10 things to know about the Cybersecurity Law in Vietnam

In mid-2018, the National Assembly passed the Law on Cybersecurity (“Cybersecurity Law”) after more than a dozen of drafts with intensive debate among domestic and international experts. It is believed that the promulgation of this legislation will create major impact on internet-based businesses in Vietnam. Below are 10 key points to note about this new regulation.

1. Effective date and background of the promulgation.
The Cybersecurity Law was adopted on June 12, 2018 and will come into effect from January 1, 2019. During the drafting of the Cybersecurity Law, there was concern that the governing scope of this law could overlap with the Cyber Information Security Law (effective from July 1, 2016), which broadly covers, among others, the protection of personal information but also cyber information security, regulation on standards and technical regulation, protection of information systems, and regulation on cyber information security products and services. However, there seems to be no clear and official guidance to this issue until now.

2. Cyberspace Service Providers.
This legislation governs activities protecting the national security and ensuring social order in cyberspace. Since the governing scope of this legislation is broad, any domestic or foreign entities which provide services on telecommunication network and the internet, including those which provide value-added services on cyberspace in Vietnam (such as social networks, search engines, online advertising, e-commerce websites/marketplaces, cloud services, online games/applications and OTT services) (“Cyberspace Service Providers”) are covered by this legislation.

3. Notable prohibited acts and illegal content.
In order to ensure a safe cyberspace in Vietnam, the Cybersecurity Law has specified several illegal acts and contents which Cyberspace Service Providers and users must take into account, such as the following: those used for propaganda against Vietnam, instigate disturbances, disrupt security or disturb public order; are humiliating or slanderous; violate economic management order; provide untruthful information for the purpose of panicking society or causing damages to social and economic activities; cyberespionage; cyber-terrorism; cyber-crimes or attacking, infiltrating or destroying information systems critical to national security.

4. Information Systems Critical To National Security.
In order to differentiate information systems, the Cybersecurity Law introduces a list of important information systems which shall be subject to a higher level of protection, such as those systems which are critical to national security. “Information system critical to national security” means information system of which any error, infiltration, loss of control, defect, disruption, non-response, freezing, attack or destruction of which shall cause material infringement to cybersecurity, such as information systems on military, security and diplomacy. Given the importance of such systems to the cybersecurity in Vietnam, the Cybersecurity Law stipulates several protective measures to be conducted by government bodies, including (i) cybersecurity appraisal for system upgrading, (ii) assessment of security conditions before operation, (iii) checking and monitoring, and (iv) responsive measures to cybersecurity incidents.

The Prime Minister has the power to issue, amend and supplement the “List of Information Systems Critical to National Security.”

5. Obligation to cooperate with authorities in handling violation.
Information system owners (i.e. organizations, including both government bodies and private entities, and individuals having power to directly manage information system) and Cyberspace Service Providers in Vietnam must cooperate with the authorities in dealing with illegal content. In addition, information system owners are requested to manage their information systems and implement technical methods to detect, prevent and remove illegal content upon authorities’ request.

6. Audit of information systems not included in the List of Information Systems Critical to National Security.
Owners of information systems which are not listed in the List of Information Systems Critical to National Security could be subject to an audit by a cybersecurity special unit under the Ministry of Public Security of Vietnam (“MPS”) if a violation of cybersecurity laws infringing national security or causing material damage to social order and safety is detected or the information system owner so requests. Subjects of a cybersecurity audit include: (i) hardware and software system and digital devices used in the information system, (ii) information stored, processed and transmitted in the information systems, and (iii) measures to protect State secrets, and to prevent the leakage or loss thereof through technical gateways. The specialized unit under the MPS shall inform the information system owner in writing of the audit at least 12 hours prior to the audit. The confidential audit result together with remedial actions and recommendations shall be notified by the special unit to the information system owner within 30 days from the completion of the audit.

7. Statutory actions to be implemented by Cyberspace Service Providers to ensure information security in cyberspace.
Cyberspace Service Providers (whether onshore or offshore) are obligated to: (i) authenticate users’ information upon registration; (ii) keep user information and account confidential; (iii) delete information containing any illegal content on the services or stored in the information systems under their direct management and prevent the information from being disseminated within 24 hours from the time of the authorities’ request; (iv) record system logs to assist the investigation and handling of violations of the cybersecurity laws in the period prescribed by the Government; and (v) refrain from providing or cease to provide such services to organizations or individuals that post information containing illegal content on the cyberspace as per authorities’ request.

8. Data localization, data retention and local presence requirements.
Under Cybersecurity Law, the Cyberspace Service Providers (whether onshore or offshore) which are involved in the collection, exploitation, analysis and/or processing of personal information, data on user relationship and/or data generated by users in Vietnam must store the data within the territory of Vietnam for a duration of time. It is unclear whether “storing the data within the territory of Vietnam” requires offshore Cyberspace Service Providers to physically locate its server to store the data in Vietnam. It is noteworthy that the express provision under previous drafts of the Cybersecurity Law which requests Cyberspace Service Providers to locate its server to store the data in Vietnam is not found in the promulgated Cybersecurity Law. Please note that Offshore Cyberspace Service Providers are also requested to establish a branch or representative office in Vietnam.

9. Protection of Children on Cyberspace.
Information system owners and Cyber Service Providers are responsible for control of information stored in the information systems or on the services to keep children from being harmed and to prevent children and their rights from being infringed. They must prevent the sharing of content and delete contents that harm or prejudice children or children’s rights. Concurrently, they are requested to send a prompt notice to and to cooperate with the specialized unit under the MPS in handling the said infringing content.

10. Issuance of guiding documents.
There are some unclear points in the Cybersecurity Law which need to be clarified before its effective date, such as: (i) sanctions for non-compliance with these requirements (including the remedial actions and recommendations provided by after audit by the MPS special unit, (ii) how to enforce the liabilities of offshore Cyberspace Service Providers, and (iii) how to store the data in Vietnam (including whether storing a copy of data in Vietnam is acceptable or not in light of the data localization requirements). The Government is expected to issue the first draft of guiding documents by early October 2018 and it is hoped that all unclear points will be addressed.

 Ha Hoang Loc, Nguyen Tuan Anh, and Jumpei Nagaoka