5.1.1. Political narratives

In Vietnam, cybersecurity and data control have been the prominent fronts by which the state exercises surveillance and manages the population while protecting state sovereignty in cyberspace (Bui, Reference Bui2015, p. 98). Since 2012, the party-state has introduced administrative decrees with strict measures to force foreign content providers to increase cooperation with Vietnamese authorities by removing illegal content and potentially housing data centres within the country (Bui, Reference Bui2015, p. 98). However, since 2018, the state has subtly incorporated data protection policies into the cybersecurity policy. This part explores how the state has constructed a semantic data privacy domain within the broader cyberspace regulation architecture.

Data privacy regulation has been constructed as a semantic subset of public security and national interests in three ways. Firstly, the viral news of massive global data breaches in mid-2018 had been widely portrayed by Vietnamese state-sponsored media agencies as a threatening risk. The widespread messages reached the audience through mediated channels, generating public worries about the danger that the lack of data protection rules would bring to civilian lives. Secondly, public discourse has subtly included the epistemic link between mass citizen data protection and national sovereignty interests. Thirdly, the “imperative-compliance” logic has been constructed through the apparent choice of words related to criminal law and administrative measures. These constructive discourses generated a canvas against which the dialogues regarding data privacy are deployed.

Since the outbreak of global privacy concerns, with repeated news on large-scale breaches and threats in mid-2018, the information security problem has received effervescent social interest. In Vietnam, state-controlled and private media agencies reported major data infringement cases in alerting tones, igniting discussions on social media posts and private conversations.

The media’s propaganding efforts consolidated awareness of data protection as a matter of public security in Vietnam. While many news and media agencies operate simultaneously in Vietnam, news and messages reported by state-sponsored agencies such as Nhân Dân or VTV News often represent the official party-state opinion. These articles send clear and authoritative signals of the seriousness of the issue. In these reports, personal data processing by non-state and foreign entities is portrayed as a high-risk practice that could affect civil safety and people’s ordinary lives. In addition, strict controlling measures for personal data management are depicted as the only effective tool to confront the risks. As this news received flaming attention, state-based and private agencies swiftly called for implementing the Law on Cybersecurity, justifying the need for state control over the internet to ensure national security. A People (Nhân Dân)’s article bluntly declared in its title that “Protecting Cybersecurity is for the interest of the nation and the interests of the people” (Nhân, Reference Nhân2018a; Nhân, Reference Nhân2018b; Nhân, Reference Nhân2020a).

The security discourse was soon extended to include national sovereignty. For example, an article published on Tuoi Tre, a major media agency under the authorities of the Ho Chi Minh Communist Youth Union, stated bluntly, “To protect personal data is to protect national sovereignty in cyberspace.” In the Tuổi Trẻ article, data breaches are “calamities” (vấn nạn) that should be “eliminated” (xóa sổ) (Tuổi Trẻ News, 2023). In the Vietnamese language, social issues are often referred to as “problems” (vấn đề). The term “calamity” is only used when referring to serious social problems, such as crimes that must be controlled and moderated by public security forces. Within a broader cybersecurity framework, data is regarded as a form of civil information that, once mined by powerful entities, will cause collective harm to the people. In a closed meeting with various stakeholders, a high-class cadre who assumes superior leadership in the Department of Radio, Television and Electronic Information under the MoIC claimed that the “information problem” was “a problem of ideology” that needed effective state control. This discourse is later extended by floods of news and report articles on many governmental news agencies.

5.1.2. The PDPD drafting program: Timeline, major events

The preparation of the PDPD started in early 2019. Initially, communications of regulatory ideas were done in a highly open and formal manner, and a first draft was issued for public consultation after one and a half years of preparation. However, after the COVID-19 outbreak, the drafting and deliberating processes went into a stagnated period. Since mid-2021, all regulatory communications have been highly confidential; the number and content of the drafts circulated between 2021 and 2023 were unknown to the public. It was only on the promulgation date that the final draft was released to the public, and formal exchanges were allowed again.

