Vietnam – Flurry of regulatory activity under Law on Information Security to impact companies engaged in digital economy. 1. Background The first comprehensive law regulating cyber security in Vietnam, the Law on Online Information Security ("LOIS"), was adopted by the National Assembly of Vietnam on 19 November 2015 and took effect on 1 July 2016. LOIS will be supported and implemented by Government decrees, regulations and decisions promulgated by the Prime Minister, all of which will impact companies engaged in the Vietnamese digital economy. 2. Draft Regulations under LOIS The following are in draft form and currently expected to pass at some point in 2016: • Government Decree Detailing Guidance on the Prevention of Online Information Conflict (drafted by the Ministry of Defence); • Government Decree Detailing the Responsibilities and Preventative Measures Against Use of the Network Environment for Terrorism (drafted by the Ministry of Public Security); • Prime Ministerial Decision to Promulgate a Rescue Plan in the Event of a National Information Network Disaster (drafted by the Ministry of Information and Communications); and • Prime Ministerial Decision to Promulgate a List of Information Systems of National Importance (drafted by the Ministry of Information and Communications). 3. Recent Decrees under LOIS Adopted The following three Decrees were both adopted and took effect on the same day as LOIS, including: • Decree No. 58/2016/NĐ-CP, which regulates the conduct of civil cryptography product/service business and export/import of civil cryptography products ("Decree No. 58"); • Decree No. 108/2016/NĐ-CP, which outlines the necessary conditions an entity must meet in order to obtain a business license to trade in network information security products and services ("Decree No. 108"); and • Decree No. 85/2016/NĐ-CP, which regulates security categorizations of information systems ("Decree No. 85"). The final version of Decrees No. 108 and 85 have only just been circulated. Please stay tuned for an update on these in the next LegalBytes. Decree No. 58, which we discuss below, may have significant impact on companies involved in the import, export, distribution, and use of products using encryption in Vietnam. Decree No. 58 on Civil Encryption Products and Services 1. Background The LOIS lists the following as "Cyber Information Security Products" ("CISPs"): i. Civil encryption products ("CEPs") ii. Products for cyber information security testing and evaluation; iii. Products for cyber information security surveillance; iv. Anti-attack and anti-hacking products; and v. Other CISPs to be promulgated by the Government (currently not yet available) LOIS also broadly provides a list of Cyber Information Security Services ("CISS") which includes inter alia civil encryption services ("CESs"). LOIS tasks the Government's Cypher Committee ("GCC"), a government agency under the Ministry of National Defense, with regulating CEPs and CESs. All other types of CISPs and CISSs are to be regulated by the MIC. According to LOIS, the Government must issue a list of CEPs and CESs, the trading of which requires a business license. The Government is also tasked with issuing a list of CEPs, the import and export of which requires an import permit and an export permit. Below is our summary of Decree No. 58's key content. 2. CEPs and CESs subject to Business License Requirement – Broad Coverage with Limited Exceptions that Partly Resemble Wassenaar Arrangement Exemptions Appendix I of the Decree No. 58 provides the lists of CEPs and CESs, the trading of which requires a business license. a. CEPs List – Covering both Tangible and Intangible Products CEPs include systems, equipment, modules, and software applications specially designed for information security, using asymmetric or symmetric algorithms. The CEPs list includes eight broad categories of products, ranging from: i. CEPs for encryption key generation, ii. CEPs for protecting PKI systems, to iii. CEPs for protecting various types of data, e.g., online data transmission, IP streams and channels, analog and digital voice data, radio transmission, fax, telex. b. CEPs Exempt from Business License – Core Function Assessment and Product Specific Exception According to Appendix I, businesses are not required to apply for or operate with a business license in nine specific circumstances. To a certain extent, these exceptions appear to resemble the mass market exception and other exceptions to category 5A002 (Information Security) maintained by jurisdictions which are members to or voluntarily comply with the Wassenaar Arrangement on Export Control for Conventional Arms and Dual-Use Goods and Technologies. For example, a business license is not required for the trading of operating systems, Internet browsers, integrated circuits, and software applications that i. are embedded with encryption (the encryption function for information security is not the core function of these products), ii. are generally in use [by the public], and iii. can be installed by the user without any support from the supplier. Similarly, a business license is not required for the trading of information technology/ products such as notebooks, smart phones, DVD players, digital cameras and other civil electronic products, that i. are generally in use [by the public], and ii. have an information security function involving the use of encryption that is (a) not its core function, and (b) is already embedded in the products, such that no further support is required. Exemptions also apply to certain types of smart cards, mobile phones without end-to-end encryption capability, IP protection products, authentication products, cordless equipment, Personal Area Network wireless equipment, and medical application products. c. CESs List The following three categories of CESs are subject to the business license requirement: i. information security services using CEPs, ii. CEPs testing and evaluation services, and iii. information security consultancy services using CEPs. 3. List of CEPs Subject to Import/Export Permit Requirements Appendix II of the Decree No. 58 identifies a list of CEPs by HS codes at 4, 6, or 8 digit levels, the import / export of which is subject to an import / export permit. The list includes certain items under HS headings 84.43, 84.71, 84.73, 85.17, 85.23, 85.25, 85.26, 85.28, 85.29, 85.42, and 85.43. Accordingly, an import/export permit will be required for the import/export of certain types of printers, calculating machines, automatic data processing machines, telephone sets, storage devices, transmission apparatus for radio broadcasting and television, radars, electronic integrated circuits, electrical machinery and apparatus, and their accessories and parts. The third column of this Appendix II provides the description of encryption function, which is largely consistent with the description of CEPs in Part I of Appendix I. However, Decree No. 58 does not specify the relationship between Appendix I and Appendix II. 4. Other Provisions – Licensing Procedures and Applicable Penalties Decree No. 58 details the procedures to obtain, amend, renew, or re-issue a business license. It also provides specific procedures on the issuance of an import/export permit. Decree No. 58 does not specify the term of an import/export permit. It is also unclear whether a bulk import / export permit, i.e., a permit that covers multiple import / export shipments from a pre-approved list of CEPs, can be used. An entity's non-compliance is subject to a fine of up to VND50 million (approx. USD2,500) per infringing act. Supplementary penalties in the form of suspending the right to use the business license and the import/export permit for up to 3 months may also apply for certain types of violations. For more information, please contact Yee Chung Seck or Emily Mahoney.