Restrictions on data

AUSTRALIA

Since 1989

Chapter Data policies  |  Sub-chapter Sanctions for non-compliance
Federal Privacy Act 1988
The Office of the Australian Information Commissioner (OAIC) can make a determination that includes, for example, a declaration that the complainant is entitled to a specified amount by way of compensation, or it can apply to the Federal Court or Federal Circuit Court for an order that the organisation has breached a civil penalty provision. In such cases, a fine of up to A$340,000 for individuals or A$1.7 million (around 1.2 million USD) for corporations can be imposed for a serious breach or repeated breaches of the Australian Privacy Principles Guidelines.
Coverage Horizontal
Restrictions on data

AUSTRALIA

Reported in April 2018

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Proposal for legislation on encryption
Australia's Prime Minister has put forward a plan to compel technology companies to provide access to users' encrypted messages, citing national security concerns. The law in question would mandate the creation of "back doors" into encrypted communication services.

In April 2018, it was reported that the legislation was in "advanced stages" of drafting.
Coverage Horizontal
Restrictions on data

AUSTRALIA

Since October 2015

Chapter Data policies  |  Sub-chapter Personal rights to data privacy
Case 2015 SASC 170 'Duffy vs Google Inc'
An Australian court has agreed that Google can be held liable for the content on its platform. According to the Court, Google should be considered the "publisher" of the content when it 'hosts' defamatory material. This case set a legal precedent for the right to be forgotten regime in Australia.
Coverage Horizontal
Restrictions on data

AUSTRALIA

Since October 2015

Chapter Data policies  |  Sub-chapter Data retention
Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014
According to the Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2014, which entered into force in October 2015, internet and mobile service providers are required to store metadata for 24 months. The Bill allows law enforcement and security agencies to request access to the metadata retained by internet and mobile service providers, often without a warrant.
Coverage Internet and mobile service providers
Restrictions on data

AUSTRALIA

Since 1988

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Federal Privacy Act 1988 as amended by The Privacy Amendment (Enhancing Privacy Protection) Act 2012
Under the Federal Privacy Act, before an organisation discloses personal information to an overseas recipient, it must take reasonable steps to ensure that the overseas recipient will not breach the Australian Privacy Principles (APPs).
The only cases in which this requirement does not apply are where:
- the overseas recipient is bound by a law similar to the APPs that the data subject can enforce;
- the data subject consents to the disclosure of the personal data in the particular manner prescribed by APP; or
- another exception applies.
An organisation may be held liable for any breaches by that overseas organisation of the APPs.
Coverage Horizontal
Restrictions on data

AUSTRALIA

Since June 2012

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Personally Controlled Electronic Health Record Act of 2012 - Section 77
The Personally Controlled Electronic Health Record Act of 2012 requires local data centres to handle 'personally controlled electronic health records'. Therefore, no electronic health information can be held or processed outside Australia, unless it does not "include information in relation to a consumer" or "identifying information of an individual or entity".
Coverage Health sector
Restrictions on data

VIETNAM

Since October 2013

Chapter Data policies  |  Sub-chapter Other
Draft Circular Detailing a Number of Articles re Management of Websites and Social Networks under the Government’s Decree No. 72/2013/ND-CP of 15 July 2013
The draft circular also requires that any “general information website” or social network must have a high-level person responsible for content management who must be a Vietnamese national and reside in Vietnam.
Coverage "General information websites"
Source
  • Anupam Chander and Uyên P. Lê, 2015, Data Nationalism, Emory Law Review, 64, 677, p. 678-739. Available at http://law.emory.edu/elj/content/volume-64/issue-3/articles/data-nationalism.html
Restrictions on data

VIETNAM

Since September 2013

Chapter Data policies  |  Sub-chapter Other
Decree No. 72/2013/ND-CP of July 15, 2013, on the Management, Provision and Use of Internet Services and Online Information
Decree No.72 of 2013 requires that online social network service suppliers ensure that only individuals who have supplied "accurate and complete personal information as required by law", including the government-issued card number, may create blogs or provide information on online social networks. (Art. 3.16 and 25.9)
Coverage Online social network service suppliers
Restrictions on data