Two major events with significant social impact occurred during the drafting period—first, COVID-19 and relevant social distancing measures. Between early 2020 and mid-2022, several COVID-19 outbreaks led to extensive social distancing and preventive measures. Although the “new normal” policy (bình thường mới) introduced softened community rules starting in 2022, citizens, especially those residing in urban areas, have been used to communitarian thinking and behavioural adjustment in compliance with governmental control.

Second, the 13th National Congress of the Communist Party of Vietnam. Among other highlights, the 13th Congress was marked by its specific focus on cyberspace policies. The Resolution of the 13th Congress emphasises grand objectives such as “Building and developing national data infrastructure synchronously, forming a system of national data centres, regional and local data centres with synchronous and unified connections, forming reliable and stable data systems for the State and enterprises. Invest in equipment systems for collecting, storing, processing, and protecting public data.” More than a stipulation of a political objective, the cyberspace regulatory agenda requires a change in the “perception,” as publicly called by the Prime Minister in the Decision 749/QD-TTg “Introducing Program for National Digital Transformation by 2025 with Orientations towards 2030.” The state’s aim at changing public perception towards cyberspace regulation makes up an important task for the PDPD regulators to contextualise dialogues and generate consensus about cybersecurity. Figure 1 demonstrates the key milestones that led to the enactment of Decree 13/2023/ND-CP on Personal Data Protection.

Figure 1. A timeline of the promulgation of the Decree 13/2023/ NĐ-CP Personal Data Protection in Vietnam

5.2.1. Firms as data controllers and processors: From “developmental subjects” to “fellow travellers”

In parallel with the security discourse, the tech-for-development (tech-dev) narrative shared by market players systematically scaffolded the normative belief in the state’s authority to impose control over the use and control of population data. Since 2018, the term “fourth industrial revolution” has been popular among state-owned and private digital service providers to refer to the necessity of implementing a state-wide digitalisation agenda, incorporating developmental goals with security measures under the state’s central direction. The regulatory signals from the highest central authorities generated an ideological tenet for this approach. For instance, Resolution 52-NQ/TW promulgated by the party legitimised state control upon data management activities, scaffolding the cybersecurity and enhancing infrastructure into narratives of data regulation. The Prime Minister, in Decision 749, also stipulated the objective of

A large-scale National Summit on Industry 4.0 was held in 2018 and has been held annually under the direction of the CPV Central Committee’s Economic Commission. As the implementing force of the party, the MoIC organised the translation, publication, and dissemination of Klaus Schwab’s works, including “The Fourth Industrial Revolution” and “Shaping the Future of the Fourth Industrial Revolution: A Guide to Building a Better World” (co-authored with Nicholas Davis). The books were published by the National Political Publishing House (nhà xuất bản Chính trị Quốc gia Sự thật), the official political publisher of the CPV and the Socialist Republic of Vietnam (SRV).

In the epistemic tenet constructed by the governmental entities, the “digital infrastructure” consists of a large bulk of population, industrial, and other profitable data. Because personal data exist inseparable from this shared data pool, the government publicly emphasised the need to construct a wide-span legal right system applied to “digital data” (dữ liệu số), but it avoided any direct reference to the discourse of a right to privacy towards personal data. The disseminated signal was that the bulk data of the Vietnamese population was “valuable assets” and should be subject to “strict protection measures.” (Nhân, Reference Nhân2020b). Within this framework, state control by regulating personal data processing activities is justified by security considerations, scaffolded by digital market practices under the direction of the party-state. A prominent example is seen in September 2023 through an article by Công Lý (Justice), the Supreme People’s Court’s official media agency, which bluntly declared that “Digital data is the property of the state” (Dữ liệu số là tài sản của quốc gia) (Hồ, Reference Hồ2023).

