On June 12, 2018, the Vietnamese National Assembly passed the Law on Cybersecurity (the “Cybersecurity Law”), which will take effect on January 1, 2019. Among other aims, the law seeks to regulate data processing methods of technology companies that operate in Vietnam and restrict the Internet connections of users who post “prohibited” content. The seemingly broad application of the law’s provisions understandably caused concern among foreign tech companies serving Vietnamese end-users, with fears of mandatory data localization and requirements to establish a physical presence in Vietnam.
As is common in Vietnam, the Cybersecurity Law was drafted quite broadly with further specifics to be provided through future implementing guidance issued by the relevant authorities. While earlier drafts of the implementing guidance saw the authorities pushing forward on all provisions of the Cybersecurity Law, the latest draft implementing decree published on October 31, 2018 has, to an extent, allayed concerns with an apparent narrowing of the law’s scope of application. Issues do, however, remain.
We discuss below key aspects of the Cybersecurity Law and the current draft implementing decree.
One-year grace period
The Cybersecurity Law will, in principle, affect both domestic and foreign companies that provide services through telecommunication networks or the Internet, or value-added services to customers in Vietnam. Interpreted broadly, these services would include social networks, search engines, online advertising, online broadcasting and streaming, e-commerce websites and marketplaces, internet-based voice/text services (OTT services), cloud services, online games and other online applications.
While it was originally envisaged that all such service providers would be required to comply with the Cybersecurity Law when it comes into effect on January 1, 2019, the latest draft decree proposes that service providers will have one year to comply with the law’s requirements following receipt of a request from the Ministry of Public Security. Assuming no changes when the final decree is issued, this would mean that no steps towards compliance need to be taken by a company until expressly instructed by the authorities. This should not only alleviate general concerns regarding the breadth of the law’s applicability, but more specifically should provide comfort to companies that were unsure of their ability to meet the looming January 1 deadline for compliance.
Localized storage and retention of personal data
Online service providers subject to the Cybersecurity Law will be required to store the personal data of Vietnamese end-users in Vietnam for the legally prescribed period of time, and surrender such data to Vietnamese government authorities upon request. Personal data in this context includes not only specifically-identifiable personal information such as name, date/place of birth, ID numbers, address and phone number, but also such things as job title, health status, medical records and biometrics. Data created by a user (e.g. uploaded information and synchronization or input from devices) and data regarding the relationships of a user (e.g. friends and groups with which an individual connects or interacts) are also covered by the data localization requirements.
Data retention periods depend on the type of data being stored. Personal data must be stored in Vietnam for as long as the service provider continues to provide the covered services, while data created by users and data regarding the relationships of users must be stored for a period of at least 36 months.
Content control and censorship
The Cybersecurity Law requires online service providers to supervise user posts and remove content “prohibited” by the Government within 24 hours of receiving a request from either the Ministry of Information and Communications or the Ministry of Public Security. Prohibited content includes information opposing or otherwise offending the Socialist Republic of Vietnam. For example, “defamatory propaganda,” which could in theory encompass any critical or dissenting statements made against the Government, the Communist Party or any of their respective members or officials, is prohibited. Content deemed to encourage political or socioeconomic activism and anti-State activity similarly violates the Cybersecurity Law.
If an online service provider flags a user for posting prohibited content, it must stop providing an Internet connection to such user and essentially block the user from its telecommunication networks. Providers may even be compelled to report and turn over user information if requested by relevant authorities. Compliance with the new law could therefore require companies to violate their own terms of service (and possibly the laws of other jurisdictions) regarding protection of users’ privacy, thereby putting online service providers in the unenviable position of having to choose between complying with the Cybersecurity Law and protecting the personal data of users.
Establishment of branches or representative offices of offshore service providers
The Cybersecurity Law ostensibly requires all offshore service providers to open branches or representative offices in Vietnam, but the draft decree has thankfully curtailed its reach by identifying a number of criteria (relating for the most part to breaches of law or a failure to cooperate with local authorities) that need to be met before an offshore service provider is required to establish a local presence. Specifically, under the draft decree an offshore provider is required to establish a local presence in Vietnam only if, among other things, (i) it allows users to commit cyberattacks, cybercrimes or other acts which disturb national security and public order or (ii) it violates the Cybersecurity Law, such as by obstructing cybersecurity policing or failing to verify users’ personal details, keep users’ personal information confidential, provide users’ information to the relevant authorities or timely remove illegal content.
The draft decree assigns responsibility to the Ministry of Public Security to identify which offshore service providers are subject to the local presence requirement. Given that the criteria are open to broad interpretation, the Ministry will effectively be the arbiter of whether or not any particular offshore service provider must establish a local presence in Vietnam. A company engaging in any of the covered activities in Vietnam may therefore be caught by this requirement at some point in time, though that is certainly an improvement over the initial fear that every such company would automatically be covered from the date of the law’s implementation.
Potential penalties for non-compliance
While the consequences for failing to comply with the Cybersecurity Law have not yet been announced, officials have indicated that express service bans are unlikely. Local companies have, however, previously been pressured to suspend advertising on sites seen as promoting anti-State material, and the new law provides a further basis for authorities to undertake such efforts.
As the implementation of the Law on Cybersecurity continues to unfold, companies providing online services to customers in Vietnam will no doubt be watching with a keen eye. For the time being, while concerns do remain, the direction in which the authorities appear to be leaning as they seek to put flesh on the bones of the Cybersecurity Law does at least seem to back off from some of the more onerous provisions that foreign tech companies in particular find so concerning.