VIETNAM – CYBERSECURITY – COMPARING VIETNAM’S CYBERSECURITY LAW WITH ITS COMMITMENTS UNDER THE CPTPP, EVFTA

Vietnam’s latest Law on Cybersecurity came into force on 1 January 2019. The law sets out rights and obligations on domestic and foreign companies providing services to customers in Vietnam over telecom networks or the Internet. The two provisions of the Law that are the most controversial are arguably Data Localization (offshore and onshore online service providers are required to store Vietnamese users’ information within the country for a period of time) and Commercial Presence (the same companies must establish a commercial presence in Vietnam either in the form of a branch or representative office). It has been questioned whether these provisions are contradicting international treaties that Vietnam is a signatory to, including the CPTPP and the EVFTA. In answering this question, we shall examine Vietnam’s commitments under each Agreement.

Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP):

No import tax to be imposed on e-commerce transactions. However, Vietnam has the right to impose local taxes, fees and charges on “electronically transmitted content”, provided that such taxes, fees or charges are in accordance with provisions of the Agreement.

Cross-border transfer of information by electronic means is allowed. The cross-border transfer of information, data by electronic means is only for business activities or a legal entity. Vietnam has the right to have separate requirements for data transfer by electronic means and take necessary measures to implement legitimate public policies, but on the condition that the policies does not create disguised barriers to trade or are applied in a discriminatory or arbitrary manner.

Data localization requirement is not mandatory. Vietnam is not allowed to require the use or location of servers in the host country as a business condition. However, Vietnam has the right to make specific management requirements regarding the use or location of servers, including requirements to ensure communications security and confidentiality; and take necessary measures to implement legitimate public policies, but on the condition that the policies does not create disguised barriers to trade or are applied in a discriminatory or arbitrary manner.

CPTPP countries agreed not to sue Vietnam if its cybersecurity regulations are deemed to be inconsistent with the CPTPP Agreement (specifically, two obligations of free cross-border information flow and server localization in the E-Commerce Chapter) within 2 years after the date of entry into force of the CPTPP Agreement.

Reserving measures related to national security and defense, public order and privacy. Vietnam has the right to have separate management requirements for cross-border transfer of data or information by electronic means, using or locating servers (including requirements to ensure communications security and confidentiality); Vietnam has the right to take necessary measures to implement legitimate public policies, but on the condition that they do not create a disguised trade barrier or are applied in a discriminatory or arbitrary manner.

The validity of electronic authentication and electronic signatures must not be denied. However, Vietnam may require that, for a particular category of transactions, the method of authentication meets certain performance standards or is certified by an authority accredited in accordance with its law. In practice, though not stated in the law, all application dossiers to the local Department of Planning and Investment still require wet ink signature, even if the investor is abroad.

EU-Vietnam Free Trade Agreement (EVFTA):

The issue of Cybersecurity could be found in Chapter 8 of the EVFTA, Section F of which states that “the Parties, recognizing that electronic commerce increases trade opportunities in many sectors, shall promote the development of electronic commerce between them, in particular by cooperating on the issues raised by electronic commerce under the provisions of this Chapter of EVFTA”.

As committed under the EVFTA, Vietnam and EU shall maintain dialogues on regulatory issues raised by electronic commerce, which shall, inter alia, address the following issues:

•the recognition of certificates of electronic signatures issued to the public and the facilitation of cross-border certification services;
•the liability of intermediary service providers with respect to the transmission or storage of information;
•the treatment of unsolicited electronic commercial communications;
•the protection of consumers in the ambit of electronic commerce; and
•any other issue relevant for the development of electronic commerce.

This dialogue may take the form of exchange of information on the EVFTA’s Parties’ respective laws and regulations on the issues referred to above issues as well as on the implementation of such laws and regulations.

From the above, it could be seen that the international treaties leave a lot of room for Vietnam to develop its own regulations. In other words, due to their vague language and absent of further guidance, the provisions are open to the discretion of the local authorities. As such, to answer the question at the beginning, the Law on Cybersecurity and accompanying legal documents stipulating that foreign enterprises operating commercially in cyberspace must set up a representative office and store data in Vietnam for a period of time is not contrary to international practice outlined in the CPTPP and EVFTA.

***

Please do not hesitate to contact the author Dr. Oliver Massmann under omassmann@duanemorris.com. Dr. Oliver Massmann is the General Director of Duane Morris Vietnam LLC, Member to the Supervisory Board of PetroVietnam Insurance JSC and the only foreign lawyer presenting in Vietnamese language to members of the NATIONAL ASSEMBLY OF VIETNAM.