Vietnam’s Decree No. 72/2013/ND-CP, as amended by Decree 27/2018/ND-CP (referred to collectively as “Decree 72”) regulates internet services and online information, and plays a crucial role in governing significant services such as social networks, online games, and aggregated information websites, as well as key matters like domain names and online information security. Given the rapid pace of development in these areas, Decree 72—having been in effect for nearly a decade—is in need of an update.
The Ministry of Information and Communications (MIC) had initially intended to draft an amendment to Decree 72 in 2021. However, the magnitude of required changes made it impractical to retain the form of an amending decree, leading the MIC to shift its focus toward replacing Decree 72 entirely. As a result, a new draft decree to replace Decree 72 (the “Draft Decree”) was released by the MIC for public consultation from July 17 to September 15, 2023. The Draft Decree is comprehensive, with six chapters, 87 articles, and an appendix of 56 forms.
The following are some of the main issues covered by the new Draft Decree.
1. Social Network Services
Classification and licensing/notification
Social network services include onshore and offshore social network services. Onshore social network services refer to those provided by organizations or enterprises with legal status in Vietnam, and are divided into “high-visitor” or “low-visitor” categories based on number of regular visitors. The high-visitor category includes social networks with total visits of 10,000 or more per month for six consecutive months or with more than 1,000 regular members in a month.
High-visitor onshore social network service providers must obtain a license to provide social network services. Low-visitor onshore social network service providers only need to notify the MIC’s Authority of Broadcasting and Electronic Information (ABEI) and receive the ABEI’s written notification confirmation before providing social network services.
Offshore social network services refer to those provided by foreign organizations or individuals on a cross-border basis. Offshore social network service providers who provide services on a cross-border basis and use data storage leasing services in Vietnam or meet a threshold of 100,000 or more total visit per month from Vietnam for six consecutive months (“regulated cross-border providers”) are subject to more rigorous requirements.
Regulated cross-border providers must notify the ABEI with stipulated contact information (including, for example, the location of the main server system providing the service) within 60 days from the time of reaching the threshold number of total visits.
Both onshore and regulated cross-border social network service providers are required to provide annual or ad hoc reports at the request of the MIC, in accordance with stipulated forms.
Obligations related to identity of Vietnamese users
A new draft provision applicable to both onshore and regulated cross-border social network service providers is the requirement to authenticate social network user accounts via their mobile phone numbers in Vietnam when users register for accounts. This regulation has been proposed by the MIC in response to the growing prevalence of cybercrime, aiming to enhance state management of social networks while also increasing user awareness and responsibility regarding content uploads on the internet. The requirement to authenticate users’ information when users register for accounts is also set out in the Cybersecurity Law (Article 26.2(a)).
Both onshore and regulated cross-border social network service providers are required to store personal information of Vietnamese users, including full name, date of birth, email, and mobile phone number used in Vietnam. It is unclear how this requirement is compatible with the right to delete personal data of data subjects regulated in the new Personal Data Protection Decree, or which law will prevail when there is inconsistency.
Personal information of users must be provided to authorities upon written request to serve the purposes of investigation and handling of violations.
Handling illegal content
Onshore and regulated cross-border social network service providers must actively inspect, monitor, and remove stipulated violating information, services, and applications upon self-discovery of the violations. For onshore social network service providers, there is a 24-hour deadline for removing any violating information, services, and applications upon self-discovery. However, this timeline is omitted with respect to regulated cross-border service providers, possibly due to a drafting error.
Social network service providers both onshore and offshore must prevent and remove violating content, services and applications within 24 hours from the time of a request from the MIC; or immediately remove violating content, services, and applications in cases affecting national security at the request of the MIC. (The Law on Cybersecurity (Article 26.2(b)) also requires foreign organizations and individuals to prevent and remove illegal information within 24 hours from the date of request from the Ministry of Public and Security (MPS) or the MIC. However, the immediate removal in the case of affecting national security at the request of the MIC is a newly proposed regulation.)
