You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

March 18, 2024

New Telecom Services Set Out in Vietnam’s Telecom Law and Draft Decree

Subscribe to Updates

Vietnam’s new Telecom Law 2023 was promulgated on November 24, 2023, and will take effect on July 1, 2024, for most telecom services. For three newly introduced telecom services—OTT telecom services, internet data center services, and cloud computing services—implementation and compliance will be delayed until January 1, 2025. These new services will be explored briefly below.

The Ministry of Information Communication (MIC) is currently in the process of developing a number of decrees and circulars that will detail the implementation of the Telecom Law 2023, including one main decree that guides the new law in general. This decree is scheduled for prompt promulgation to coincide with the law’s effective date of July 1, 2024.

The draft version of this decree, dated February 22, 2024 (“Draft Decree”), was shared for consultation with international organizations, associations, and enterprises by the Vietnam Telecom Agency (VNTA) in early March 2024 to gather feedback. The Draft Decree is expected to undergo further revisions before being sent to relevant state agencies for input and submission to the Ministry of Justice for assessment by the end of March 2024. The MIC anticipates submitting the subsequent version to the government by April 15, 2024.

 

New Telecom Services: OTT Telecom Services, IDC Services, and Cloud Computing Services

In comparison to the Telecom Law 2009, the Telecom Law 2023 has three new telecom services:

  • Basic telecommunications services on the internet (OTT telecom services) are defined as services whose primary functions including the sending, transmission, and receipt of information between two persons or a group of people using telecommunications services on the internet (Article 3.8 of the Telecom Law 2023). By incorporating the term “primary functions” into the definition, the Telecom Law 2023 aims to exclude services such as ride-hailing platforms where the primary function is transportation, not telecom services for sending and receiving messages between users. This intention has been clearly confirmed by the VNTA in its series of consultation meetings with industry groups during the development process of the new law.
  • Internet data center (IDC) services are services that provide functions including processing, storage, and retrieving information for users via the telecom network by partially or fully leasing a data center.
  • Cloud computing services are telecom services that provide functions including processing, storage, and retrieving information for users over the telecom network via cloud computing.

Under the Draft Decree (Article 5.3), these three new services are all classified as “value-added telecom services.”

 

Indications of Light-Touch Management Principle

Unlike traditional telecom services, these three new services will be subject to a light-touch management principle. While this was not clearly provided in the new Telecom Law 2023, which left it to future decrees to provide further guidelines, the Draft Decree reflects this intention much more clearly.

Cross-border service provision: In particular, the Draft Decree excludes these three new services from the requirement of subjecting offshore companies to sign a commercial agreement with a local licensed telecom company for service provision. Providers of these three new services only need to notify the VNTA before service provision.

Nevertheless, there are certain unclear matters that require refinement in a subsequent version of the Draft Decree. One such issue is whether offshore service providers can commence services immediately after notifying the VNTA, or if they must wait for the VNTA to issue a confirmation of notification. During its meeting for gathering feedback in early March 2024, the VNTA affirmed that offshore companies could provide services immediately upon notification, eliminating the need for any confirmation, and noted that it will consider removing the confirmation requirement from the Draft Decree.

Onshore service provision: The Draft Decree has also lifted the foreign ownership restriction applied to these three new telecom services. It requires onshore service providers of OTT telecom and cloud computing services to merely notify VNTA before providing their services. Onshore IDC service providers must register with VNTA before beginning service provision.

Similarly, there is ambiguity regarding whether IDC service providers must wait for the issuance of a confirmation of registration before providing the services, or can provide the services immediately upon registration. In response to this query, VNTA clarified that IDC service providers are required to obtain a registration certificate before commencing their services.

 

Key Obligations of Service Providers

The Draft Decree introduces a few key obligations of service providers:

  • Verify information about users’ mobile phone numbers before providing services, and store users’ information (service username and mobile phone number) and information about the service usage for the duration specified in the cybersecurity law with regard to OTT telecom service providers.
  • Store and manage user information (full name and telephone or email for individuals; organization name and address, and full name, telephone or email of contact person for organizations) with regard to IDC and cloud computing services. The industry has expressed concerns that this Draft Decree might pose a trade barrier, as current trends among OTT service providers involve minimizing the collection and storage of users’ personal information, aligning with their obligations for personal data protection. By reducing the collection and storage of personal information, not only are costs lowered, but the risk of user data leakage during system attacks is also diminished. Despite these concerns, VNTA has justified the inclusion of telephone numbers, asserting that they are essential for tracking violators in the event of violations through OTT services. Furthermore, VNTA highlighted the effective management of junk SIM cards by the MIC, reducing the risk of being unable to trace individuals based on such junk SIM cards. It is worth noting that the name provided to OTT service providers is the service username, not the actual name of the users.
  • Protect state secrets pursuant to the law on protection of state secrets: This requirement introduces compliance risks as service providers primarily serve as intermediaries without direct access to user information, which is typically encrypted. In response, VNTA has expressed an intention to review and clarify the wording, emphasizing that the obligation applies when service providers are aware of violations but fail to comply with authorities’ requests to prevent or stop such violations.
Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice