Internet of Things in Vietnam - Legislation & Practice The Vietnamese Government is investing in developing information and communications technology capacity by providing funding for more than 2,000 startups, including those engaged in what is called the "Internet of Things' ("IoT") .1 Although nebulous, the term encapsulates the increasing trend of machine to machine interconnectivity via the internet. According to Asia IoT Business Platform, significant potential exists for IoT in Vietnam in the areas of: smart cities, industrial and manufacturing, automotive, transport and logistics, big data, cloud and security, agriculture, and banking, finance and e-commerce.2 International and local businesses also recognize these opportunities, evidenced by the July launch of the Hoa Lac IoT Lab— the first of its kind in Vietnam— supported by Hoa Lac Hi-Tech Park, DTT Technology Group, Intel and Dell Vietnam.3 Legal issues Globally, the core risk areas for IoT are likely user privacy and device security. In Vietnam, additional uncertainties exist. For example: how IoT services are legally defined and, as a result, possibly subject to restrictions on foreign investment; lack of specificity in regard to definitions of personal data, its protection, and consequent limits on what companies may do with it once they collect it; and unpredictable enforcement of data protection laws and cybersecurity measures. Challenges for foreign investment - classification of IoT "services" – a telecommunications or information technology service? The absence of enabling legislation and classification of IoT "services," potential restrictions on foreign ownership, and additional requirements for foreign-invested companies in certain sectors, may create obstacles for foreign companies seeking to invest in the IoT industry in Vietnam and consequently hinder development of the sector. In Vietnam, the fact that a law is silent on the provision of certain services does not mean that engaging in the provision of such services is permitted. Activities typically must be "approved," "explicitly permitted" or "licensed." This creates a legal impediment to foreign companies seeking to invest in the IoT industry as the provision of such services is not addressed in the law. Depending on how such service is legally classified, a foreign-invested business may also be restricted or prohibited from operating in Vietnam, or providing the service on a cross border basis, because of market access conditions or limitations under Vietnam's WTO Commitments, and consequently domestic law. If a foreign invested business in the IoT industry was considered to be providing a non-facilities-based telecommunications ("telco") service, it must establish a joint venture ("JV") with a local partner licensed to provide such services.4 As a result of the WTO Commitments and domestic restrictions, foreign ownership in the JV may not exceed 65% of the equity capital, while the remaining 35% must be held by the local partner(s). Local and foreign businesses in Vietnam must obtain an Investment Registration Certificate ("IRC") and Enterprise Registration Certificate ("ERC") before they may operate. As part of this process, the business must detail in their IRC/ERC applications its "investment objectives" and "business lines" of operation.5 This requirement would be regulated during the IRC/ERC application process, in which the company would detail their business lines and be approved or denied to operate accordingly. Otherwise, the foreign-invested service provider's only other legal option is to enter into a commercial arrangement with a local telco to provide the service on a cross border basis.6 Such foreign ownership limits may not appeal to foreign invested companies because of a desire to maintain maximum corporate control. However, whether a foreign-invested company—through its provision of IoT "services"—would be considered to be supplying a non-facilities based telecommunications service and thus subject to such restrictions on foreign investment is unclear.7 A further complication is that the IoT "service" may conversely be considered an IT service under the Law on Information Technology ("IT Law"). The provision of IT services are generally not subject to the foreign ownership restrictions described above. However, if passed, the Draft Decree on Information Technology Services ("Draft IT Decree") may subject foreign invested IoT service providers to additional requirements.8 In light of the lack of clarity, a foreign company seeking to invest in the IoT industry should either make an informed assumption based on market practice, or seek clarification from the Ministry of Information and Communications. However, being forced to make such a choice is a barrier to high technology companies seeking to invest in Vietnam's IoT sector and has served to deter investment from foreign companies. Vietnam privacy and data protection laws – and enforceability Vietnam does not have a single comprehensive law that specifically addresses privacy and data protection across sectors. Relevant provisions are contained in various legislation: the Civil Code, the IT Law, the Consumer Protection Law, the Penal Code, the Telecommunications Law, and the Law on Cyber Information Security ("LOCIS") and their implementing regulations. What constitutes personal data (or as is referred to in Vietnamese legislation, "personal information") and the limits on its protection and use will become an increasingly important question when considering the development of IoT services. As a general rule, information pertaining to individuals that can serve to personally identify that individual should be protected and processed with consent.9 While some decrees provide examples (i.e name, age, address, ID number, phone number, email address) the question is how broadly or narrowly the varying definitions of personal data should be interpreted. For example, is browser generated information, which may not be processed by a commercial entity prior to obtaining a data subject's consent, personal data? The law remains unclear in this regard. While other jurisdictions may employ broad definitions of Personal Data, these are complemented by official guidance (albeit typically not binding) issued by a data commissioner or data protection officer, for example. The European Court of Justice and domestic courts in common law jurisdictions also issue court decisions which serve to further illuminate the contours of privacy and data protection law. In theory, failure to comply with data privacy laws in Vietnam may result in an administrative authority investigation and a fine, penalty or sanction, seizure of equipment or data, civil action, or criminal proceeding. Yet enforceability remains low and, if the courts do find a violation of data protection or privacy law – the public is not made aware. Vietnam is largely a civil jurisdiction; most final decisions and administrative rulings are not made public and the courts do not follow the principle of stare decisis. Vietnam also does not have an authority that issues guidance on, for example, what consumer consent entails or appropriate data retention periods for a data controller ("information-owning entity" in Vietnamese). However under a new Resolution, the Supreme Court will issue 6 new precedential decisions once every 12 months, which may serve to flesh out consumer and business understanding of privacy and data protection law. In future, such change may result in increased legal predictability, including in the IoT industry. Cybersecurity According to news and security sources, IoT-based attacks are on the rise, with many of them originating from Vietnam.10 Four decrees under the recently passed LOCIS largely relate to cybercrime and are expected to pass sometime in 2017.11 The 2015 Penal Code also introduced a section on cybercrime which penalizes the act of using a computer, telecommunications network or electronic means to "deliberately interfere with radio frequency systems in a harmful manner." However, due to technical errors, the Vietnamese Government has postposed the Penal Code's implementation, and has not indicated which sections of the Code are being amended. Whether such legal change will increase consumer privacy protection on their devices and have a positive impact on the development of a strong, secure IoT industry remains to be seen. Action on such issues will not be limited to national borders and Vietnam will likely continue to participate in global initiatives to improve cybersecurity, particularly in light of recent Distributed Denial of Service Attacks originating from IoT devices. In the meantime, Vietnam may also consider requiring device security based on global standards to decrease the potential of IoT-based security breaches and attacks. Outlook In order to exploit the potential benefits of the IoT industry, Vietnam—like other countries—must improve infrastructure, integration, network security and maintenance. Perhaps in recognition of the need to improve communication standards to facilitate the growth of the industry, the government recently granted VNPT, Viettel and Mobile Phone a license to operate on 4G.12 Yet, to support a potentially burgeoning industry in Vietnam, the legal backbone enabling such development to occur and to correspondingly protect consumers in the use of such interconnected devices, must also catch up to technological developments. For more information, please contact Tran Manh Hung and Emily Mahoney. ______________ 1 https://m.vietnambreakingnews.com/2016/10/ho-chi-minh-city-to-unveil-45-million-fund-for-startups/ http://e.vnexpress.net/news/business/ho-chi-minh-city-to-unveil-45-million-fund-for-startups-3488894.html 2 https://iotbusiness-platform.com/iot-vietnam/ 3 https://www.linkedin.com/pulse/vietnam-launches-first-internet-of-things-iot-lab-nguyen?trk=prof-post 4 World Trade Organization, Working Party on the Accession of Viet Nam, Schedule CLX – Viet Nam, Part II - Schedule of Specific Commitments in Services, List of Article II MFN Exemptions WT/ACC/VNM/48/Add.2; 27 October 2006; Art. 4, Decree No. 25/2011/ND-CP 5 Art. 49, Decree 78/2015/ND-CP; Art. 33.2, Decree 118/2015/Nd-CP. 6 Schedule of Specific Commitments in Services, Part II, Schedule CLX-Vietnam, Working Party on Accession of Vietnam, WT/ACC/VNM/48/Add.2 dated 27 October 2006; Art. 3.1, Decree No. 25/2011/ND-CP, 6 April 2011; Art. 1, Circular No. 10/2012/TT-BTTTT, 10 July 2012; Art. 5.1(a), Circular No. 05/2012/TT-BTTTT, 18 May 2012. 7 Art. 9, Decree No. 25/2011/ND-CP, 6 April 2011. An IoT service may be legally defined as any of the following and thus subject to the Telco Law: a telco service, a basic telco service, a value-added telco service, or a "telco application service." A provider of the first three types of service is subject to foreign ownership restrictions and consequently must choose between the above two investment options. The "telcoapplication service" is the only service likely not subject to foreign ownership restrictions. A telco service means a "service that includes the transmission of information between two users or within a group of users of [telco] services, which includes both basic and "value-added services."7 A basic service includes inter alia "data transmission, photo transmission, message, video conference, lease line services, internet connection, and other basic services as stipulated by the Ministry of Information and Communications ("MIC"). Value-added services include: "e-mail, voicemail, added value fax, and internet access service, and other value added services prescribed by the MIC." 8 Art. 3.5, Draft Decree on Information Technology Services, 2014. Cloud computing system is defined as "a technical system comprised of internet-connected equipment, hardware and software designed to enable clients to use and exploit jointly information technology resources on internet such as information technology infrastructure, software platform and application software." 9 Article, 3.15, LOCIS ; Decree No. 72/2013/ND-CP dated 15 July 2013, on the management, provision, and use of internet services and online information. 10 https://krebsonsecurity.com/2016/10/iot-device-maker-vows-product-recall-legal-action-against-western-accusers/; https://www.helpnetsecurity.com/2016/09/26/iot-based-ddos-attacks/ 11 The drafts include: the Government Decree Detailing Guidance on the Prevention of Online Information Conflict (drafted by the Ministry of Defence); Government Decree Detailing the Responsibilities and Preventative Measures Against Use of the Network Environment for Terrorism (drafted by the Ministry of Public Security); Prime Ministerial Decision to Promulgate a Rescue Plan in the Event of a National Information Network Disaster (drafted by the Ministry of Information and Communications); and Prime Ministerial Decision to Promulgate a List of Information Systems of National Importance (drafted by the Ministry of Information and Communications). 12 On 14 October 2016; http://mic.gov.vn/Pages/TinTuc/133085/MobiFone-chinh-thuc-duoc-cap-phep-4G.html.