A new law in Vietnam enabling state control of cyber data will have wide-ranging implications for business costs and compliance. The powers it gives to the Government are extensive, and its coverage is unprecedented. Partner Linh Bui and Associates Hien Nguyen and Khanh Nguyen report on the key issues.
Vietnam's National Assembly has passed its new Law on Cybersecurity. The Law on Cybersecurity becomes effective 1 January 2019, and will monitor cyberspace activities with the ultimate goal of maintaining Vietnam's national security and 'social order'. While not being the first legal instrument for regulating the handling of cyber data and information, the law is unprecedented in its far-reaching coverage and the extensive powers it gives to the state.
The law sets out a wide range of offending information that must be censored:
- anti-state information, such as slanders against the people's government or derogatory information about the national flag, emblem and/or leaders;
- information that incites riots or otherwise causes security and/or social disorders;
- libellous information;
- information violating the economic-management order, such as false information about the finance, banking and securities area; and
- false information causing unrest among the population, damaging economic-social activities, creating difficulties for the operation of government agencies and/or the duties of government officers, and/or harming the legal interests of other organisations and individuals.
Besides prohibiting the spreading of offending information, the law also imposes measures to prevent numerous other offending acts, including cyber espionage; the use of cyberspace to breach laws relating to national security, social order and security network attacks; and cyberterrorism.
Article 26 of the Law on Cybersecurity imposes responsibilities to ensure cybersecurity for 'foreign and domestic enterprises when providing services on a telecommunication network, the Internet and value-added services in cyberspace in Vietnam'. Due to its generalities, this clause appears to capture any businesses of whatsoever nature as long as they are delivered via a network environment. This presents a departure from past legislations that primarily regulate telecom carriers and end-user content providers, such as news-aggregation websites and social network websites.
Service providers are responsible for:
- (Information verification and disclosure) verifying information when users register digital accounts, securing users' information and accounts, and providing users' information upon written request of the Cybersecurity Task Force (CTF) under the Ministry of Public Security as part of an investigation or action against cybersecurity law breaches;
- (Information censorship) blocking and removing offending information within 24 hours after receiving a request from the CTF or a responsible agency under the Ministry of Information and Telecommunications, maintaining system logs for a duration to be set by the Government, ceasing services to individuals and organisations that publish such information;
- (Information localisation) storing users' personal information data, data of users' relationship or data created by users in Vietnam for a duration to be set by the Government if they collect, exploit, analyse or process such data; and
- (Local commercial presence) if subject to the information localisation requirement, a foreign service provider must have a branch or representative office in Vietnam.
IT system owners are, to the extent not already covered above as service providers, generally required to implement technical and managerial measures to prevent, detect, block and remove offending information, as well as protect against cyber espionage, network attacks and cyberterrorism.
Under the new law, the CTF can inspect any IT system (i) on the ground of Cybersecurity Law breaches that harm national security or cause serious damages to social order and security, or (ii) upon request of the system owner. The CTF must send 12 hours' written notice prior to the inspection and deliver a report within 30 days thereafter. The scope of inspection may include, among others, software, hardware and digital devices, as well as information stored, processed or transferred thereon. The inspection result must be kept confidential, but there are no other rules for ensuring confidentiality when the inspection is on-going.
Other than inspection right, the Law on Cybersecurity also contemplates extensive powers for the authority to block, limit, suspend or terminate operation of an IT system. The Government is authorised to stipulate detailed application for these powers.
It is unclear if IT systems located overseas are also subject to the law in the way foreign service providers to Vietnam are, although it is doubtful the authority can enforce against them from a practical point of view.
If it is implemented to the fullest extent, the Law on Cybersecurity may cause significant burden for businesses. At the moment, the law's high-level approach and generic wordings mean much is left for the Government to determine. It has been signalled that many regulations are now in the pipeline, although their details and issuance timelines are yet to be announced. Until the effective date of 1 January 2019, the business community still has a chance to raise opinions and get involved in the drafting process of implementing regulations so as to mitigate more unwanted detrimental effects.
Several issues still subject to clarification that could have significant impact are:
- which 'service providers' in particular will have to comply with the law, eg whether information service contractors who work exclusively for corporate clients can be exempted;
- whether the scope of 'users' whose information must be verified and stored in Vietnam extend to corporate users or individual end-users only;
- categories of users' information that must be verified, stored in Vietnam and disclosed to the authority;
- whether information that must be stored in Vietnam can be stored elsewhere, and the statutory storage duration;
- whether a contractor that works for and collects data from another service provider that already stores data in Vietnam must still observe the data-localisation requirements;
- whether IT system owners are liable to self-censor their users' information or whether they only need to do so at the request of the authority;
- specific processes for appealing or the judicial review of a disclosure or inspection request, and mechanisms to ensure confidentiality in the event of an inspection; and
- cases where an IT system's operation can be blocked, limited, suspended or terminated.
If you wish to be updated of further cybersecurity regulatory developments, or would like to get involved in the consultation process, please do not hesitate to contact us.
Download an English translation of the Law on Cybersecurity,