The Law on Cybersecurity and its effects on enterprises in Vietnam

Posted on October 26, 2018
Vietnam

Screen Shot 2018-10-23 at 5.45.17 PMBy Nguyen Xuan Thuy, Tran Dinh Vinh and Phan Vu Minh Truong, of LNT & Partners

E: thuy.nguyen@lntpartners.com
E: truong.phan@lntpartners.com
E: dinhvinh.tran@lntpartners.com

 

Foreign service providers may be affected by a new regulation aimed at improving cybersecurity in the country.

 

Screen Shot 2018-10-23 at 6.11.23 PMFrom January 1, 2019, internet-based activities and services in Vietnam are expected to undergo drastic changes regarding the way they are conducted. This is a result of the enactment of the first Law on Cybersecurity passed on June 12, 2018 during the National 14 Assembly (the “Law”).

Aimed to safeguard cyber activities in Vietnam, the Law is meant to reinforce the internet’s security by setting out the dos and don’ts for both users and providers of cyber services. While waiting for detailed guidelines of the Law to be issued by the government and relevant ministries in 2019, this article will discuss certain potential impacts that this new cyberspace regulation may have on cyber business participants in Vietnam, including foreign service providers.

 

Introduction

The Law is meant to regulate activities conducted in cyberspace and introduces new measures and conditions to ensure cybersecurity.

Prior to the Law’s enactment, multiple draft versions of the Law were proposed to solicit the public’s and experts’ opinions. Most opinions were directed towards the new conditions imposed on internet-based service providers, raising concerns that the conditions might deter foreign investment and stunt the growth of the digital economy. Indeed, some conditions put forth by the Law might cause foreign investors in the telecommunications sector and internet-related services to have difficulty accessing Vietnam’s market. Nonetheless, after rounds of updates, the requirements for internet-based service providers remain unchanged.

The Law did not go into effect immediately, so there is a window of time until January 1, 2019 to prepare for compliance with any newly imposed requirements.

 

Who has to be prepared?

The Law does not include a provision detailing the entities required to comply with it as other laws usually do. Instead, these entities can be deduced from the Law’s purview (ie entities related to the protection of cybersecurity) and from the Law’s required or prohibited actions. This means that a broad range of entities (whether based inside Vietnam or outside) can be targeted, including internet service providers, internet software/hardware manufacturers, e-retailers, mobile app owners, social network operators, and others.

Of all the Law’s targets, attention is mostly drawn to offshore service providers which, due to the much debated requirements of data localisation and legal presence in Vietnam, are to be immediately affected once the Law is given effect. In addition to foreign tech firms, local tech firms should also be preparing during this time if they have not met the same demand for data storage.

 

How are enterprises affected?

Among the Law’s requirements and prohibitions, perhaps the most notable ones are those stipulated in Article 26.3:

  1. “personal data, data about the relationships of the service users and data created by service users in Vietnam” collected, handled and/or analysed by cyber service providers to be stored within Vietnam for a period of time determined by the government; and
  2. overseas enterprises providing services telecommunications networks, the internet and value-added services on Vietnam’s cyberspace to establish their branches or representative offices in Vietnam.

Screen Shot 2018-10-23 at 5.45.36 PMIn the Law’s earlier draft versions, the local presence and data storage requirements were only applicable to internet-related service providers when their cyber services catered to 10,000 Vietnamese or more, or when the government made the request. However, the service user threshold and the governmental factor have been removed from the official version, broadening the applicable scope of the above requirements. Therefore, any service provider who collects, handles and/or analyses personal data, data about the relationships of the service users and data created by service users in Vietnam (eg, tech giants like Facebook and Google, and mobile app services like Viber, Line, Airbnb and Tinder) may be targeted and will need to ensure data localisation in Vietnam.

Concerns are thus raised regarding the feasibility and costs for overseas tech firms to install storage systems and set up their commercial presence (either branch or representative offices) in Vietnam. While large firms like Facebook or Google may not mind spending extra money to comply with these requirements, many smaller services may shun Vietnam’s market. The latter reaction could in turn hurt Vietnam’s economy and deprive consumers of options.

Apart from the two most prominent requirements above, under Article 26.2 of the Law, internet-related service providers are also asked to:

  1. provide the information of service users to the competent authorities upon their written request to serve the purpose of inspecting and handling violations in cybersecurity;
  2. prevent and remove from the systems under their management any violation cybersecurity within 24 hours from the request of the competent authorities;
  3. save the system log for the purpose of inspecting and handling violations in cybersecurity;
  4. stop providing services to users committing violations in cybersecurity upon request by the competent authorities.

