Tag Archives: commercial presence

New Cyber-security draft decree – better but the show goes on

In October, we reported on a first draft decree to implement the Cyber-security Law and noted many concerns about its overtly stringent terms and, in particular, the threat it caused to development of a thriving e-commerce/ Industry 4.0 landscape.  Since then, the business community, among others, have been vocal on the shortcomings of the draft and offered up many comments and suggestions to address concerns.  With the release of a new draft early Novembers, it appears that the Ministry of Public Security (MPS), the decree’s authors, have listened.

 

The first clue is in the length of the new draft: cut dramatically in size from 66 clauses to just 30, it necessarily doesn’t cover as much ground as the first draft.  But the devil is always in the detail and, although the new draft is considerably less complex, particularly when it comes to issues affecting e-commerce, a close look reveals there are still areas worthy of further advocacy.

 

The question we have been asked most frequently is whether the Cyber-security Law itself, and its impending decree, govern every company on earth accessible over the Internet to Vietnam-based users. Taking the language of the “old” draft at face value, the answer was a clear affirmative, resulting in consequences both unreasonable and unnecessary to impose as well as impossible to enforce in practice, notably an obligation to localize data and establish commercial presences.  The new draft takes a much more balanced and practical approach and suggests that a far more limited number of companies will be subject to these requirements in practice. In particular, these key obligations look set to only apply to companies (whether local or international) which meet all of the following conditions:

 

  • providing one or more of specific services to users in Vietnam, including: (i) telecommunications, (ii) internet storage, (iii) internet data sharing, (iv) web hosting services, (v) e-commerce, (vi) online payment, (vii) payment intermediary, (viii) transportation connection service (think Uber), (ix) social network and social media, (x) e-gaming, and (xi) electronic mail;

 

  • collecting, exploiting, analyzing, and processing the data of Vietnamese users (see below for what amounts to “data”);

 

  • allowing its users to conduct activities prohibited by Articles 8.1 and 8.2 of the Cyber-security Law (i.e. – key Internet-based wrongdoings such as libel, anti-government propaganda, financial fraud etc.); and

 

  • committing wrongdoings covered by Article 8.4.a of the Law [this appears to be a typo as there is no such clause in the Law] or Article 26.2.b of the Law (this obliges companies to prevent sharing of and delete certain kinds of “wrongful” information within 24 hours of receipt of a request from the Vietnamese authorities).

 

While criterion (1) is still very broad, it at least removes from the scope any and all companies that had service-offering websites accessible by Internet from Vietnam (such as our hypothetical Irish bank in our October blog post). Still, many other tech companies such as Amazon, Agoda, Google, Facebook etc. would fall squarely within one or more categories covered there. However, this is just the top of a funnel: even is a company fits within criterion 1 (and therefore almost certainly criterion 2) they will not automatically be required to localize data or establish commercial presences in Vietnam.  Following approaches of other jurisdictions to assess and handle based on risk and conduct, such companies will only be required to take such steps if they fail to comply with what the Cyber-security Law expects them to do (read: cooperate with the government). It is good for business as now they can decide to cooperate and avoid strict monitoring rules.

 

Apart from this new and more tolerant “co-operate-or-comply” philosophy, the data which companies may need to store in Vietnam is also watered down slightly. The list now “only” covers information which can help identify users (i.e. – names, nationalities, occupations, residency, contact information, ID/passport numbers, credit card numbers, health records, biometrics) and other user-created data (i.e. data which users choose to upload, friend lists, groups users join or interact with).  Data such as “philosophical belief” or “political views” are no longer covered in the new draft decree.

 

As ever, there is some bad with the good.  The new draft seems to double down on granting power to the MPS to proactively examine the information systems of companies in Vietnam where it suspects wrongdoing.  There is little or no due process involved in such cases.

 

In conclusion, the MPS has clearly taken on board much of the advice and criticism received following the broad and unworkable first draft decree and this is good news.  Whether this will ultimately be reflected in the final decree however still remains to be seen.

 

For more information about the Cyber-security Law in Vietnam, please contact Giles at GTCooper@duanemorris.com, Le Hau at HNLe@duanemorris.com. Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.

Draft Decree to implement Cybersecurity Law doesn’t dampen concerns

A draft Decree to implement Vietnam’s controversial Cybersecurity Law does little to assuage fears that all online commercial activity will be within its scope, mandating physical presence in Vietnam, expensive, cumbersome data localization and even a new permit.

