The latest draft of the Law on Cybersecurity (Draft Law), submitted on 10 January 2018 for discussion at the 20th meeting of the Standing Committee of the National Assembly, among other things, provides more clarity on certain key terms and circumstances that trigger regulation of an offshore service provider.
Since the release of the first draft in June 2017, the drafting committee has continued to fine-tune the Draft Law to provide principles, measures, and activities to ensure the implementation of cybersecurity tasks; the responsibilities of relevant agencies, organisations, and individuals in management positions, providing services in cyberspace, and using cyberspace; and the protection of cybersecurity of the Socialist Republic of Vietnam. However, the latest draft does not depart significantly from the previous versions in that the data localization requirement remains.
A summary of the key updates to the Draft Law is provided below.
1. Terms added and/or amended (Article 3)
In response to the National Assembly representatives' concern that the terms featured in previous drafts were overly broad and vague, the Draft Law now defines the following terms:
- "Cyber service" is defined as a program applied to implement a cyber task or function.
- "Cyber application" is defined as an application that provides services in cyberspace.
- "Cybersecurity threat" refers to any occurrence in cyberspace which is likely to encroach upon national security, social order and safety, or the legitimate rights and interests of organizations or individuals.
- "Cybersecurity incidents" refers to any unusual occurrence in cyberspace that is prejudicial to national security, social order and safety, and the legitimate rights and interests of organizations or individuals.
We note that the term "Internet service providers" is used throughout the Draft Law without a definition or clarity regarding its scope. In other words, it is unclear whether "Internet service providers" refers to (i) providers of telecommunications services, including Internet access and connection, or (ii) companies that provide services on the Internet. This may lead to different interpretations and in turn affect companies with users in Vietnam when the Draft Law comes into effect.
2. Requirements on offshore entities when providing telecommunication or Internet services (Article 27)
What may be the most significant change in the Draft Law is the removal of the requirement that offshore entities have local servers in Vietnam. However, Article 27.4 of the Draft Law imposes the following on offshore entities providing telecommunications and Internet services in Vietnam:
- If (i) 10,000 or more Vietnamese users use their service, or if (ii) the Government so requests, such offshore entities must:
- Have headquarters or representative offices in Vietnam; and
- Store within Vietnam (i) the data of Vietnamese users, and (ii) other important data collected and/or generated from the use of Vietnam's national cyber infrastructure;
- Fulfil requirements provided by the competent Vietnamese authorities about the prevention and removal of information that infringes national security, social order and safety and legitimate rights and interests of organizations and individuals; provide Vietnamese users’ data upon request and deal with matters in violation of the Cybersecurity Law.
In effect, the requirement to store the data of Vietnamese users in Vietnam is similar to the requirement of having local servers within Vietnam. This draft is, however, still subject to further review and adjustments.
3. Obligations of service providers
3.1. User data verification by telecommunication and Internet service providers:
The Draft Law maintains the requirements for Internet service providers to:
- Set up mechanisms to authenticate information when users register digital accounts to assure the confidentiality and the veracity of registration information, and
- Provide such information to the competent cybersecurity authorities upon request (Article 27.3).
Moreover, the cyber service and/or cyber application provider is also required to cooperate with the competent authorities in adopting measures to identify and verify the identities of users (Article 40.11).
3.2. The suspension of cyber services upon request of competent authorities (Article 40)
The Draft Law provides that a cyber service and/or cyber application provider is obligated to, among other things, promptly suspend the production of digital devices and the provision of cyber services and applications, give timely notification to related parties, and take remedial action when any of its digital devices, cyber services, or applications has been discovered to have possibly disrupted cybersecurity.
However, the Draft Law sets out no detailed procedure or due process that the competent authority must follow when requesting the cyber service and/or cyber application provider to halt or stop providing digital services.
3.3. Child protection and content restrictions
Internet service providers are responsible for:
- Controlling information content on internet services provided by them, so that such content will not harm or prejudice children or the children’s rights; and
- Preventing the sharing of content and deleting any content that harms or prejudices children or the children’s rights.
With regard to content restrictions, Article 16.6 requires information system administrators/owners, telecoms and Internet service providers to closely coordinate with the competent authorities to handle illegal content.
4. Critical Systems (Articles 10, 11)
The Draft Law remains unclear as to when an information system develops to a point that it is critical to national security and social order, and thus constitutes a "Critical System".
Further, while the Draft Law maintains that administrators of Critical Systems must have products and services reviewed/appraised by the Ministry of Public Security prior to purchasing them, it does not include any details regarding the review/appraisal procedures, such as objective criteria, to determine their suitability for use in Critical Systems.
5. Final notes and Key concerns
The 15th draft of the Draft Law has added and developed provisions that touch on the importance of protecting national security and the legitimate rights and interests of individuals and organizations. However, the scope of application of certain provisions remains broad and vague. Moreover, offshore service providers are likely to be concerned over issues such as commercial presence and data localization requirements.