Cybersecurity violations include, among other actions, spreading information in cyberspace that offends the State of Vietnam, inciting public-disturbing gatherings, slandering other entities and inducing false public understanding about goods consumption, banking activities, the stock market, and others. However, the Law’s language regarding these violations is still vague and ambiguous, and there has not been any further guidance, leaving authorities the discretion to interpret its meaning. Therefore, it is hard for internet service providers to determine whether or not contents posted on their websites/apps are prohibited under Vietnamese law.

 

What are the implications of not complying with the Law on Cybersecurity?

In the event internet service providers violate the Law’s regulations, the providers may be subject to disciplinary forms, administrative or criminal responsibilities under Article 9 of the Law. We are still waiting for regulations detailing which disciplinary forms and administrative responsibilities, as well as necessary procedures, will be imposed on such internet service providers.

With respect to criminal responsibilities, when considering whether criminal responsibilities are applicable for an internet service provider’s violation of the Law, the internet service provider should determine whether such violation falls under the scope of crimes applicable to commercial legal entities under the new Criminal Code 2015.

 

Screen Shot 2018-10-23 at 5.46.09 PM

What has to be done and what is expected?

A large number of offshore and onshore companies expressed their concerns regarding the promulgation of the Law. For example, during the mid-term Vietnam Business Forum 2018 held in Hanoi on July 4, 2018, the American Chamber of Commerce Vietnam’s member companies were particularly worried about the Law’s requirements regarding the establishment of representative offices, as well as regulations on user data and the storage of user data in the host country. They were concerned because the requirements might increase unnecessary costs without helping improve Vietnam’s cyber security environment. However, the National Assembly gave its approval based on the need to ensure national defence and security.

The Law’s regulations are still vague and need to be clarified; the Ministry of Public Security expects that there will be approximately 25 decrees and circulars issued detailing the Law’s provisions to facilitate its enforcement. These legal documents are expected to be presented to the government in October 2018 and may help clarify legal grounds for internet-related service providers to comply with the cybersecurity laws, as well as to resolve the dilemma in which companies are forced to choose between investing in Vietnam as one of the world’s most dynamic economies and protecting their consumers’ rights.

_____________________________

This article is for information purposes only. Its contents do not constitute legal advice and should not be regarded as detailed advice in individual cases. For legal advice, please contact our partners.

 

Screen Shot 2018-10-23 at 5.51.17 PM

W: www.LNTpartners.com

E: thuy.nguyen@lntpartners.com
E: truong.phan@lntpartners.com
E: dinhvinh.tran@lntpartners.com

Tags: Cybersecurity, Vietnam
Related Articles by Firm
Notable changes introduced by the amended Labour Code 2019
The legislation includes changes to holidays, retirement age, labour contracts, trade unions and overtime.
Protecting personal data in cyberspace: enterprise’s obligations under the laws of Vietnam
Some of the key takeaways that enterprises should be aware of ...
Can backdating be acceptable?
The effective date of a contract under Vietnamese laws.
Development of collaborative economy in Vietnam
New regulation promises a clear and effective regulatory environment for collaborative economy investors.
The challenges of establishing residential housing projects on mixed-use land areas in Vietnam
Grey areas in Vietnam's housing laws may increase financial risks to developers.
Managing the relationship with special managers in Vietnam
Successful cooperation between a special manager and the acquirer requires the involved parties to know, name and manage this relationship ...
Understanding “Business Transfer”
When investing in a business in Vietnam, an investor may prefer to cherry-pick a specific part of the business rather than buying the entire company ...
Related Articles
Core Points of the New PRC Company Law and Compliance Transformation of Limited Liability Companies
The Use of Hydrogen in the Energy System in Malaysia and the Relevant Laws and Regulations
Getting to know… Joe Liu
Related Articles by Jurisdiction
New rules for food safety assurance
Food poisoning happens nearly every day in Vietnam, and there have been some serious cases with large numbers of poisoned persons …
VIETNAM
Who can be CEO in Vietnam?
Latest Articles
Clifford Chance Appoints New Beijing and Shanghai Managing Partner, China Practice Chair
K3 Legal, With Fred Kan & Co, Opens First Office in Hong Kong
The Greater China IP Updates – April 2024