As this eventful year for new privacy and cybersecurity regulations winds down, multinational companies still need to look ahead to new regulations that will come online in 2019, including Vietnam’s Law on Cybersecurity.
Unlike the California Consumer Protection Act (CCPA) and other cybersecurity laws passed this year that were inspired by the European Union’s General Data Protection Regulation (GDPR), Vietnam’s law shares more similarities with China’s cybersecurity law. As in China, Vietnam’s cybersecurity legislation focuses less on individual rights and more on giving the government the ability to control the flow of information and to protect critical infrastructure.
Passed in June of this year, Vietnam’s law will go into effect in January, although a draft decree recently issued by the Vietnamese government will likely delay certain requirements, including those related to data localization and mandatory commercial presence of foreign companies covered under the law.
When and where does the law apply?
Like the GDPR and CCPA, Vietnam’s cybersecurity law creates obligations for companies inside and outside of its borders, particularly through its data localization requirement. However, unlike the GDPR and CCPA, the law also requires such companies to set up a representative office or branch in the country through its commercial presence requirement. These requirements (discussed in further detail below) apply to any domestic or foreign entity that provides services on a telecommunications network or the Internet, or in “value-added” industries in Vietnam, and that also collects, processes, exploits or analyzes personal data on users, data created by users in Vietnam, or data about user relationships.
The law imposes these obligations in general on all agencies and businesses that provide services in “cyberspace,” which according to the draft decree is likely to mean that at least the following industries and services are impacted: telecommunication companies; companies that host or share data like cloud service providers; companies that provide national or international domain names for service users in Vietnam; e-commerce sites; online payment companies; payment intermediation; transportation applications; social networking and social media; and online video games.
Following the trend, led by the GDPR, toward expansive definitions of personal information, Vietnam similarly defines personal information broadly as information in connection with identifying a specific person. The draft decree does not amend the definition, but further clarifies that personal information includes information such as a person’s name, medical records and biometric data. Along with personal information, the law also protects data created by the user’s uploads, data about user relationships (which most likely refers to social media connections), and system logs.
What are the requirements of the law?
Vietnam’s cybersecurity law creates several potentially onerous obligations on the part of covered entities.
First, covered entities must comply with the law’s data localization requirement. Under this rule, relevant types of user data covered by the law must be stored in Vietnam for a specific time period depending on the type of data collected. Data on users’ personal information must be stored in Vietnam during the lifetime of the covered entity or as long as the covered entity operates its service in cyberspace in the country. Data uploaded by users and data about user relationships must be stored for at least 36 months, and system logs must be stored for at least 12 months. The law remains unclear on whether in-country storage is exclusive (as in China) or whether only a copy needs to be stored in-country (as is the case in Russia).
Second, the law requires covered entities to comply with any government request to delete data Vietnam deems illegal. The law identifies various categories of illegal data, most of which are forms of criticism against the Vietnamese government or invented or untruthful information in certain sectors, such as finance, banking, e-commerce, e-payment, etc. Compliance with the law requires covered entities to remove illegal content within 24 hours of receiving notification from the government and to potentially take other remedial steps (such as prohibiting the data user from accessing the covered entity’s services in the future) if required.
Third, the law requires certain covered foreign businesses to establish local offices in Vietnam. The original iteration of the law required all covered foreign businesses to establish local offices, but the most recent draft decree limits the scope. Now, according to the Vietnamese government, companies that have allowed users to conduct “prohibited acts” as prescribed in Articles 8.1 and 8.2 of the law might be required to comply. Examples of these prohibited acts include conducting a cyber-attack that compromises Vietnamese national security and public order; providing false information which causes confusion among Vietnamese citizens or disrupts socioeconomic activities; and distorting history.
In addition, covered companies that have breached the provisions of Article 8.4, Article 26.2(a) or Article 26.2(b) may also be required to establish a local office. The two obligations to be most aware of here are to comply with a government request to remove illegal information and not to oppose or obstruct the activities of a Cybersecurity Task Force (CTF) under Vietnam’s Ministry of Public Security.
Fourth, for the first time, Vietnam has a data breach notification requirement that requires companies to notify users directly if their data has been breached, damaged or lost. The law also requires prompt notification to the CTF under certain circumstances. Accordingly:
- any agency, organization or individual which detects any indication or any act of cyberterrorism or an otherwise dangerous cybersecurity situation must promptly notify the CTF;
- an information system administrator is responsible for notifying the CTF upon discovery of any breach of the law on cybersecurity on an information system within the scope of his/her managerial authority; and
- information system administrators and cyberspace service providers are responsible for promptly notifying and coordinating with the CTF to deal with information on their information systems, or on services provided by them, which causes harm to children.
Failure to comply with any of the provisions of the law can lead to administrative, civil and criminal penalties subject to the nature and seriousness of the violations.
The draft decree issued in early November is now open to a two-month public comment period, and it indicated that companies will likely have a 12-month grace period from the effective date of the law to comply with the rules on data localization and commercial presence in Vietnam. The rest of the law, however, is set to take effect in January 2019—a little less than a month from now. Accordingly, companies operating in Vietnam should make sure they have the plans, programs and policies in place, or well underway, to ensure compliance.