The National Assembly of Vietnam passed the Law on Cybersecurity (“Law”)
on 12 June 2018 by a vast majority. This comes one year after the release of
the first draft of the Law.
This Law will take effect on 1 January 2019.
The full text of the Law has not been officially issued. However, news reports
indicate that the draft approved on 11 June and put to vote and passed on 12
June incorporates changes to the most recently published version of the draft
law (i.e., the 18th version). On 12 June, VNEconomy published a full
Vietnamese text of the Law, which can be viewed here.
Below are the key provisions of the Law:
1. Scope of Entities Subject to Data Localization and Office Requirements
Article 26.3 requires certain entities to store data within the territory of Vietnam. This requirement applies to domestic and foreign enterprises, which:
- provide services on the telecom network, the internet and value-added services on cyberspace in Vietnam; and
- are involved in the collection, exploitation, analysis, [and/or] processing of personal information, data about users’ relationship [and/or] data generated by users in Vietnam.
Foreign businesses that fall within the scope of this clause are also required to establish either a branch or a representative office in Vietnam. The Government will provide further details on such requirements in upcoming implementing decrees and circulars.
2. Data Localization Requirement
Under Article 26.3, the following information must be stored in Vietnam for a duration of time (which will be specified by the Government in implementing regulations):
- personal information;
- data about users’ relationships; and
- all other data generated by users in Vietnam.
The Law does not define any of the data/information mentioned above.
As stated above, such data must be stored in Vietnam for a duration of time. This requirement appears to be both a data localization requirement and a data retention requirement.
Under this Article, it is still unclear whether such data must be stored exclusively in Vietnam, because this provision could mean either of the following:
- a copy of the data must be stored in Vietnam for a duration of time (i.e., data can be stored in foreign countries, as long as a copy of such data is stored within Vietnam. Entities subject to this requirement can delete information stored in Vietnam after the statutory storage period); or
- data must be stored exclusively in Vietnam for a duration of time (i.e., storage of such data in foreign countries during the statutory storage period is prohibited).
3. Cybersecurity Audit of Information Systems of Agencies and Organizations
The specialized force for cybersecurity of the Ministry of Public Security (“MPS”) may carry out an audit of information systems that are not in the “List of Information Systems Critical to National Security” in the following circumstances:
- There is an act violating the laws on cybersecurity that prejudices national security, or causes serious harm to social order and safety; or
- There is a request from the information system owner.
Subjects of a cybersecurity audit shall include:
- Hardware and software systems and digital devices used in such information system;
- Information stored, processed, and transmitted in the information systems; and
- Measures to protect State secrets, and to prevent the revelation or loss thereof through technical channels.
Before the audit, the specialized force in charge of cybersecurity protection shall issue at least 12 hours’ written notice to the information system owner. Within 30 days after the audit, the specialized force will notify the information system owner of the audit result and issue requests to the owner if any security vulnerability or flaw is detected.
4. Handling of Illegal Content
Illegal content under the Law on Cybersecurity is mainly addressed in the following Articles:
- Article 8: Prohibited acts;
- Article 16: Prevention and handling of information contents in cyberspace that are used for propaganda against the Socialist Republic of Vietnam, instigate violent disturbances, disrupt security or disturb public order, are embarrassing or slanderous, or are in violation of the economic management order;
- Article 17: Prevention of and fighting against cyberespionage, protection of State’s secrets, work secrets, trade secrets, personal secrets, family secrets and private life on cyberspace;
- Article 18: Prevention and handling of uses of cyberspace, information technology or electronic means in violation of legislation on national security, public safety and order;
- Article 29: Protection of children on cyberspace.
Required actions regarding illegal content
Enterprises providing services on the telecom network, the internet and value-added services on cyberspace in Vietnam (“Cyberspace Service Providers”) are required to:
- Prevent the sharing of, and delete, information containing any illegal content that is used for propaganda against the Socialist Republic of Vietnam, instigates violent disturbances, disrupts security or disturbs public order, is embarrassing or slanderous, or is in violation of the economic management order, on the services or information systems directly managed by Cyberspace Service Providers, within 24 hours from the time requested by the specialized force in charge of cybersecurity protection under the MPS or competent authorities under the Ministry of Information and Communications (“MIC”);
- Record system logs to assist the investigation and handling of violations of laws on cybersecurity for the period of time required by the Government;
- Refrain from providing, or cease to provide such services to organisations or individuals that post cyberspace information containing any illegal content mentioned above when requested by the specialized force in charge of cybersecurity protection under the MPS or competent authorities under the MIC.
Protection of children
For content that harms or prejudices children or children’s rights, Cyberspace Service Providers are obligated to prevent the sharing of such content, to delete it, and to notify and cooperate in a timely manner with the competent cybersecurity authorities under the MPS to handle the infringing content. However, there is no takedown timeline for such requests.