It is expected that a new Law on Cyber-Security will be debated and adopted at the May 2018 session of Vietnam’s National Assembly. A draft of the new law (“Draft Law”) was debated at the last session of the National Assembly, and various conference committee meetings and consultative workshops have been held over recent months to iron out some of its key points.

Concerns have been expressed that the Draft Law has some provisions that are redundant or inconsistent with the existing Law on Network Information Safety and the Information Technology Law. However, through the debates, it seems clear that the authorities believe that a new, more focused law is needed to deal with public security concerns, including the fact that, based on studies and statistics, Vietnam is one of the susceptible countries in the world to cyber-attacks.

One key point of the Draft Law deals with policies toward international providers of telecom and internet services. Specifically, earlier drafts considered requiring foreign service providers to maintain servers in Vietnam, but in the most recent draft, following some focused National Assembly committee sessions in early April 2018, the requirement for maintaining servers in Vietnam was dropped. However, the relevant committees have thus far decided to maintain the requirement that foreign service providers must maintain a “representative” office or presence in Vietnam, and must store user data in Vietnam only.

The National Assembly committees felt that by dropping the in-country server requirement, they could create good conditions for foreign service providers to provide services in Vietnam, and doing so would help ensure consistency with international treaties (such as relevant WTO provisions). Conversely, in deciding to keep the requirements on maintaining the representative presence and in-country user data storage requirements, the National Assembly committees felt that doing so would help maintain national sovereignty over electronic data and would also create conditions for the authorities to effectively take action in the event of cyber-security violations. This could, however, create a substantial barrier to service providers’ cross-border transfer of user data, which could potentially impede the digital economy and the growth of telecom and internet services in Vietnam, as it prevents free flow of data.

During the recent committee working sessions, the National Assembly members noted the importance of building up domestic expertise in cyber-security matters. As a result, the provisions of the Draft Law that relate to increasing education on cyber-security issues have received focus.

While the Draft Law is expected to be adopted next month, more changes may be forthcoming, as lawmakers seek to resolve any controversial provisions, and make sure that the law is consistent with other existing laws.