The scaffolding discourses received strong support from prominent market players, who are also data controllers and processors. Their support is crucial to consolidate the state’s comprehensive digital transformation agenda because these service providers have been identified as the primary subjects that lead the digital transformation of Vietnam, and they are considered to contribute significantly to the success of the state’s digital transformation in recent years. According to the Vietnam E-Commerce Report 2023 released by the MoIT’s Vietnam E-Commerce and Digital Economy Agency, B2C retail e-commerce revenue jumped from $8 billion in 2018 to $16.4 billion in 2022, accounting for 7.5% of total retail sales of goods and services around the country (Nhĩ, Reference Nhĩ2023). In October 2020, during the “Promoting Productivity of Small and Medium-sized Enterprises in the Context of COVID-19 Based on Scientific and Technological Innovation and Administrative Regulation Reform” conference co-organised by the Ministry of Science and Technology and Small Business Association, Deputy Minister of Science and Technology Le Xuan Dinh emphasised that firms are pioneers of innovative technologies and thus should actively seek measures to develop and expand the application of technologies. During the PDPD’s drafting, the Prime Minister sent a unified message that policies in the new digital economy regime are proposed with firms and enterprises as the primary beneficiaries of developmental policies. In a meeting with firms’ representatives in 2021, the Prime Minister said:

Firms and enterprises answered this call with enthusiasm. With 74% of the population using the internet, these service providers are currently processing a considerable amount of personal data. They would constitute a large community of duty-bearers under PDPD. Over the years, an alignment between large tech-based firms has been formed to join the regulatory processes sincerely and assist state agencies on governmental tasks. Known as a “group of fellow travellers” (nhóm đồng hành), the government ministries select firms based on their sizes and business fields to form accompanying interest groups to directly acquire opinions upon drafting regulations. Taking advantage of this opportunity, these firms actively join the regulatory conversations and discuss socioeconomic and regulatory issues. According to some interviewees who wished to remain anonymous, these firms formed a close-tie relationship with each other and critical persons from government entities to ensure they could reach and comment on the latest policies and regulations for their business benefit. In this way, selective firms and businesses can gain preliminary access to regulatory drafts and express their concerns towards the upcoming change in how they do business.

Through this “fellow-travelling” channel, firms and businesses who are to-be data processors gained access to primary drafts of the PDPD. In the early stages, firms and enterprises have been consulted formally and informally by the MOPS and other co-authorities (including, among others, the MoIC). Firms’ and enterprises’ opinions are acquired through these “accompanied” channels and are filtered through the highest representatives of these co-authorities before being delivered to the MOPS. Through these alliances, state actors partake in the discussions and gain tremendous gravity regarding the back-and-forth diffusion of regulatory thinking across communities.

5.2.2. The Institute of Policy Studies and Media Development: The lone traveller

The Institute of Policy Studies and Media Development (IPS), a non-state research centre, is a keen advocate of the developmental approach to data governance in Vietnam. Among other non-governmental organisations, the IPS has been the only prominent actor to spread ideas of data protection in cost-and-benefit grammars (Bach Thi Nha Nam and other firm representatives confirm this). In detail, the IPS has been speaking out concerns over misuse of power while promoting a right-based approach to personal data protection regulation. According to Ms Nguyen Lan Phuong, IPS aimed to foster a “balanced approach” in which the privacy values of data subjects are ensured while maintaining low entry costs for technology firms by raising opinions and awareness against enforcing unnecessary technical barriers to digital businesses.

With the drafting authority of the MOPS established and the consolidation of public security discourse along the developmental discourse, the spaces for non-state advocacy had been narrowed down. To achieve their objectives, Ms Phuong and IPS acquired a clever strategy called “channelling and collective voice.” This involves utilising “personal relationship” (quan hệ cá nhân) to approach the National Assembly’s subordinate agencies, which are authorised to dissent or veto the draft, and the participants who have the potential to be invited to closed consultation events while releasing informal and simple messages on social media to raise the public awareness. However, the strategy still faced tremendous challenges. In Ms Phuong’s words:

Due to the closure of the “fellow-traveller” groups and their focus on firms’ and market players’ opinions, the IPS was reluctant to shift their advocate discourses towards how strict controls towards data management activities could bring excessive costs to digital business models. According to Ms Phuong, because the perception of individual privacy interests in Vietnamese society was relatively low, and additionally the A05 had been “sending consistent messages (thông điệp nhất quán) of keeping domestic political security (an ninh chính trị nội bộ),” the IPS were not able to facilitate ideas of individual privacy in right-based approach during the deliberative process regarding the PDPD.

