Vietnam - 2018 Cybersecurity Law – Impacts On Users And Service Providers In Cyberspace.
Legal News & Analysis - Asia Pacific - Vietnam - Cybersecurity
27 August, 2019
On 12 June 2018, the Cybersecurity Bill was ratified by the National Assembly of Vietnam with an approval rate of 86.86%. The Cybersecurity Law is due to take effect on 1 January 2019 and provides regulations on the protection of national security, ensuring social order and safety in cyberspace. It also covers the responsibilities of concerned agencies, organizations and individuals when creating, transmitting, collecting, processing, archiving and communicating information in cyberspace.
Unless the particular item is on the list of important information systems for the national security, a specialized agency for cybersecurity protection shall conduct cybersecurity checks on organizations and agencies’ information data systems when they detect an act of violation in cybersecurity where a party is attempting to commit a crime prejudicial to State security or to cause serious harm to social order and safety; or when receiving a request from the manager of information data system if they themselves detect an act of violation against the cybersecurity law on information data system under their management. Objects for cybersecurity checks comprise of:
(i) Hardware, software, digital devices used in information data systems;
(ii) Information archived, processed, transmitted in information data systems; and
(iii) Technical measures for protection of State secrets and prevention and combat from disclosing or losing State secrets.
For conducting checks, a letter of notice is required to be sent to the manager of the information data system more than 12 hours prior to conducting the cybersecurity check. The check results and the request for the manager of information data system shall be provided within 30 days as from the end of checking date if they detect any weakness or vulnerability of security of such information data system. The detailed procedure for a cybersecurity check shall be prepared and promulgated by the Government in the coming days.
The provision, posting, or transmission of the following contents by any individual, organization or agency on their website, e-portal, or social network site shall be considered as an act of violation against information security in cyberspace (the “Violation information”):
(i) Information in cyberspace with contents that may be considered propaganda against the State of the Socialist Republic of Vietnam;
(ii) Information in cyberspace inciting riot, disrupting security, disturbing public order;
(iii) Information in cyberspace causing humiliation, slander;
(iv) Information in cyberspace with contents for violation of economic management order;
(v) Information in cyberspace with fabricated or untruthful contents causing confusion amongst the citizens, causing loss and damage to socio-economic activities, causing difficulties for the activities of the State agencies or officials in performing their duties, or infringing the lawful rights and interests of other agencies, organizations and individuals; and
(vi) Other information infringing upon State security.
Requirements for guaranteeing information security in cyberspace under the Cybersecurity Law is to set out the responsibilities for domestic and foreign companies providing services over telecom networks or the internet or value-added services in cyberspace in Vietnam comprising of:
(i) Implementing management and technical measures to prevent, detect, stop and remove the Violation Information as requested by the specialized agency for cybersecurity protection when conducting cybersecurity checks;
(ii) Coordinating with the specialized agency for cyber security protection to deal with the Violation Information in cyberspace;
(iii) Authenticating information when user registers a digital account, maintaining confidential information and account of users; providing information of users for the competent agency when such information is directly used for serving an investigation on cybersecurity, and the competent agency must have a letter of notice for such request;
(iv) Preventing from sharing and removal of the Violation Information on services or information data systems under their direct management within 24 hours as from receipt of letter of notice from the specialized agency for cyber security protection under the Ministry of Public Security or the competent agency of the Ministry of Information and Communication, and saving the system logs within a specified period according to the regulations by the Government in order to serve investigation of and deal with an act of violation against the Cybersecurity Law;
(v) Not providing or ceasing to provide services on telecom networks or the internet or value- added services for the organizations, individuals who post the Violation Information in cyberspace as requested by the specialized agency for cybersecurity protection under the Ministry of Public Security or the competent agency of the Ministry of Information and Communication;
(vi) Storing information data in Vietnam in a specified period according to the regulations by the Government which is created from the activities of collecting, exploiting, analyzing and processing data on personal information, data on relationships of users, and data created by such users; and (vii) Setting up a branch or representative office in Vietnam is required for foreign companies in question.
For implementation of the Cybersecurity Law, there remain quite a few guiding regulations which will be issued by the Government and the relevant ministries when the Law comes into effect on 1 January 2019, such as the specified period for storing information data, procedures for cybersecurity checks, as well as requirements for storing information data in Vietnam.
For further information, please contact:
Dang The Duc, Partner, Indochine Counsel