Draft Cybersecurity Decree issued in Vietnam

What impact will it have on data regulations?

Introduction

As the call to ensure national security in cyberspace has grown, the Vietnamese government issued the controversial Law on Cybersecurity (CSL) on 12 June 2018, with it due to come into effect on 1 January 2019.

There are two main issues in the CSL worrying the data industry: a data localization requirement and the compulsory establishment of branches and representative offices (Data Localization and Presence Establishment Requirement).

However, as the CSL has ambiguous wording on the two issues, the Ministry of Public Security (MPS) worked on a draft decree guiding the implementation of the CSL and published their second draft on 31 October 2018 for public consultation. The Draft Decree provided guidance on:

  • the compilation and protection measures for the list of important information on national security;
  • the protocol against cybersecurity emergency breaches;
  • action plans to ensure cybersecurity in government agencies; and
  • the Data Localization and Presence Establishment Requirement (Articles 24, 25 and 26).

Proposed changes on the Draft Decree

In this update, we would like to focus on the issues around data. While Articles 24 and 26 of the Draft Decree clarified the type of information to be stored and its term of storage in Vietnam, Article 25 of the Draft Decree set out the conditions that trigger the Data Localization and Presence Establishment Requirement.

Type of information to be stored and its term

We set out the relevant information and the corresponding terms of storage in Vietnam:

 

| No. | Type of information | Term of storage (at minimum) |
|-----|---------------------|------------------------------|
| 1 | Full name, date of birth, place of birth, nationality, occupation, job titles, residential address, contact address, email, phone number, ID card number, personal identification number, passport number, social insurance number, credit card number, health status, medical records, biometric data | Permanent (depending on the operating time of the data processor or stoppage of services) |
| 2 | Vietnamese user-created data, including the type of data to be uploaded, synchronised or copied from devices | 36 months |
| 3 | Data on the relations of Vietnamese users, including friends, groups that the users connected to or interacted with | 36 months |
| 4 | Network logs | 12 months |

 

Clarification of the businesses involved

Article 25 of the Draft Decree clarified that telecommunication networks, the Internet and value-added services on cyberspace in Vietnam are to be subject to the Data Localization and Presence Establishment Requirement. The list includes telecommunication services, hosting and sharing data on cyberspace, providing national or international domain names for service users in Vietnam, E-commerce, online payment, payment intermediation, mobility services via cyberspace, social network and social media, online video games and email. This demonstrates to the public the potential reach of the CSL on the data industry.

Reduced burden on Data Localization and Presence Establishment Requirement

Article 26.3 of the CSL stipulated that the government would impose a Data Localization and Presence Establishment Requirement on all entities who:

  • provide services on telecommunication networks, the Internet and value-added services on cyberspace in Vietnam; and
  • collect, exploit, analyse and process users’ personal data, data on relationships of the service users, and user-created data in Vietnam.

In contrast, Article 25 of the Draft Decree sets two more conditions for imposing the requirement. Specifically, the entities must also:

  • allow their users to conduct prohibited acts in cyberspace (including publication of anti-State or immoral messages, subject to Articles 8.1 and 8.2 of the Law on Cybersecurity); and
  • disobey the competent authorities or fail to comply with their requests (including information disclosure or taking down certain contents in 24 hours).

In short, this means the relevant entities would need to have violated the CSL before the Data Localization and Presence Establishment Requirement is imposed upon them. Looking at it optimistically, it is the public backlash against the CSL which has influenced the lawmakers to limit the scope of the requirement by imposing further conditions. However, many data processing giants (especially social networks) may not escape the CSL because of the increased regulatory expectation of moderating content in the networks or complying with the requests from the authorities.

Unclear sanctions against violations

If the entities met all four conditions set out in Article 25 of the Draft Decree, they would be requested by the Minister of the MPS to comply with the Data Localization and Presence Establishment Requirement. Although the article stated that failure to comply may be subject to sanctions, it did not specify them. It is usual that the government would issue a separate decree on administrative sanctions against violations in a particular field. However, it is unclear how the government could issue sanctions against companies having no commercial presence in Vietnam (in particular, for the failure to open branches or representative offices or store data in Vietnam).

Conclusion

In the meantime, the Draft Decree is attracting wide attention from the public, and the MPS is accepting public consultation on this draft until 2 December. It is expected that the finalised decree would be issued after the effective date of the CSL. Although this draft made great attempts to clarify the implementation of the CSL, it remains to be seen how the public can contribute further to the draft and, perhaps more importantly, how receptive the MPS will be to considering and accepting changes.