5.3.1. COVID-19

The COVID-19 outbursts in Vietnam consolidated the public belief in the need for a centrally governed social system to respond to community crises. Four waves of pandemic outbursts between 2020 and 2022 renavigated public attention away from the PDPD to the tremendous efforts of central and local level governments in keeping people safe. Public sentiment towards the state increased as people were isolated, creating room for reflection upon social mores and values and cultivating trust in the governmental state. These reflections upon the state’s role are, in turn, diffused widely through social media and helped reaffirm the state’s critical role in ensuring civil safety. In this way, the disruption to public gatherings, the daily image of wholehearted state officials who sacrificed themselves for the public good, and the increasing reliance on social media and other channels which are put under strict state monitoring, the public sentiments and trust in regulators’ decisions had grown more potent than the previous period. The pandemic events also remind communities of the value of a collective spirit over individual needs. The public believed that the government’s determined public security measures had led to the success of anti-epidemic objectives (Le, Reference Le2022, pp. 130–137; Nguyen, Nguyen and Taylor-Robinson, Reference Nguyen, Nguyen and Taylor-Robinson2022). In short, through COVID-19 events, the governmental state stands out as the legitimate social safety and security protector.

But the state has also been actively promoting messages of unity and cooperation on mediated channels using inspirational terms such as “unity” (đoàn kết), “one-hearted” (đồng lòng), and “loving and aiding each other” (tương thân, tương ái). For example, in April 2021, an article was published titled “46 Years of Liberation of the South: A Lesson of the Strength of Great Unity” by the Vietnam News Agency (Thông tấn xã Việt Nam) and was re-posted on state authorities’ news agencies, including the National Assembly news agency and the Public Security News (Báo Công An), the very agency which promoted the public security discourse over the drafting of the PDPD. Notably, the article wrote:

The resolution of the National Steering Committee on Prevention and Control of COVID-19, issued June 2023, used the term “the all-people and global approach” (tiếp cận toàn dân, toàn cầu) to describe the achievement of epidemic control objectives (Ministry of Health, 2023). The resistance to the epidemic was imagined as a “fight” which irritated national cooperation in a collective spirit (Huynh, Reference Huynh2020, p. 2). Since the initial stages of controlling policies towards COVID-19, local government authorities contributed significantly to the perception by facilitating the “Great Unity” policies, encouraging and proposing contact-tracing measures between close-knit neighbourhoods and household units (Pham et al., Reference Pham, Nguyen, Bach, Le and Nguyen2023, pp. 155–159). These insights suggest that different levels of state authorities used subtle measures to foster collective sense-making and scaffolded the “collective security” discourse at a time when the PDPD draft was still in its early stages of deliberation. Figure 2 demonstrates additional examples of state media’s news and articles which promote the “collective security” discourse.

Figure 2. Data protection as security issue: messages sent by state-sponsored media agencies in public news articles

The “Great Unity” discourse not only aided the government in exercising control over religious practice and reducing voices concerning religious freedom issues but also softened the seriousness of privacy violations and criticisms of government violations of privacy during COVID-19 (Gillespie, Reference Gillespie2014, pp. 140–145; Pham et al., Reference Pham, Nguyen, Bach, Le and Nguyen2023, p. 161). The positive effect of the perceived benefits of contact-tracing apps soon overrode privacy concerns. Here, the collective good justified informal exceptions of individual privacy from state perspectives (Nguyen, Tran Hoang and Phung, Reference Nguyen, Tran Hoang and Phung2022, p. 183). Large-scale privacy violations, including disclosing sensitive personal data such as medical records, had often been overlooked, given the effectiveness of centralised social control measures (Sun et al., Reference Sun, Wang, Xue, Tyson, Camtepe and Ranasinghe2020, p. 10; Nguyen et al., Reference Nguyen2021, p. 6). As Nguyen, Tran Hoang, and Phung contended, the rise of public trust in governmental decisions generated social consensus and justified the exceptions to privacy (Nguyen, Tran Hoang and Phung, Reference Nguyen, Tran Hoang and Phung2022, p. 185). This change in public attitude towards privacy matters would result in the common opinion in the MOPS’s regulatory authority regarding the PDPD. Due to lockdowns and mass relocation to cyberspace communications, collective safety became the public consensus, which justified state control measures for civil society in cyberspace. These normative beliefs would later be carried on as the state reactivated the post-COVID dialogues about the PDPD and generated a robust epistemic tenet for the security/safety meaning of data protection.

