Vietnam's new Cybersecurity Law: A headache in the making? · 2018-08-24


CYBER SECURITY PRACTITIONER

VIETNAM

Vietnam’s new Cybersecurity Law: A headache in the making?

Vietnam’s National Assembly has overwhelmingly approved a heavily debated Cybersecurity Law (‘the Law’) that could have a significant impact on all online service providers with clients or customers in Vietnam. While the stated aim of the Law is to ‘protect national defense and ensure social order[1],’ it imposes obligations on digital businesses that could have far-reaching and unintended effects without necessarily advancing the Law’s primary objective, as Giles Cooper and Hau Le of Duane Morris Vietnam LLC explain.

For the greater good

Vietnam is a country enjoying rapid economic development and, not coincidentally, is simultaneously witnessing an explosion of online connectivity and activity. One report states that nearly half of Vietnam’s approximately 90 million population are regular internet users[2]. According to the Government, these developments also pose a threat to national security, especially when social networks are used more frequently by citizens and non-citizens to air criticisms about Government behaviour, not all of which is justified or accurate. More ‘traditional’ online risks abound as well, with one report by an online security firm concluding that the country has lost $542 million as a result of cyber attacks and ransomware in 2017 alone[3]. Kaspersky Lab ranked Vietnam as the country to receive the second highest amount of cyber attacks globally in 2017.

The need to address these problems has resulted in efforts by the Government to not only regulate, but also control, cyber activities in the country. The draft Law was introduced in 2016 in response to such threats and was subject to much debate and discussion prior to its formal passage in June 2018. The Law will take effect on 1 January 2019. As one senior lawmaker put it, even though the Law may “curb personal rights […] [it] is necessary for a bigger cause[4].”

While lawmakers frequently need to balance personal freedoms with the public good, question marks have been raised about the full scope of the Law, intended or otherwise, and whether the balance reached is appropriate or might unduly stifle online activity, particularly commercial business activity, at a time when the Government is actively pushing to position Vietnam as an ‘Industry 4.0’ player. In this regard, the obligations for data localisation and the need to establish a commercial presence in Vietnam placed on online service providers are of most concern. According to a report by the Ministry of Public Security to the National Assembly, the rationale for such obligations is to create a ‘cleaner Internet environment’ and force companies to be more responsible in complying with Vietnamese law and political tradition. Unsurprisingly though, such statements have not assuaged the concerns of internet service providers who fear the Law creates unclear and unnecessary barriers to business and could put some providers off offering their services in Vietnam altogether.

The worries in essence

While much of the commentary on the impact of the new Law has focused on the providers of social networks (e.g. Facebook, Youtube) or ‘pure tech’ behemoths (e.g. Google), the language of the Law is broad and potentially captures a wide range of business activities and models. First and foremost, the Law appears to cover all enterprises (whether based onshore or offshore) that ‘provide services on the telecommunication network, internet, and other value-added services on the Internet in Vietnam[5].’ In the digital age, such general language covers a vast array of online activities and is clearly not limited to just social media services.

Take banks as an example. If a foreign bank provides an online service to a client in Vietnam (including a non-Vietnamese citizen resident in Vietnam) will it be covered by this Law? The answer is clearly yes according to the wording of the Law. Another example would be an online booking services company like AirBnB which is accessible to, and used by, residents in Vietnam. Again, such activities will clearly be covered by the wording of the Law, whether or not that was the intention.

Once a company is covered by the Law, other requirements may apply. For example, the Law requires companies to ‘authenticate upon registration[6]’ and ‘keep confidential[7]’ users’ information. Critically, companies wherever they are located must also cooperate with the authorities to provide information[8] about their users when such a user is investigated or deemed to be in breach of the Law. Companies will also need to grant the authorities access to their information system[9] when there is ‘a serious breach of law or action causing serious loss to the public order and safety[10].’ Unclear as ever, the Law will require further elaboration through implementing decrees, as well as implementation in practice, before the true implications can be known, but it appears that the executive bodies could extend such requests without the need to have a competent court involved.

Giles Cooper, Partner and Co-General Director; Hau Le, Associate; Duane Morris Vietnam LLC, Ho Chi Minh City

A Cecile Park Media Publication | July 2018

These obligations are, in fact, not entirely new. Vietnam currently has two regulations that place similar obligations on companies. Decree 72, issued in 2013 regulating internet businesses, imposes similar prohibitions and obligations on ‘internet service providers.’ In addition, Circular 38, issued in 2016 by the Ministry of Information and Communications, sets out a reasonably clear process by which offshore internet-based service providers must cooperate with the Government to combat ‘bad’ and ‘toxic’ content on the internet. According to a Google Transparency Report, since 2009, Google received 67 requests from the Government for removal of material from Google’s platforms (affecting 6,594 items) and a number of requests for provision of user data. Google accepted some requests and declined others[11]. The same approach was taken by Facebook with a similar outcome[12]. Despite this, it is reasonable to expect that the new Law will provide further teeth to the Government to proactively (even pre-emptively) restrict companies that fail to comply with takedown requests. While the terms of the Law itself contain few clues on what sort of action could be taken, technical barriers such as firewalls and/or financial penalties are possibilities.

