New Draft Cybersecurity Law 2017

More data has been created in the past few years than in the entire previous history of the human race. In 2002, 100 GB of data was created every second. By 2014 this had become 30,000 GB per second, and by 2018 it is projected to grow to 50,000 GB per second. The significance of data in our daily lives as well as in business has resulted in an exponential rise in its value, with many now referring to "Big Data" as the new oil. Due to this meteoric rise, we have also seen significant growth in the number of cybercriminals actively trying to acquire private data through cybercrimes and cyberattacks.

The consequences and aftermath that follow a cybercrime or cyber attack are not pretty. The impact on victims, whether they be a company, government entity or an individual, can be severe and long-lasting. A cyber attack against a state could cripple its infrastructure. A loss of corporate data, which could include contracts, supplier details, plans, designs or formulas, may seriously damage the company's business and reputation. If customer data is also stolen, it may violate local data privacy laws, which could lead to fines, business suspension or worse.

This is of particular concern for Vietnam, which consistently ranks low in various regional and global cybersecurity indexes and reports. The Global Cybersecurity Index in 2015 ranked Vietnam 76th out of 196 countries globally. Vietnam has also been found to be the sixth most affected by phishing attacks. To combat this problem, the Vietnamese government and its relevant ministries have been enacting a myriad of cybersecurity laws over the last 18 months. Its most recent measure is the drafting of a new Cybersecurity Law ("Draft Law").

1. Background and overview

According to the proposal on the Draft Law by the Ministry of Public Security ("MPS"), the current legal landscape is insufficient to address Vietnam's cybersecurity concerns.
The Draft Law confers broad powers on the MPS to govern cybersecurity matters, including developing cybersecurity strategies; issuing implementing regulations under the Draft Law; addressing prohibited content and anti-government activities; overseeing the conformity of cybersecurity products and services; and supervising cybersecurity activities of telecoms and Internet service providers, etc. Depending on how the Draft Law will eventually be implemented, many businesses, particularly telecoms and Internet companies, may find these measures onerous and impractical. We have highlighted the key points of the Draft Law below.

Baker McKenzie July 2017

1.1. Both onshore and offshore organizations and individuals likely covered

The Draft Law appears to broadly apply to both onshore and offshore organizations and individuals that are directly involved in or related to the management, provision, or use of cyberspace and the protection of cybersecurity of the Socialist Republic of Vietnam.

1.2. Suspension of websites handling illegal cyber information

The Draft Law contains specific requirements to address information on cyberspace that incites any mass gatherings that disturb security and order, and anti-government activities on cyberspace, etc. ("Illegal Cyber Information"). Websites or web portals hosting Illegal Cyber Information may be subject to temporary suspension or withdrawal of operating licenses. The Draft Law, however, does not provide any notice or take-down mechanism for the website or web portal to undertake before being subject to this measure. As such, these requirements appear to make platform operators liable for the content posted by their users.

1.3. Broad requirements relating to cybersecurity emergency incidents

The Draft Law provides a broad list of cybersecurity emergency incidents, such as a cyber attack or intrusion against the State or information systems critical to national security ("Critical Systems").
The Draft Law also requires "organizations and individuals" to cooperate with and provide support to the authorities in cases of cybersecurity incidents. The scope of cooperation appears to be quite broad, ranging from collecting, analyzing, forecasting, and reporting relevant information, to providing personnel and means to prevent and eliminate cybersecurity risks, etc.

1.4. Critical Systems

Appraisal / reviewing requirements for the supply of products and services for use in Critical Systems

Before buying products and services for use in Critical Systems, administrators of the Critical Systems must have the products and services reviewed / appraised by the competent agency under the MPS or by a professional organization authorized by the MPS. However, the Draft Law contains no detail on any review / appraisal procedures, or on any objective criteria to establish whether a specific product or service is fit for use in Critical Systems. It is unclear when an information system develops to a point that it is critical to national security and social order, and thus constitutes a "Critical System". Neither is it clear whether Critical Systems cover State-owned systems only or include private systems as well.

Data localization

The Draft Law requires administrators of Critical Systems to store personal data and critical data within the national territory of Vietnam. For movement of such data outside Vietnam, an assessment of the level of security must be done according to regulations by the MPS or other existing laws (if any). "Critical data" is also not defined.

1.5. Ceasing to provide cyber information

The Draft Law entitles the MPS to propose to the Government of Vietnam to cease the provision of cyber information at certain locations to respond to or remedy cybersecurity incidents for protecting national security, social safety, and order. This provision, if arbitrarily applied, could disrupt the flow of information on cyberspace.

1.6. Business License for providing cybersecurity assurance services

The Draft Law introduces the concept of "cybersecurity assurance services" ("CAS"), which partially overlaps with the concept of cyber information security services under Article 41.1 of the Law on Cyber Information Security ("LOCIS"). CAS includes cybersecurity services relating to audit, assessment, consultancy, supervision, prevention, and testing. A license from the MPS is required for the business of providing CAS. The Draft Law further states that this law will prevail in cases of overlap with the LOCIS.

1.7. Commercial presence and server localization

The Draft Law requires foreign suppliers of telecom services and Internet services to obtain operation licenses, locate a "representative agency" in Vietnam, and locate the server that manages Vietnamese users' data in the territory of Vietnam. The concepts of "telecom services" and "Internet services" are repeatedly used throughout the Draft Law without being defined. If the "telecom services" and "Internet services" covered by the Draft Law are too broad, the Draft Law could be inconsistent with relevant WTO commitments, as the cross-border supply of certain telecom services is not restricted by the Vietnam WTO Services Schedule.

* * *

As mentioned, Vietnam's cybersecurity challenges are significant. As there is an evolving legal landscape on this issue, it is important that, before new laws are adopted, the effects and potential negative impacts on businesses and industry are well considered. To effectively combat cybersecurity risks, private industry involvement is essential. Implementing regulations that limit market access for experienced foreign suppliers and requirements that deter investment in Vietnam could ultimately undermine the objective of cybersecurity and expose Vietnam to greater risk.