5.3.2. The intermediate community: Academia

In Vietnam, academic opinion from legal scholars often contributes theoretical tenets on which governmental bodies ground their regulatory decisions. Historically, legal scholars have been considered state members who provided highly valued comments for top decision-makers. Today, opinions from the legal academia are still considered with a certain degree of authority regarding state and law issues (Bui, 2022a, pp. 375–385).

During the deliberative process that led to the PDPD, legal scholars imprudently aided and extended the sense of safety/security of privacy to both the regulators and the regulatees’ communities. Scholars have contributed to the interactive dialogues between actors in two ways. First, by introducing concepts like “the right to be forgotten,” “data subject’s right,” and “consent” to the scholarly literature and public news channels, scholars raised public awareness of privacy matters (Vũ and Phạm, Reference Vũ and Phạm2017, pp. 67–74; Bạch, Reference Bạch2020, pp. 38–47; Bạch, Reference Bạch2022, pp. 50–57; Vũ and Lê, Reference Vũ and Lê2020, pp. 55–64). However, since most legal scholars are working in the university system subjected to governmental oversight, their discussions on privacy matter only to the extent of it being an inalienable human right and a civil right to personality (Phùng, Reference Phùng1996, p. 39). Almost no scholars have written publicly about privacy as against governmental control, except those addressing this matter subtly from a “balancing” between public good and private rights (Thái, Reference Thái2012, pp. 178–202; Huỳnh, Reference Huỳnh2022).

Second, by rapidly conducting several research projects into the concepts and the implementation of the “fourth industrial revolution,” scholars had exaggerated the assumption that the state is the primary force leading socioeconomic changes, thus legitimising its authority to oversee personal data management activities. Between 2017 and 2019, Vietnamese economists and legal scholars focused their research on the theme of “technology advances and economic development”; their findings, in turn, generated solid theoretical tenets for the diffusion of ideas of development under the state’s direction. Economists and legal scholars, in particular, were interested in identifying the “problems” and “challenges posed” by the “revolution” and suggesting law reforms to increase state control in specific regulatory domains (Nguyễn, Reference Nguyễn, Nguyễn and Ngô2018, p. 37–52; Nguyễn, Reference Nguyễn2019). Within this strand of research, some legal scholars view personal data issues through the lens of economic rights; some further imagined a regime of personal data protection based on the free negotiation of property (Đỗ and Đào, Reference Đỗ and Đào2023, pp. 3–11). These opinions categorise personal data into broader sets of “profitable data” and suggest a comprehensive legal reform to treat data as a resource entitled to the people of the nation (Ngô and Nguyễn, Reference Ngô and Nguyễn2023; Đỗ and Đào, Reference Đỗ and Đào2023, p. 6). This view supports the state’s scaffolding discourses since it supports the “enterprise-centred” approach adopted by the government-enterprise alliance.

5.4.1. Clashing regulatory signals and technologies

The fresh rules on data privacy protection were promulgated in a Decree (Nghị Định). In the Vietnamese regulatory context, a decree contains lesser formality than a statutory law but reflects clearer signals of governmentality. In Vietnam, as stipulated by Article 4 of the Law on Promulgation of Legal Normative Documents, a “decree” is promulgated by the Government to regulate specialised areas of society and economy. Vietnamese legal documents are categorised based on the combination of “scope of regulation” (phạm vi điều chỉnh), “object of regulation” (đối tượng điều chỉnh), and “method of regulation” (phương pháp điều chỉnh). For decrees and other sub-law level instruments, the scope, object, and regulatory approach are usually determined based on responsive state agencies assigned with the primary drafting task whose authorities correspond to the “scope of regulation.” The responsive agencies are referred to as the “principal governing agencies” (cơ quan chủ quản or cơ quan đầu ngành). As indicated explicitly in the Preamble of the PDPD, its promulgation was in pursuance of the Civil Code, the Law on National Security, the Cybersecurity Law, and at the request of the Minister of Public Security in Vietnam. It can be inferred that the PDPD’s “object of regulation” aligns with the authorities of the MOPS, which is to ensure national security through the authorised use of force and other authoritative measures.

