The Government of Vietnam recently issued Decree No. 27/2018/ND-CP ("Decree No. 27") to amend and supplement Decree No. 72/2013/ND-CP dated 15 July 2013 on the management, provision, and use of Internet services and online information ("Decree No. 72"). Decree No. 27 took effect on 15 April 2018.
Notable updates are below:
1. Consolidated regulations from Circulars
Decree No. 27 contains consolidated provisions from the following implementing Circulars of Decree No. 72:
- Circular No. 23/2013/TT-BTTTT dated 24 December 2013 of the Ministry of Information and Communications ("MIC") regulating public Internet access point and public gaming point;
- Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the MIC regulating the use of Internet resources;
- Circular No. 09/2014/TT-BTTTT dated 19 August 2014 of the MIC providing detailed regulations on the management, provision and use of information on aggregated information websites and social networks ("Circular No. 09"); and
- Circular No. 24/2014/TT-BTTTT dated 29 December 2014 of the MIC providing detailed regulations on the management, provision and use of online game services.
In general, licensing conditions and procedures as set out in the aforementioned Circulars have been consolidated into Decree No. 27. Decree No. 27 offers certain amendments, such as:
- Time frames for licensing procedures for aggregated information websites, social networks and online games have decreased (as per Articles 23e, 23h, 32e). For example, the timeframe for issuing licenses for aggregated information websites is now 15 working days instead of 20 working days.
- Removal and/or amendment of several business conditions regarding the provision of online game services (as per Articles 32a, 32c). For example, the requirement for G1 online service providers to have a manager of online game activities with a university degree or higher has been removed.
Certain requirements for aggregated information websites and social networks in Circular No. 09 are consolidated, updated and elevated to Decree No. 27.
2. Consolidated requirements for aggregated information websites and social networks
2.1. User authentication requirements:
Decree No. 27 requires aggregated information websites and social networks to have a technical system that is able to register and store personal information of their members and to authenticate the service users via SMS or email messages when such member registers use the service or want to amend personal information.
The personal information that needs to be registered and stored includes full name; date of birth; ID card/citizen identity card/passport number and its date and place of issuance; phone number and email address (if any).
If the Internet user is under 14 years old and does not have an ID card/citizen identity card/passport, the legal guardian of this person will decide on using the personal information registration of such guardian to express consent and responsibility before the law for registration.
2.2. Content management requirements:
Aggregated information websites and social networks are required to set up a warning mechanism in case their members post illegal content (filter). In the event of illegal content being posted on their platforms, aggregated information websites and social networks must have a coordinating mechanism to remove illegal content within three (3) hours after the aggregated information websites and social networks discover such illegal content or receive takedown requests from the MIC or licensing authorities via written documents, telephone or email.
Aggregated information websites are also required to authenticate the sources of information and to have a mechanism to manage and verify information before and after publishing.
2.3. Local server requirement:
Aggregated information websites and social networks must have at least one server system based in Vietnam that allows investigation, verification, storage and provision of information at any time.
2.4. Data retention:
- For aggregated information websites: Content of aggregated information must be stored for at least 90 days from the date of publishing. Data processing logs must be stored at least two (2) years from the date of publishing.
- For social networks: Information regarding accounts, date and time of signing in/out of accounts, IP addresses of users and data processing logs of the published information must be included.
However, as it is unclear under Decree No. 72 whether the current requirements would apply to offshore entities, it is also unclear whether the new amendments and supplements to these requirements would apply to offshore entities.
3. Suspension and revocation of license to establish an aggregated information website, social network, or online game service
Pursuant to the amended Articles 23 and 33d of Decree No. 72, authorities may suspend an entity's license to establish an aggregated information website or a social network or license to provide online game services ("Business License") if:
- Such entity commits a "prohibited act" under Article 5.1.(d), (dd) or (e) of Decree No. 72 (for example, spreading false information and/or damaging the reputation or dignity of individuals and/or organizations); or
- Such entity does not follow certain licensing business conditions or requirements as set out under Decree No. 72 and Decree No. 27.
The entity will have ten (10) days to remedy such issue and, failing to do so, will have their license suspended for three (3) months.
Authorities may also revoke an entity's Business License if:
- Such entity commits a "prohibited act" under Article 5.1.(a), (b) or (c) of Decree No. 72 (for example, inciting violence); or
- The Business License of such entity has been suspended twice.