Following the passing of the controversial Cybersecurity Law in June, the Ministry of Public Security recently released for public consultation a draft decree providing detailed guidance on this law. The draft contains a number of important clarifications of the localisation requirements applicable to foreign service providers. Partner Linh Bui and Associate Hien Nguyen report on the key issues that could affect businesses.
One key issue of the Cybersecurity Law (please see our Client Update: Vietnam issues a stringent new cybersecurity law) is the lack of definition of 'enterprise which provides services on telecom networks and on the Internet and other value added services in cyberspace' that is subject to localisation requirements. Under the draft decree, published on 2 November 2018, an enterprise is captured (Captured Service Provider) if it provides any of the following:
- telecommunications services;
- data storage and data sharing [services] in cyberspace;
- supply of national or international domain names for service users in Vietnam;
- online payment;
- payment mediation;
- transport connection services via cyberspace;
- social network and social media;
- online games; or
- email services.
According to the draft decree, the following types of user data (Captured Data) must be stored in Vietnam for the relevant periods:
- For the entire operational period of the [service provider] enterprise or until it ceases providing services:
  - personal information data of service users in Vietnam, including name, date of birth, place of birth, nationality, occupation, job title, residence address, contact address, email address, telephone number, ID number, passport number, social insurance card number, credit card number, health status, medical records and biometrics.
- For at least 36 months:
  - data generated by service users in Vietnam, including data uploaded, synchronized or input from [users'] devices; and
  - data of relationships of service users in Vietnam, including friends and groups that users connect to or interact with.
An enterprise (whether domestic or foreign) will need to store Captured Data, and have a branch or representative office, in Vietnam, if it passes all of the following tests:
- (a) it is a Captured Service Provider;
- (b) it collects, exploits, analyses, processes Captured Data;
- (c) it allows users to perform prohibited acts, as prescribed in Articles 8.1 and 8.2 of the Cybersecurity Law: eg dissemination of 'offending' contents, gambling, IP infringements, credit card/bank account theft, anti-state acts, acts to distort history, deny revolutionary achievements, damage national unity, offend religions, or constitute gender discrimination or racism, cyberterrorism and cyber-attacks;
- (d) it violates Article 8.4, 26.2(a) or 26.2(b) of the Cybersecurity Law: eg by obstructing the cybersecurity authority's activities, failing to verify users' information and provide information to the authority, or failing to remove and prevent the sharing of information considered 'offending' under the law.
Prongs (c) and (d) of the tests appear counter-intuitive in light of the Government's stated goals to regulate the market, as they could substantially narrow the localisation requirements to only those enterprises that breach the law and, at the same time, allow users to breach the law. It is unclear whether this is intentional or just a drafting mistake.
Enterprises that pass the tests must store data, and open a branch or representative office in Vietnam, within 12 months from the date the Minister of Public Security requests. It is not clear whether the Minister will make specific requests to individual companies or whether there will be a market-wide deadline for this to be done.
A Captured Service Provider must also store system logs for at least 12 months.
A number of issues remain unresolved in this draft decree:
- the manner in which the data shall be stored: eg physical or cloud-based;
- the use of the general term 'e-commerce' (as opposed to 'e-commerce services', such as provision of an e-commerce platform) in the draft suggests the regulation may apply to any commercial entities that conduct sale of goods and/or services on the internet/network environment;
- whether users are limited to individual users or include corporate users (although the types of Captured Data suggest the former);
- types of users' information that must be verified and provided to the authority; and
- specific measures and penalties that can be applied to breaches of the law, and any judicial review process in connection with disclosure and inspection requests.
As for the consultation process, the public has until 2 January 2019 to give comments on the draft decree. If you have any questions on cybersecurity and data privacy laws, or would like to get involved in the consultation, please do not hesitate to contact us.