Both onshore and offshore social network service providers must temporarily or permanently block social network accounts, community pages, community groups, and content channels that frequently violate or pose threats to national security. Temporary blocking will be applied when these accounts or channels have been found to violate the law at least five times within a 30-day period or at least 10 times within a 90-day period, as per a removal request issued by the MIC. The temporary block must be implemented within 24 hours of the MIC’s request and will last from 7 to 30 days, depending on the number and severity of the violations. A permanent block is to be enforced when such accounts or channels publish illegal content that impacts national security or have previously been temporarily blocked at least three times as per request from the MIC.
If offshore social network providers do not comply with a request of the MIC without a valid reason, the MIC will implement technical measures to block violating content, services, and applications. Preventive measures can only be removed after violations have been handled by the offshore social network providers. If onshore social network providers do not comply with the request of the MIC without a valid reason, the MIC will suspend the provision of social networking services or revoke the license.
Onshore and regulated cross-border social network service providers must temporarily block content, services, and applications that receive complaints from Vietnamese users regarding their adverse effects on the legitimate rights and interests of individuals and organizations. These blocks must be implemented within 48 hours of receiving the complaints. Once the reported violations are verified, the respective content, services, and applications must be removed.
Searching and scanning content
A new provision in the Draft Decree sets out that both onshore and regulated cross-border social network service providers must provide tools for searching and scanning content at the request of the MIC. This requirement stems from the government’s desire to effectively monitor content on the internet, to enable timely detection and prevention of violating content and ensure user protection.
Only onshore social network providers with a valid license are permitted to provide online video streaming services (livestream) or engage in revenue-generating activities of any kind (excluding e-commerce activities). Onshore social networks with a low number of regular visitors that wish to provide livestream or engage in revenue-generating activities (excluding e-commerce) thus must apply for a social networking services license.
Despite the MIC’s statement in the government report on the Draft Decree indicating that only cross-border service providers who notify the MIC of their stipulated contact information are allowed to provide livestream services, this particular regulation appears to have been left out of the Draft Decree, possibly due to a drafting error.
The Draft Decree supplements a number of regulations to protect the interests of users and ensure that regulations are implemented fairly between domestic and foreign enterprises when providing services in Vietnam. In particular, both onshore and regulated cross-border social network service providers must:
- Have a specialized department to respond to requests from competent authorities and resolve and respond to complaints from Vietnamese users.
- Describe the content distribution process on their social networking platforms and publicly disclose the Service Provision Agreement/Community Standards for users to make an informed decision regarding their usage of the service.
- Publish policies and procedures to support customers in handling network information security matters in a concise, clear and easy-to-understand manner.
- Protect children when using social networks. For example, social network service providers can only allow users in Vietnam who are 16 years of age or older to register for an account. However, it appears that onshore social network service providers have more obligations in this area than offshore service providers. For example, onshore social network service providers are required to take measures to limit the time children use social networks to no more than 120 minutes per day while this obligation is left out for offshore social network service providers.
2. App Store Service Providers
Regulated cross-border app store service providers (i.e., those providing services on a cross-border basis and using data storage leasing services in Vietnam or meeting a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months) must only allow organizations and individuals in Vietnam to upload legal apps (i.e., apps which have an appropriate license, certificate, certification, or decision as stipulated) to their app stores. They must also comply with Vietnamese regulations on payment and remove any apps that violate the law at the request of the MIC.
It is unclear why this obligation applies only to service providers meeting the “regulated” threshold, rather than all cross-border app store service providers. This could be a drafting error that will be addressed in the next version of the decree.
3. Online Games
The Draft Decree adds regulations for not licensing online games that feature content and scenarios resembling prize-winning games in casinos or games using images of playing cards.
This proposed regulation comes about because the MIC has observed that entertainment card games, despite prohibiting the exchange of rewards, can still easily be exploited, leading to gambling and prize exchanges. The current management measures have proven insufficient in effectively monitoring the transformation of these games into gambling activities beyond the virtual realm. Therefore, since 2010, the MIC has upheld the policy of suspending licenses for entertainment card games.
The Draft Decree provides that foreign organizations and individuals providing online game services to users in Vietnam must establish an enterprise in compliance with Vietnamese law to provide such services. As a result, the cross-border provision of online games remains prohibited.
4. Services Not Covered in the Draft Decree
The Draft Decree conspicuously excludes provisions concerning OTT telecom services, data centers, and cloud computing services as these will be governed by the amended Telecom Law, which is currently in draft form.