not deem digital currency as legal tender, Vietnam is in the forefront of global cryptocurrency adopters. One report stated that over half of the cryptocurrency transactions come from three countries in Asia, one of which was Vietnam. By refusing to acknowledge cryptocurrency as a means of payment the Vietnamese government has also failed to deal with the large number of its citizens involved with mining cryptocurrency and holding cryptocurrency assets in electronic wallets and other e-locations offshore. As this data leak demonstrates, Vietnam is all in when it comes to cryptocurrency despite what its government says and, if the government truly wishes to protect its citizens, should address the issues revolving around cryptocurrency rather than sticking its head in the sand like some Southeast Asian ostrich.

And for the sake of consistency, I’ll repeat my frequent argument one more time. Technology is progressing at a rapid pace and the Vietnamese legislative model is glacial. If the government truly wishes to prevent abuse and to regulate, and ultimately tax, the technology that is becoming profuse globally and locally, then they need to develop some means to tackle fast-moving issues in an equally rapid way. They have recently approved a pilot program for digital money targeting the unbanked and poor, and have a longstanding proposal for a regulatory sandbox in the fintech area (that excludes cryptocurrency) but there has been no concrete action. These ideas remain as pilot schemes or proposals, and have been so for quite some time. Something needs to change if the government doesn’t want to be left behind by a citizenry eager to capitalize on technological advancements that promise new means for wealth acquisition and equal efforts to abuse and defraud.

Please Login or Register for Free now to view all updates and articles

Login Sign Up

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

Overview notes on the law
Thousands of high quality translations of legislation covering all key business areas
Legal and tax updates
Articles on important legal and tax issues
Weekly email alerts
Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

Indochine Counsel

Vietnam
www.indochinecounsel.com

Established in October 2006, Indochine Counsel is a leading commercial law firm in Vietnam. Offering services throughout Vietnam, Indochine Counsel is ideally positioned to assist international investors and foreign firms to navigate the legal landscape in one of Asia's most dynamic and exciting countries. We also take pride in our services offered to domestic clients in searching for opportunities abroad. With over 45 lawyers and staff in two offices, Ho Chi Minh City and Hanoi, Indochine Counsel offers expertise in a dozen practice areas and provides assistance throughout the entire life cycle of your business.

Based on the principles of Excellence, Professionalism and Ethical Lawyering, Indochine Counsel strives to give clients quality service in a timely manner. Our lawyers have been trained all over the globe and have experience with both local and international law firms. Indochine Counsel takes pride in its people and works hard to ensure that they have the support and training necessary to work at the peak of excellence.

Indochine Counsel’s objective is to provide quality legal services and add value to clients through effective customized legal solutions that work specifically for the client. The firm represents local, regional and international clients in a broad range of matters including transactional work and cross-border transactions. The firm’s clients are diverse, ranging from multinational corporations, foreign investors, banks and financial institutions, securities firms, funds and asset management companies, international organizations, law firms to private companies, SMEs and start-up firms.

Click here to view the author's profile