VIETNAM

Since 2006

Chapter Data policies  |  Sub-chapter Sanctions for non-compliance
Law No. 67/2006/QH11 on Information Technology
Infringement of privacy laws may lead to fines up to 2,000 USD and criminal penalties of up to two years’ imprisonment. In addition, e-commerce activities may be suspended for six to 12 months.
Coverage Horizontal
Restrictions on data

VIETNAM

Since September 2013
Entry into force in January 2019

Chapter Data policies  |  Sub-chapter Administrative requirements on data privacy
Decree No. 72/2013/ND-CP of July 15, 2013, on the Management, Provision and Use of Internet Services and Online Information

Law on Cybersecurity
Decree No. 72 of 2013 states that "organizations and individuals that use Internet resources shall provide information and cooperate with competent state management agencies at the latter’s request".

Vietnam's Law on Cybersecurity, which will enter into force in January 2019, also stipulates that businesses have to provide users’ data to the Ministry of Public Security upon receipt of requests in writing, in cases where any infringement of the cybersecurity law is being investigated.
Coverage Horizontal
Restrictions on data

VIETNAM

Since September 2013

Chapter Data policies  |  Sub-chapter Data retention
Decree No. 72/2013/ND-CP of July 15, 2013, on the Management, Provision and Use of Internet Services and Online Information
According to Decree No. 72 of 2013, aggregated information websites are required to store the information for at least 90 days from the date it is posted on the website.
Coverage "Aggregated information websites"
Restrictions on data

VIETNAM

Entry into force in January 2019

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Law on Cybersecurity
Vietnam's Law on Cybersecurity, which will enter into force in January 2019, requires administrators of information systems critical to national security to store personal data and "critical data" within the national territory of Vietnam. It is unclear when an information system develops to a point that it is critical to national security. Neither is it clear whether the systems cover state-owned systems only or include private systems as well. "Critical data" is also not defined.

A draft of the law issued in 2017 stipulated that the movement of such data outside Vietnam would require an assessment on the level of security according to regulations by the Ministry of Public Security or other existing laws that apply. At this stage, since the full text of the law is not yet available, it is unclear whether this provision remains in the final version of the law due to come into force in January 2019.
Coverage Systems critical to national security
Restrictions on data

VIETNAM

Entry into force in January 2019

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Law on Cybersecurity
Vietnam's Law on Cybersecurity, which will enter into force in January 2019, requires that foreign internet services firms open representative offices or branches in Vietnam, as well as store important user data in Vietnam on local servers. It is reported that the government will decide the duration for which such businesses must store users’ data in the Vietnamese territory, but it is currently unclear which criteria will be used. The concepts of "telecom services" and "Internet services" are not yet defined. If the interpretation of "telecom services" and "Internet services" covered by the draft Law were too broad, the Law could be inconsistent with relevant WTO commitments, as the cross-border supply of certain telecom services has been liberalised under Vietnam's services schedule for WTO accession.
Coverage Foreign "telecom services" and "internet services"
Restrictions on data

VIETNAM

Since August 2008

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Decree 90/2008/ND-CP dated 13 August 2008 on anti-spam (Decree 90)
According to Decree 90 of 2008, advertising service providers that use email advertisements and internet-based text messages are required to send emails from a Vietnamese domain name (“.vn”) website which is operated from a server located in Vietnam.
Coverage Advertising services
Restrictions on data

VIETNAM

Since September 2013

Chapter Data policies  |  Sub-chapter Restrictions on cross-border data flows
Decree No. 72/2013/ND-CP of July 15, 2013, on the Management, Provision and Use of Internet Services and Online Information
Decree No. 72, which entered into force in September 2013, establishes local server requirements for online social networks, general information websites, mobile telecoms network-based content services and online games services. All these organizations are required to establish at least one server inside the country "serving the inspection, storage, and provision of information at the request of competent state management agencies".
Coverage Online social networks, general information websites, mobile telecoms network based content services and online games services