 

Last June, Vietnam’s National Assembly overwhelmingly passed the Cybersecurity Law and it will take effect on 1 January 2019.  Despite assurances from the Ministry of Public Security (MPS) – author of the Law – that the Law is aimed at ensuring online security and protecting critical information infrastructure, its wide and unclear language caused concern for online commercial service providers whose activities are captured by its scope and worried about the cost and other implications of compliance, particularly with respect to commercial presence and data localization obligations.

 

Since the Law’s approval, many have been waiting to see the government Decree that will effectively interpret and implement the Law.  The Decree will determine whether and how the Law will truly impact online commercial activity.  Will it be business as usual for online commerce, as promised by a government that publicly embraces Industry 4.0, or will data hosting services and compliance officers be working overtime?

 

During the first half of October, two different versions of the draft Decree came into the public sphere. The latest draft, dated 11 October 2018, contains 66 clauses, touching on almost every single issue and clause of the Law itself.  While draft Decrees can and do change, the signs are that restrictions and headaches will remain for companies with online business activities.

 

Take, for example, the question of who will need to establish a commercial presence in Vietnam.  Under the Law, companies providing any kind of services related to or via telecommunication networks or the Internet, and which collect, process, analyze, or exploit the personal data of users in Vietnam (regardless of nationality) will need to establish a representative office or a branch in Vietnam (Article 26.3).  Many wondered whether this was intended to apply to every single company falling within the very broad criteria.  For example, would a bank in Ireland offering online banking services used by a handful of Vietnam-based users be subject to this requirement?  It would seem unnecessary and wholly impractical to say so.  The draft Decree however seems to support such a view.  According to Article 60 of the draft Decree, all companies providing “services through the Internet” will be subject to the requirement to establish a commercial presence in Vietnam (in the form of a branch, a representative office or other type of “establishment”).  “Services through the Internet” is understood very broadly by the draft Decree to include anyone providing: (1) internet connection services, (2) internet access services, (3) data storage, (4) social network, (5) over the top services (think, Netflix), (6) e-commerce, (7) banking and finance, (8) messaging and teleconference services, (9) live chat services, (10) search engines, (11) games, films, music.

 

While this clarifies and elaborates the Law’s general drafting, the long list is troubling as it clearly covers not only tech giants such as Facebook, Twitter, and Google, but also companies simply having auxiliary Internet-based services or the Irish bank in our example.

 

In a similar vein, the draft Decree sheds more light on the data localization rules but does little to assuage fears that the regulations are for the sake of regulation rather than based on risk analysis and purpose-driven policy.  According to Article 61 of the draft Decree, certain personal data will need to be stored in Vietnam by companies for the lifetime of the business, while certain other personal data need only be stored for three years from the date of creation. At any time, the MPS may request companies to provide copies of such data.  On the plus side, there is no indication that companies cannot transfer data abroad, provided they also maintain it in Vietnam. The list of personal data that companies need to store in Vietnam is extensive, including typical information such names, addresses and photos but also extending widely to include biometrics, financial records, health records, political views, and philosophical beliefs (items that need to be stored for the lifetime of the business).  Further information looks worrisome from a civil liberties perspective, including chat logs, and search histories, which will need to be stored for at least three years from creation.

 

Aside from the regulatory compliance burden, these requirements may put companies into difficult positions if they face conflict complying with their own local regulations prohibiting the transfer of data to foreign governments (take, for example, the US CLOUD Act).

 

A brand new element introduced by the draft Decree is an obligation on companies subject to the Law to obtain a special permit from the MPS prior to providing services in Vietnam.  No such requirement is included in the Law itself and this calls into question the legality of the MPS ‘creating’ this new permit obligation.  It’s cause for serious concern if this remains in the final Decree, not least of all because there is no guidance or explanation on procedures, information or timeline required to obtain such a permit.  It is also entirely unclear if this new permit obligation will apply retrospectively to companies already doing business in Vietnam over the Internet.  Any way you look at it, this is harmful for the business environment in Vietnam and contrary to the message delivered by the MPS and government in consultations and meetings about the Law.

 

The only good news in the draft Decree seems to be the decision that companies will have a full year to comply with the Law, meaning, in effect, that even though the Law takes effect on 1 January 2019, companies won’t need to be compliance until January 2020.

 

Time will tell what ultimately stays in and out of the Decree.  The draft is expected to be finalized and formally adopted by the government in the next weeks.

 

For more information about the Cybersecurity Law in Vietnam, please contact Giles at GTCooper@duanemorris.com, Le Hau at HNLe@duanemorris.com. Giles is co-General Director of Duane Morris Vietnam LLC and branch director of Duane Morris’ HCMC office.