While the right to privacy in Article 38 of the Civil Code was constructed on the equal-agreement approach (phương pháp bình đẳng-thỏa thuận), the primary approach seen in the PDPD is the imperative-authority approach (phương pháp mệnh lệnh-quyền uy). According to the Vietnamese state’s formally recognised legal theories, the equal-agreement approach is the characteristic regulatory technology in private law relations. It enables legal subjects to freely negotiate their obligations based on “equality, free will, asset independence and self-responsibility” (Article 1, Civil Code). By contrast, the imperative-authority method typically applies to relations between state entities and civilians and intra-governmental relations. The “imperative-authority method” represents the limitation of state power but also provides parameters for the state’s governance. The divergence between these regulatory logics reflects an epistemic separation between private and public law domains, diffusing thoroughly in Vietnamese political and legal thinking.

The promulgation of the PDPD extends the general cyber regulation regime in Vietnam, characterised by its strengthening state control over cyberspace business activities using the imperative-authority approach of regulation (Nguyen, Reference Nguyen2022, pp. 164–166). By stipulating A05’s authority to supervise, examine and veto data management activities, the room remaining for data subjects–controllers negotiation regarding the processing of personal data is insignificant. In this way, data subjects are expected to refer to state authorities to ensure the data processing activity is lawful. The PDPD adopts the imperative-authority logic and constructed data controllers and processors’ obligation towards the A05, but this approach has nevertheless minimised the responsibility of data controllers towards data subjects in direct negotiable relations. This is the fundamental difference between the current Vietnamese private rights framework in which a “right to privacy” is situated and the PDPD authoritative data privacy framework.

5.4.2. Shifting authorities

Before 2023, the authority to make privacy-related regulations was shared between various government agencies. Each agency is specialised in a particular field of governance, so the laws reflected the ideas held by different communities of regulators. Depending on how close these agencies are to the authority to implement the party’s policies, two major regulatory agencies are considered: the MOPS and the MoIC.

Before the introduction of the PDPD, personal information management in cyber activities was put under overlapping regulatory authorities. Generally, the National Assembly is authorised to legislate and supervise the enforcement of laws that contain human rights provisions. However, as the epistemic connection between privacy as a legal right and data protection regulations remains ambiguous, there have been laws constructed for personal data protection, such as the Law on Cyber Information Safety and the Decree 52/2013/ NĐ-CP on Electronic Commerce, which assign the direct enforcement authorities into different governmental agencies. These regulations generated the expectation that multiple state agencies, for instance, the MoIC and the Ministry of Trade and Commerce (MoTC), have the authority to oversee personal information management activities in their respective governmental domains (Greenleaf, Reference Greenleaf2013, pp. 5–7).

In addition to the overlaying authorities, it has been found that the authorities have been in constant shifts from one to another. Research shows that while initial personal information protection rules promulgated in Decree 52/2013/NĐ-CP on Electronic Commerce were prepared and enforced primarily by the MoTC and had effect only on the e-commerce and consumer sectors (Greenleaf and Park, Reference Greenleaf and Park2014, p. 495), the regulatory oversight has been gradually shifting to a freshly constructed cyber regulation and security sectors (Greenleaf, Reference Greenleaf2021, p. 1). This shift aligns well with the constantly expanding authorities of the MoIC, especially with the establishment of specialised state agencies under these ministries to oversee data management issues. According to Article 2(1)(a), Decision 1499/QĐ-BTTTT Regulations on The Functions, Tasks, Powers and Organizational Structure of The Information Security Department, dated 14 August 2023, the Authority of Information Safety (AIS) under the MoIC was authorised to “Preside and coordinate research, propose, develop and submit to the Minister for promulgation or let the Minister submit to competent authorities for the promulgation of legal documents on information security.” The Minister of Information and Communication, the head of the MoIC, is concurrently a member of the Central Propaganda Committee. This might imply that the MoIC’s enforcement of information security rules would follow the party’s policies on data and information control in cyberspace. This insight corresponds to MoIC’s view that guarding information safety is guarding the comprehension of party ideology. This view is publicly announced in articles published in the Communism Review (Tạp chí Cộng Sản), the efficient propaganda organs under the direct command of the CPV (Nguyễn and Nghiêm, Reference Nguyễn and Nghiêm2023).

