By Nguyen Xuan Thuy, Tran Dinh Vinh and Phan Vu Minh Truong, of LNT & Partners
Foreign service providers may be affected by a new regulation aimed at improving cybersecurity in the country.
From January 1, 2019, internet-based activities and services in Vietnam are expected to undergo drastic changes regarding the way they are conducted. This is a result of the enactment of the first Law on Cybersecurity passed on June 12, 2018 during the National 14 Assembly (the “Law”).
Aimed to safeguard cyber activities in Vietnam, the Law is meant to reinforce the internet’s security by setting out the dos and don’ts for both users and providers of cyber services. While waiting for detailed guidelines of the Law to be issued by the government and relevant ministries in 2019, this article will discuss certain potential impacts that this new cyberspace regulation may have on cyber business participants in Vietnam, including foreign service providers.
The Law is meant to regulate activities conducted in cyberspace and introduces new measures and conditions to ensure cybersecurity.
Prior to the Law’s enactment, multiple draft versions of the Law were proposed to solicit the public’s and experts’ opinions. Most opinions were directed towards the new conditions imposed on internet-based service providers, raising concerns that the conditions might deter foreign investment and stunt the growth of the digital economy. Indeed, some conditions put forth by the Law might cause foreign investors in the telecommunications sector and internet-related services to have difficulty accessing Vietnam’s market. Nonetheless, after rounds of updates, the requirements for internet-based service providers remain unchanged.
The Law did not go into effect immediately, so there is a window of time until January 1, 2019 to prepare for compliance with any newly imposed requirements.
Who has to be prepared?
The Law does not include a provision detailing the entities required to comply with it as other laws usually do. Instead, these entities can be deduced from the Law’s purview (ie entities related to the protection of cybersecurity) and from the Law’s required or prohibited actions. This means that a broad range of entities (whether based inside Vietnam or outside) can be targeted, including internet service providers, internet software/hardware manufacturers, e-retailers, mobile app owners, social network operators, and others.
Of all the Law’s targets, attention is mostly drawn to offshore service providers which, due to the much debated requirements of data localisation and legal presence in Vietnam, are to be immediately affected once the Law is given effect. In addition to foreign tech firms, local tech firms should also be preparing during this time if they have not met the same demand for data storage.
How are enterprises affected?
Among the Law’s requirements and prohibitions, perhaps the most notable ones are those stipulated in Article 26.3:
- “personal data, data about the relationships of the service users and data created by service users in Vietnam” collected, handled and/or analysed by cyber service providers to be stored within Vietnam for a period of time determined by the government; and
- overseas enterprises providing services telecommunications networks, the internet and value-added services on Vietnam’s cyberspace to establish their branches or representative offices in Vietnam.
In the Law’s earlier draft versions, the local presence and data storage requirements were only applicable to internet-related service providers when their cyber services catered to 10,000 Vietnamese or more, or when the government made the request. However, the service user threshold and the governmental factor have been removed from the official version, broadening the applicable scope of the above requirements. Therefore, any service provider who collects, handles and/or analyses personal data, data about the relationships of the service users and data created by service users in Vietnam (eg, tech giants like Facebook and Google, and mobile app services like Viber, Line, Airbnb and Tinder) may be targeted and will need to ensure data localisation in Vietnam.
Concerns are thus raised regarding the feasibility and costs for overseas tech firms to install storage systems and set up their commercial presence (either branch or representative offices) in Vietnam. While large firms like Facebook or Google may not mind spending extra money to comply with these requirements, many smaller services may shun Vietnam’s market. The latter reaction could in turn hurt Vietnam’s economy and deprive consumers of options.
Apart from the two most prominent requirements above, under Article 26.2 of the Law, internet-related service providers are also asked to:
- provide the information of service users to the competent authorities upon their written request to serve the purpose of inspecting and handling violations in cybersecurity;
- prevent and remove from the systems under their management any violation cybersecurity within 24 hours from the request of the competent authorities;
- save the system log for the purpose of inspecting and handling violations in cybersecurity;
- stop providing services to users committing violations in cybersecurity upon request by the competent authorities.
Cybersecurity violations include, among other actions, spreading information in cyberspace that offends the State of Vietnam, inciting public-disturbing gatherings, slandering other entities and inducing false public understanding about goods consumption, banking activities, the stock market, and others. However, the Law’s language regarding these violations is still vague and ambiguous, and there has not been any further guidance, leaving authorities the discretion to interpret its meaning. Therefore, it is hard for internet service providers to determine whether or not contents posted on their websites/apps are prohibited under Vietnamese law.
What are the implications of not complying with the Law on Cybersecurity?
In the event internet service providers violate the Law’s regulations, the providers may be subject to disciplinary forms, administrative or criminal responsibilities under Article 9 of the Law. We are still waiting for regulations detailing which disciplinary forms and administrative responsibilities, as well as necessary procedures, will be imposed on such internet service providers.
With respect to criminal responsibilities, when considering whether criminal responsibilities are applicable for an internet service provider’s violation of the Law, the internet service provider should determine whether such violation falls under the scope of crimes applicable to commercial legal entities under the new Criminal Code 2015.
What has to be done and what is expected?
A large number of offshore and onshore companies expressed their concerns regarding the promulgation of the Law. For example, during the mid-term Vietnam Business Forum 2018 held in Hanoi on July 4, 2018, the American Chamber of Commerce Vietnam’s member companies were particularly worried about the Law’s requirements regarding the establishment of representative offices, as well as regulations on user data and the storage of user data in the host country. They were concerned because the requirements might increase unnecessary costs without helping improve Vietnam’s cyber security environment. However, the National Assembly gave its approval based on the need to ensure national defence and security.
The Law’s regulations are still vague and need to be clarified; the Ministry of Public Security expects that there will be approximately 25 decrees and circulars issued detailing the Law’s provisions to facilitate its enforcement. These legal documents are expected to be presented to the government in October 2018 and may help clarify legal grounds for internet-related service providers to comply with the cybersecurity laws, as well as to resolve the dilemma in which companies are forced to choose between investing in Vietnam as one of the world’s most dynamic economies and protecting their consumers’ rights.
This article is for information purposes only. Its contents do not constitute legal advice and should not be regarded as detailed advice in individual cases. For legal advice, please contact our partners.