Vietnam - Law On Cybersecurity And Its Potential Effects On Investment Environment.


Asia Pacific Legal Updates


1 November, 2018




From 01 January 2019, as a result of the enactment of the Law on Cybersecurity (the “Law”), the way internet-based activities and services are conducted in Vietnam is expected to change drastically. Aimed at safeguarding cyber activities in Vietnam, the Law is meant to reinforce the Internet’s security by setting out the dos and don’ts for both users and providers of cyber services.


Based on the Law’s purview and provisions, a broad range of entities (whether based inside Vietnam or outside) may be targeted, including Internet service providers, Internet software/hardware manufacturers, e-retailers, mobile app owners, social network operators, and others. Of all the Law’s targets, most attention is drawn to offshore service providers which, due to the much-debated requirements of data localization and legal presence in Vietnam, are to be immediately affected once the Law takes effect. In addition to foreign tech firms, local tech firms should also be preparing during this time if they have not yet met the same data storage requirement.


Among the Law’s requirements, perhaps the most notable ones are those stipulated in Article 26.3:


(i)  “personal data, data about the relationships of the service users and data created by service users in Vietnam” collected, handled and/or analyzed by cyber service providers to be stored within Vietnam for a period of time determined by the Government; and


(ii)  overseas enterprises providing services on telecommunications networks, the internet and value-added services on Vietnam’s cyberspace to establish their branches or representative offices in Vietnam.


With the above requirements, any service provider who collects, handles and/or analyses personal data, data about the relationships of the service users and data created by service users in Vietnam (e.g., tech giants like Facebook and Google, and mobile app services like Viber, LINE, Airbnb, and Tinder) may be targeted and required to store their data in Vietnam.


Concerns are thus raised regarding the feasibility and costs for overseas tech firms to install storage systems and set up their commercial presence (either branch or representative offices) in Vietnam. While large firms like Facebook or Google may not mind spending extra money to comply with these requirements, many smaller services may shun Vietnam’s market. The latter reaction could in turn hurt Vietnam’s economy and deprive consumers of options.


Apart from the two most prominent requirements above, under Article 26.2 of the Law, Internet-related service providers are also asked to:


(i)  provide the information of service users to the competent authorities upon their written request to serve the purpose of inspecting and handling violations in cybersecurity;


(ii)  prevent and remove from the systems under their management any cybersecurity violation within 24 hours from the request of the competent authorities;


(iii)  save the system log for the purpose of inspecting and handling violations in cybersecurity;


(iv)  stop providing services to users committing violations in cybersecurity upon request by the competent authorities.


Cybersecurity violations include, among other actions, spreading information in cyberspace that offends the State of Vietnam, inciting public-disturbing gatherings, slandering other entities and inducing false public understanding about goods consumption, banking activities, the stock market, and others. However, the Law’s language regarding these violations is still vague and ambiguous and there has not been any further guidance, leaving authorities the discretion to interpret its meaning. Therefore, it is hard for Internet service providers to determine whether or not contents posted on their websites/apps are prohibited under Vietnamese law.


In the event Internet service providers violate the Law’s regulations, the providers may be subject to disciplinary sanctions, administrative or criminal responsibilities under Article 9 of the Law. Currently, regulations detailing the “how” and “when” of the disciplinary sanctions are still pending.


In response to the passing of the Law, a large number of offshore and onshore companies have expressed their concerns regarding the promulgation of the Law. For example, during the mid-term Vietnam Business Forum 2018 held in Hanoi on 04 July 2018, the American Chamber of Commerce Vietnam’s member companies were particularly worried about the Law’s requirements regarding the establishment of representative offices, as well as regulations on the storage of user data in Vietnam. Their concerns are that the requirements might increase unnecessary costs without helping improve Vietnam’s cyber security environment. However, the National Assembly gave its approval based on the need to ensure national defense and security.


To provide further details to the Law, the Ministry of Public Security expects approximately 25 decrees and circulars to be issued. These legal documents are expected to be presented to the Government in October 2018 and may help clarify legal grounds for Internet-related service providers to comply with the cybersecurity laws, as well as resolve the dilemma in which companies are forced to choose between investing in Vietnam as one of the world’s most dynamic economies and protecting their consumers’ rights.




There are also other legal documents promulgated, including:


Decree 108/2018/ND-CP amending Decree 78/2015/ND-CP on enterprise registration. The Decree will take effect from 10 October 2018 and will introduce a few changes to the way enterprise registration procedures are conducted. Notably, enterprises will no longer be required to chop their seals on some of the enterprise registration application documents such as the application form, the resolution and meeting minutes of their management bodies.


Decree 119/2018/ND-CP on electronic invoices in goods trading and service provision. The Decree, when effective from the start of November 2018, will replace Decree 51/2010/ND-CP on [ordinary] invoices in goods trading and service provision. Essentially, from 1 November 2020, electronic invoices will replace ordinary paper invoices and enterprises are provided a window of time from 1 November 2018 to adjust gradually to the change.


Circular 03/2018/TT-BTNMT amending the administrative procedures in relation to specialized appraisal under the responsibility of the Ministry of Resources and Environment. The Circular will be effective from 1 October 2018 and will simplify the procedures for importing scrap and waste products for use in production.


Circular 23/2018/TT-BYT on the recovery and handling of unqualified food under the authority of the Ministry of Health. The Circular specifies the cases where the food must be recovered from the market and how to handle such food after recovery. The Circular will be effective from 1 November 2018.


Decree 123/2018/NĐ-CP amending a number of decrees on the conditions for investing and conducting business in the agricultural sector. Among the updates, this Decree makes changes to the conditions for manufacturing and trading crop protection chemicals. The Decree is effective from 17 September 2018. 


For further information, please contact:


Dr. Net Le, Partner, LNT & Partners