On 6 June 2017, the first draft of the Law on Cybersecurity (“Draft Law”) was released for public consultation between 8 June and 8 August 2017.
According to the proposal on the Draft Law by the Ministry of Public Security ("MPS"), the current legal landscape is insufficient to address Vietnam's cybersecurity concerns. The Draft Law confers the MPS with broad powers on governing cybersecurity matters, including developing cybersecurity strategies; issuing implementing regulations under the Draft Law; addressing prohibited content and anti-government activities; overseeing the conformity of cybersecurity products and services; and supervising cybersecurity activities of telecoms and Internet service providers, etc.
Depending on how the Draft Law will eventually be implemented, many businesses, particularly telecoms and Internet companies, may find these measures onerous and impractical. We have highlighted the key points of the Draft Law below.
1.1. Both onshore and offshore organizations and individuals likely covered
The Draft Law appears to broadly apply to both onshore and offshore organizations and individuals that are directly involved in or related to the management, provision, or use of cyberspace and the protection of cybersecurity of the Socialist Republic of Vietnam.
1.2. Suspension of websites handling illegal cyber information
The Draft Law contains specific requirements to address information on cyberspace that incites any mass gatherings that disturb security and order, and anti government activities on cyberspace, etc.("Illegal Cyber Information").
Websites or web portals hosting Illegal Cyber Information may be subject to temporary suspension or withdrawal of operating licenses. The Draft Law, however, does not provide any notice or take down mechanism for the website or web portal to undertake before being subject to this measure. As such, these requirements appear to make platform operators liable for the content posted by their users.
1.3. Broad requirements relating to cybersecurity emergency incidents
The Draft Law provides a broad list of cybersecurity emergency incidents, such as a cyber attack or intrusion against the State or information systems critical to national security ("Critical Systems").
The Draft Law also requires "organizations and individuals" to cooperate with and provide support to the authorities in cases of cybersecurity incidents. The scope of cooperation appears to be quite broad, ranging from collecting, analyzing, forecasting, and reporting relevant information, to providing personnel and means to prevent and eliminate cybersecurity risks, etc.
1.4. Critical Systems
Appraisal / reviewing requirements for the supply of products and services for use in Critical Systems
Before buying products and services for use in Critical Systems, administrators of the Critical Systems must have the products and services reviewed / appraised by the competent agency under the MPS or by a professional organization authorized by the MPS. However, the Draft Law contains no detail on any review / appraisal procedures, as well as on any objective criteria to establish whether a specific product or service is fit for use in Critical Systems.
It is unclear when an information system develops to a point that it is critical to national security and social order, and thus constitutes a "Critical System". Neither is it clear whether Critical Systems cover State owned systems only or include private systems as well.
The Draft Law requires administrators of Critical Systems to store personal data and critical data within the national territory of Vietnam. For movement of such data outside Vietnam, an assessment on the level of security must be done according to regulations by MPS or other existing laws (if any). "Critical data" is also not defined.
1.5. Ceasing to provide cyber information
The Draft Law entitles the MPS to propose to the Government of Vietnam to cease the provision of cyber information at certain locations to respond to or remedy cybersecurity incidents for protecting national security, social safety, and order.
This provision, if arbitrarily applied, could disrupt the flow of information on cyberspace.
1.6. Business License for providing cybersecurity assurance services
The Draft Law introduces the concept of "cybersecurity assurance services" ("CAS"), which partially overlaps with the concept of cyber information security services under Article 41.1 of the Law on Cyber Information Security ("LOCIS"). CAS includes cybersecurity services relating to audit, assessment, consultancy, supervision, prevention, and testing.
A license from the MPS is required for the business of providing CAS. The Draft Law further states that this law will prevail in cases of overlap with the LOCIS.
1.7. Commercial presence and server localization
The Draft Law requires foreign suppliers of telecom services and Internet services to obtain operation licenses, locate a "representative agency" in Vietnam, and locate the server that manages Vietnamese users' data in the territory of Vietnam.
The concept of "telecom services" and "Internet services" are repeatedly used throughout the Draft Law without being defined. If "telecom services" and "Internet services" covered by the Draft Law are too broad, the Draft Law could be inconsistent with relevant WTO commitments, as the cross border supply of certain telecom services are not restricted by the Vietnam WTO Services Schedule.