Vietnam’s National Assembly yesterday overwhelmingly approved a heavily-debated Cyber-Security Law that could have significant impact on all online service providers with clients or customers in Vietnam. While the stated aim of the new Law is to “protect national defense and ensure social order”, it imposes obligations on digital businesses that could have far-reaching and unintended effects without necessarily advancing the Law’s primary objective. Key among such obligations are data localization and mandatory commercial presence rules that should worry not only tech giants but any company providing online services to customers in Vietnam.
While much of the commentary has focused on social network providers (e.g. – Facebook, Youtube) or ‘pure tech’ behemoths (e.g. – Google), the language of the Law is broad and potentially captures a wide range of business activities and models. First and foremost, the Law appears to cover all enterprises (whether based onshore or offshore) that “provide services on the telecommunication network, internet, and other value-added services on the internet in Vietnam.” In the digital age, this wide language covers a vast array of activity and is clearly not limited to social media services. Take banks as an example. If a foreign bank provides an online service to a client in Vietnam (including a non-Vietnamese citizen resident in Vietnam), will it be covered by this Law? The answer is clearly yes according to the wording of the Law. Another example would be an online booking services company like AirBnB which is accessible to, and used by, residents of Vietnam. Again, such service activity is clearly covered by the wording of the Law, whether or not that is the true intent.
Once a company is covered by the Law, other requirements may apply. For example, the Law requires companies to “authenticate upon registration” and “keep confidential” users’ information. Critically, companies (wherever located) must also cooperate with the authorities to provide information of their users when such users are investigated or deemed to breach laws on cybersecurity. Companies also need to grant the authorities access to their information system when there is “a serious breach of law or action causing serious loss to the public order and safety.” Unclear as ever, these regulations will require further elaboration in implementing Decree(s), as well as implementation in practice, before the true implications can be known.
Another significant requirement is data localization. Compared with earlier drafts, the version approved by the National Assembly appears to narrow down the kinds of companies which must perform data localization. Nevertheless, the potential scope is broad: companies which “collect, exploit, analyze, or process” personal information, information created by users in Vietnam and data on the relationship of the users must store data locally for a period of time. However, the language of the Law on this is still very vague and, absent further guidance, open to discretion of the authorities to interpret. To take previous examples, a bank could be deemed as “collecting, exploiting, analyzing, processing” personal information of users in Vietnam when it establishes or provides online banking services for such clients. A booking reservation company, or an online film provider (e.g. Netflix) does the same. Read literally, all such companies will need to ensure data localization within Vietnam.
Not only that, such companies will also be required to establish commercial presences in Vietnam (either a branch or a representative office). Oddly enough, it is unclear whether establishment of a fully-fledged subsidiary in Vietnam would be sufficient under the Law. Many companies supply services to their customers in Vietnam via the internet without having a commercial presence in Vietnam. This kind of blunt instrument will cause uproar and, one presumes, flagrant violations will abound which, for the most part, authorities in Vietnam will be unable to pursue on any practical level (though the desire and ability to shut off access to individual websites may grow over time). The Law gives some wriggle rooms on this point by assigning the Government to elaborate the commercial presence requirement further and we may find that the scope will be narrowed down.
Many tech and non-tech companies voiced their concerns in the lead up to this Law. However, the National Assembly justifies its approval based on the need to ensure national defense and security. A National Assembly spokesperson has stated that the regulations are feasible and not contrary to free trade agreements that Vietnam is a party to. The jury however remains out on both these points.
The Law will take effect on 1 January 2019. Implementing Decree(s) are expected to elaborate further prior to then though no drafts are available for review at present.
By Giles Cooper and Le Nguyen Duy Hau. For more information about the new cyber-security regulations in Vietnam, please contact Giles at GTCooper@duanemorris.com, Hau at HNLe@duanemorris.com or any of the lawyers in our office listing. Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.