- Domestic and foreign companies providing services over telecom networks or the internet or value-added services in cyberspace in Vietnam must:
- authenticate users’ information upon registration;
- keep user information confidential;
- cooperate with Vietnamese authorities to provide information on their users when such users are investigated or deemed to have breached laws on cybersecurity;
- prevent and delete “anti-state,” “offensive” or “inciting” contents from their platforms within 24 hours after receiving a request from competent authorities;
- store in Vietnam within certain time limits (which are to be further prescribed in detail by the government) users’ personal information, data on service users’ relationships, and data generated by service users in Vietnam (definitions and scopes of all such user-related data are not clearly provided under the law); and
- for foreign service providers in particular, establish branches or representative offices in Vietnam.
It is worth noting that, under the version of the law adopted by the National Assembly, the restrictions on cross-border transfer of Vietnamese users’ information outside of Vietnam (which appeared in earlier drafts of the law and which were a concern of the business community) seem to have been removed. Under the adopted version of the law, under one interpretation, both onshore and offshore online service providers appear to no longer be required to “only” store their users’ information inside Vietnam and comply with certain assessment procedures before transferring “critical data” outside of Vietnam. The adopted version of the law seems to relax these restrictions by requiring the online service providers to store the Vietnamese users’ information within Vietnam for a certain period of time. However, during the statutory retention time, the law does not appear to expressly prohibit the online service providers from duplicating the data and transferring/storing such duplicated data outside of Vietnam.
This data localization requirement will surely create additional burdens for foreign online service providers supplying services to customers in Vietnam. Moreover, foreign online service providers are also required to establish a branch or representative office in Vietnam if, during the provision of services, they “collect, exploit, analyze or process” Vietnamese users’ information.
Another requirement found in previous drafts, that offshore service providers must locate servers in Vietnam, has been removed from the final version. However, by requiring offshore service providers to “store” Vietnamese users’ information in Vietnam, the offshore service providers, as a practical matter, will likely need to locate servers in Vietnam, either by directly owning/operating the servers or leasing servers owned/operated by other service providers in Vietnam, to store such information.
Any onshore and offshore online service providers wishing to provide services to customers in Vietnam need to assess the Cybersecurity Law and prepare themselves to comply with these requirements before they take effect on January 1, 2019.
Currently, there are various issues that are unclear under the Cybersecurity Law, such as the penalties for non-compliance with these requirements and measures for the Vietnamese authorities to enforce offshore service providers. One question is whether the government should exclude foreign online service providers who have a small number of subscribers in Vietnam from the requirements on data localization and establishment of business presence in Vietnam, as it seems impractical for these companies to invest and comply with these requirements.
Time will be needed for the Vietnamese government to prepare to implement the Cybersecurity Law. The expectation is that subordinate legislation will soon be issued to clarify the details on the implementation of the Cybersecurity Law.