However, interviews with key business representatives and other scholars with close relation to the drafting personnel of the PDPD reveal that MOPS usurps the authority to regulate data privacy matters. The fellow travellers confirm that the primary contents of the PDPD were drafted and prepared by the Department of Cybersecurity and High-Tech Crime Prevention and Control (A05) under the MOPS. The A05 was founded on 10 August 2018, by merging the Department of Cyber Security and the Public Security Department for Crime Prevention Using High Technology under the General Department of Public Security, MOPS. The A05 has been identified as the principle governing agency (cơ quan đầu ngành) of protecting cybersecurity and safety (bảo đảm an ninh và an toàn mạng). Its central function is to safeguard national sovereignty and public security in cyberspace. Cybersecurity has been one of A05’s foundational aims from the very beginning.

Furthermore, the MOPS maintained its exclusive authority to modify and finalise the PDPD drafts. According to a business representative who participated in the closed consultation meetings but wished to remain anonymous, the MOPS holds “real power” (thực quyền) over other authorised agencies such as the MoTC or the MoIC because it has concurrent authority to investigate and enforce sanctions to other state agencies under the direction of the CPV. Despite various objections to the registration requirements for data processing activities and the authoritarian supervising authority of the A05 over data controllers’ activities, the MOPS preserve the core principles of the PDPD through three draft versions with little room for negotiation from other actors.

The fact that the MOPS is authorised to prepare and implement the PDPD rules shows clear signals that personal data protection law is categorised as a cybersecurity policy. The legitimacy of the MOPS is not only justified by the collective safety discourse during the pandemic period but also through the normative belief that it is the sole “force” (lực lượng) to effectively “protect the Party’s ideological tenet” (bảo vệ nền tảng tư tưởng của Đảng). The motto of MOPS is that as a collective it “exists as long as the Party exists” (còn Đảng, còn mình). In Vietnamese, the first-person pronoun “mình” generates a homey feeling as it is used between close-knit relationships when referring to the shared values or mores in common. On the other hand, another motto upheld by the MOPS is “forget oneself for the country and serve the people” (vì nước quên thân, vì dân phục vụ). The MOPS, being identified as the legitimate agency of the Party, which acts for “the entire nation” and “for the interest of the people,” generated a robust ideological tenet that consolidated the MOPS’ authority for personal data protection regulatory power.

Most importantly, the MOPS’s authority over data protection regulation reflects a solid regulatory signal, as already spurred by media efforts and Party-sponsored agencies such as Nhân Dân, that data privacy is a matter of national security and that it is predetermined that personal data protection falls under the authority of the public security force. The rules authorising A05 to oversee personal data management activities in the PDPD confirm these findings.

The consolidation of the MOPS’ authority can also be seen in the court’s inaction. The Supreme People’s Court of Vietnam (SPC) remained silent throughout the drafting period of the PDPD. In Vietnam, the judicial branch is yet to be independent from the party-state system. It is not authorised to make laws nor to establish precedents like the way courts in Anglo-European and US legal systems do (Nicholson, Reference Nicholson, Gillespie and Nicholson2005, pp. 159–190). Although there has been an increase in the court’s authority to make case law and to deliver harmonised understandings of legal terms, in effect, the court’s authority upon these issues only extended to guidance of lower-level courts in delivering judgements upon certain legal matters. The court rarely takes part in the formation of regulatory and statutory documents. This not only limited the court from expressing an opinion and consulting the regulators during the PDPD drafting process, but it may also hinder the court’s ability to interpret privacy in ways diverging from the PDPD rules.