On June 12, Vietnam’s National Assembly passed the Law on Cybersecurity with a huge majority. The law will take effect on January 1, 2019. The major provisions in the law include data localization, government control over online content, and setting up local offices in Vietnam. Although the law has been adopted, there are still some issues that lack clarity, and more changes are expected to be introduced and implemented before it takes effect.
Data localization—Onshore and offshore service providers will be required to store data of Vietnamese users in Vietnam. Service providers include:
- Firms providing services on a telecom network, internet, or other online value-added service
- Firms involved in collecting, utilizing, and processing user data, including personal information
Information that needs to be stored locally should include users’ personal information, online relationships, and all other data generated by the users. Further clarity on issues such as duration of storing users’ data and restrictions on the cross-border transfer of data may be provided through subsequent decrees and circulars.
Local office—Offshore entities under the purview of the law need to establish a branch or representative office in Vietnam.
Content control and audits—The Ministry of Information and Communications and the cybersecurity agency under the Ministry of Public Security have the authority to request that online and offshore service providers remove offensive content. They can also conduct an audit of information systems, which can include:
- Digital devices, hardware, and software systems
- Transmitted, processed, and stored data
The government authority will be required to send a notice to the system owner at least 12 hours prior to an audit and will provide the results of the audit within 30 days from the completion of the audit.
Illegal content according to the new law includes:
- Article 8: Acts such as inciting people against the state, distorting history, gender discrimination, religious offenses, racism, posting untruthful information, and human trafficking. In addition, it includes network terrorism, cybercrimes, and network attacks on information systems critical to national security.
- Article 16: Details about the prevention and treatment of information with propaganda contents against the state that can incite riots, disturb public order, cyber-humiliate, slander, and affect the socio-economic activities of the state.
- Article 17: Network espionage behavior that can violate state secrets, users’ personal information, and corporate secrets.
- Article 18: Using cyberspace in violation of the national security laws, social order, and safety regulations such as selling banned goods, using illegal means of payment, and piracy.
- Article 29: Protection of children in cyberspace.
Foreign governments and firms believe that the new law can affect foreign investments and firms operating in the country. According to the Vietnam Digital Communications Association, the new cybersecurity law could reduce GDP growth by 1.7% and reduce foreign investment by 3.1%.
However, the government believes that this law is necessary for national security and the protection of citizens, as Vietnam lacks a legal framework for cybersecurity issues.
Do you like our content? Join the GPMI community to get free education and articles straight to your inbox!
This article was first published in Vietnam Briefing.
Since its establishment in 1992, Dezan Shira & Associates has been guiding foreign clients through Asia’s complex regulatory environment and assisting them with all aspects of legal, accounting, tax, internal control, HR, payroll, and audit matters. As a full-service consultancy with operational offices across China, Hong Kong, India, and ASEAN, we are your reliable partner for business expansion in this region and beyond.
For inquiries, please email us at [email protected]. Further information about our firm can be found at www.dezshira.com.