While there are clear and obvious concerns for companies providing online services to customers or clients in Vietnam, the Law could have a broad impact on other companies and industries as well. For example, a company that entrusts a service provider with confidential information will often first require a non-disclosure or confidentiality agreement (‘NDA’). However, standardised NDAs frequently exclude recipients from obligations when they receive legal requests from a competent authority or government. With the new Law in place and a relatively vague and easy process for executive bodies to request information, market practice may require an overhaul. Take a law firm in Vietnam that uses a third-party cloud storage service as an example. Theoretically, the service provider, as an entity providing online services to a customer in Vietnam, may need to provide the information it holds about such law firm, including the law firm’s clients, to the Government on request. Such a scenario is perhaps wildly hypothetical at the moment, but prudent companies ought to take note and look with fresh eyes at contractual agreements relating to the protection of confidential information.

Data localisation

Another significant requirement of the new Law is data localisation[13]. Compared with earlier drafts, the final version of the Law approved by the National Assembly appears to have reduced the types of companies that must comply with the data localisation requirements. Nevertheless, the potential scope is broad: companies that ‘collect, exploit, analyze, or process[14]’ personal information, information created by users in Vietnam and data on the relationship of the users, must store data locally for a period of time. However, the language of the Law on this is still very vague and, absent further guidance, open to the discretion of the authorities.

To take a previous example, a bank could be deemed to collect, exploit, analyse, or process the personal information of users in Vietnam when it establishes or provides online banking services to such clients. A booking reservation company, or a media services provider (e.g. Netflix) would also be caught within this definition. Read literally, all such companies will need to ensure that data is localised within Vietnam.

In an earlier draft of the Law, lawmakers seemed to have a more stringent intent, requiring companies to maintain servers in Vietnam. However, despite the approved text not expressly requiring this anymore, it is not clear how a data localisation obligation can be met without onshore servers; presumably the difference may be who owns the servers.

In the immediate aftermath of the Law’s adoption, lawmakers justified their decision to pass the Law by referring to a number of other countries that have similar data localisation rules in place. However, critics point out that while protection of data confidentiality may be a valid reason to implement data localisation rules, the Law does not impose any new obligations to keep data confidential. For example, while Australian law requires all information regarding citizens’ health to be localised for safety reasons, and the EU’s General Data Protection Regulation makes it clear that a company can only transfer user data outside EU territory when and where it can ensure equal or better protection for such data, no such similar mechanisms or obligations are provided in the Law in Vietnam.

Commercial presence

The same companies will also be required to establish a commercial presence in Vietnam (either a branch or a representative office). Oddly enough, it is unclear whether establishment of a fully fledged subsidiary in Vietnam would be sufficient under the Law (read literally it would not). Many companies supply services to their customers in Vietnam via the internet without having a commercial presence in Vietnam. This kind of blunt instrument will cause uproar and, one presumes, flagrant though unintended violations will abound which, for the most part, authorities in Vietnam will be unable to pursue on any practical level (though the desire and ability to shut off access to individual websites may grow over time). The Law provides some wriggle room on this point by assigning the Government the job of elaborating the commercial presence requirement further, and we may find that the scope will be narrowed when the implementing regulations are developed.

Conclusion

Many tech and non-tech companies voiced their concerns in the lead up to the Law’s passage. The National Assembly justifies its approval based on the need to ensure national defense and security. Little serious examination has yet been made as to whether the Law, especially the data localisation rules, might conflict with Vietnam’s international commitments. While lawmakers have asserted that national security is a valid exception to what might otherwise be a breach of the World Trade Organization commitments, the recent Comprehensive and Progressive Agreement for Trans-Pacific Partnership (‘CPTPP’) to which Vietnam is committed effectively requires Member States to ensure free flow of information and, in principle, is against data localisation rules per se[15]. Canada and the US have, through their embassies, voiced some concerns on these issues.

Despite the objections, the President of Vietnam formally signed in the Law on 2 July 2018, which will take effect on 1 January 2019. A National Assembly spokesperson has stated that the regulations are feasible and not contrary to free trade agreements that Vietnam is a party to. Inevitably, the devil will be in the detail which will take the form of implementing decrees prepared by the Ministry of Public Security. Many eyes are on this process though no drafts have been made public and little is known about the approaches being considered with respect to how to interpret and implement the Law. This is an important process and companies have various avenues to get involved in the process to share their views and put forward policy, as well as technical, comments.

1. Article 1 of the Law.
2. https://www.opengovasia.com/articles/6609-vietnam-recognized-among-countries-with-the-most-Internet-users
3. https://e.vnexpress.net/news/news/vietnam-loses-542-million-to-cyber-viruses-in-2017-3692898.html
4. https://e.vnexpress.net/news/news/cyber-security-law-restrictions-worry-vietnamese-legislators-3756271.html
5. See for example Articles 1, 26, and 28, Cybersecurity Law.
6. Article 26, Cybersecurity Law.
7. Ibid.
8. Ibid.
9. Articles 24 and 26, Cybersecurity Law.
10. Ibid.
11. https://transparencyreport.google.com/government-removals/by-country/VN?country_request_amount=group_by:totals;period:;authority:VN&lu=country_request_amount
12. See https://transparency.facebook.com/
13. Article 26, Cybersecurity Law.
14. Ibid.
15. Article 14.11 of the CPTPP points out that ‘Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person’ (Clause 2) and that no measures to prevent free flow of information can be applied if it is not for legitimate public purpose and it is applied ‘in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction’ and does ‘impose restrictions on transfer of information greater than are required to achieve the objective.’ Essentially, a blanket data localisation rule may contravene Article 14.11 of the CPTPP.