You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

December 15, 2023

Significant Aspects of Vietnam’s New Law on E-Transactions

Subscribe to Updates

Vietnam’s new Law on Electronic Transactions No. 20/2023/QH15 (LOET 2023) was promulgated by the National Assembly on June 22, 2023, and will replace the existing Law on Electronic Transactions No. 51/2005/QH11 (LOET 2005) when it enters into effect on July 1, 2024. The LOET 2023 is aimed at facilitating transactions carried out in an electronic environment in all sectors. Derived from the fundamental principles of the LOET 2005, the LOET 2023 is similarly considered a framework law, developed based on the Model Law on E-Commerce of the United Nations Commission on International Trade Law (UNCITRAL). The main points of interest of the LOET 2023 are summarized below.

1. Scope of Application

Unlike the LOET 2005, which explicitly excludes certain areas such as the issuance of certificates of land use rights and birth certificates from the scope of application, the LOET 2023 covers all areas without exception. However, the LOET 2023 will still not interfere with the regulations of substantive laws that stipulate the content, conditions, and forms of transactions in their respective areas (Article 1.2). The LOET 2023 also provides that it will only be applicable if other laws either allow or remain silent on the electronic execution of transactions; otherwise, if another law specifically does not permit a transaction to be carried out electronically, such law shall apply (Article 1.3). This emphasizes that the applicability of the LOET 2023 depends on the electronic readiness of specific sectors.

2. Enabling E-Transactions in All Sectors

For traditional transactions or contracts to be legally valid, they typically require written documentation, the signatures of the involved parties, and the seals of organizations or companies, if required by substantive laws or common practice. Additionally, certain sectors mandate further steps like notarization or certification, such as in property transactions like house sales or inheritance documentation. The questions then arise: How are these requirements mirrored in the electronic environment, and in the event of a dispute between parties, how can electronic transactions be used to support the parties to facilitate the transaction?

2.1 Data Messages

A data message is information generated, sent, received, and stored by electronic means (Article 3.4). There are two types of data messages under the LOET 2023 (Article 7): (i) data messages in the form of electronic documents, electronic certificates, electronic records, electronic contracts, emails, telegrams, telegraphs, facsimiles, and other electronic data interchange (EDI) forms according to regulations of law; and (2) data messages that are created and generated during transactions or converted from written documents.

The LOET 2023 retains the main content of provisions under the LOET 2005 on the legal validity of data messages and the recognition of the validity of data messages as written documents, as original copies, and as evidence. Regarding the rules for sending and receiving data messages, the LOET 2023 offers more extensive regulations than the LOET 2005, such as new provisions recognizing the representative of a party as the originator of a data message (Articles 14.2(a) and 15.1). Additionally, it addresses situations where a party erroneously inputs information via an automatic information system without the opportunity to rectify the error; in this case, the party making the error is allowed to retract the entered information if it meets stipulated conditions (Article 14.3).

The LOET 2023 also provides for conversion from written documents to data messages and vice versa so that parties can use either option where appropriate or allowed by law (Article 12). Interestingly, a prerequisite for converting written documents into data messages is that the resulting data message must include a distinct indication certifying its conversion from the written document, along with details about the entity or individual making the conversion (Article 12.1(c)). It is unclear whether merely scanning a document into PDF format without additional information about the converter qualifies as a data message converted from a written document. The LOET 2023 leaves it to the government to provide further guidance on conversion issues (Article 12.4).

2.2 Electronic Contracts

An electronic contract (e-contract) is a contract that is made in the form of a data message (Article 3.16). The LOET 2023 generally retains the principles and rules on e-contracts of the LOET 2005, but adds regulations to enable the signing and performance of e-contracts through automatic information systems (Article 34), and empowers line ministries to promulgate regulations on conclusion and execution of e-contracts in their respective fields (Article 34.2).

An interesting note is that when entering into and executing e-contracts, the parties have the right to reach agreements related to those e-contracts on technical requirements, conditions to ensure integrity, and confidentiality (Article 36.2). This means the parties could agree on e-signature technology, e.g., simple or complicated, depending on the nature and free will of parties. However, this principle seems to be weakened in regard to e-signatures of individuals, as discussed below.

2.3 Electronic Signatures and Digital Signatures

An electronic signature (e-signature) is a signature created in the form of electronic data attached to or logically associated with a data message to identify the signatory and certify the signatory’s approval of the data message (Article 3.11). Electronic data is data generated, processed, and stored by electronic means (Article 3.7).

A digital signature is an e-signature using an asymmetric algorithm consisting of a private key and a public key. The private key is used for digitally signing and the public key is used to verify the digital signature. The digital signature ensures the authenticity, integrity, and non-repudiation but does not ensure the secrecy of the data message (Article 3.12). Digital signatures are generally considered more secure than other e-signatures. Digital signatures and digital signature certification services have long and commonly been used in Vietnam (and in the world) in e-transactions.

The LOET 2023 specifies three types of e-signatures:

  • Specialized e-signatures are e-signatures created and used by agencies and organizations for their particular purposes in accordance with their functions and tasks (Article 22.1(a)).
  • Public digital signatures are digital signatures used in public activities (there is no definition of what constitutes “public activities”) and secured by public digital signature certificates (Article 22.1(b)).
  • Specialized digital signatures for official use are digital signatures used in official activities and secured by e-certificates verifying them (Article 22.1(c)). Specialized e-signatures and digital signatures must meet stipulated conditions (Articles 22.2 and 22.3).

The LOET 2023 explicitly recognizes the legal validity of e-signatures by stipulating that their legal validity is not denied merely because they are in electronic form (Article 23.1). A secure specialized e-signature or a digital signature has the same legal validity as the signature of that individual on a written document (Article 23.2). A secure specialized e-signature is one that has been granted a safety certificate by the Ministry of Information and Communications (MIC) (Article 25.2). If an agency or organization uses a specialized e-signature in transactions, or seeks recognition of a secure specialized e-signature, it must register with the MIC to obtain a safety certificate for the secure specialized e-signature (Article 25.3).

Notably, the LOET 2023 lacks clear regulations regarding an individual’s e-signature. Consequently, it remains uncertain whether individuals can use self-created e-signatures in e-transactions. The combination of Article 23.2 and Article 22.1(b) suggests that individuals may be required to use a public digital signature in their e-transactions, which would significantly limit individual choice in selecting suitable technologies and potentially posing a burden on individuals engaging in e-transactions. This could be seen as a regression compared to the LOET 2005, which fully respects the parties’ freedom to choose e-signature technologies tailored to the nature of their transactions.

In addition, the LOET 2023 explicitly states that the use of other electronic confirmation methods that are not recognized as e-signatures for indicating the approval of data messages by signatories must comply with the provisions of other relevant laws (Article 22.4). This seems to exclude electronic verification methods such as one-time passwords (OTP), text messages (SMS), and biometrics, which are commonly used in banking and customs sectors, and defers regulation of such methods for substantive laws in specified sectors to regulate.

2.4 Electronic Seals

While the LOET 2005 has separate provisions on e-signatures for signatures and e-signatures for company seals, the LOET 2023 seems to merge both into a single e-signature requirement. In particular, according to the LOET 2005, where the law requires a document to be signed, such requirement with respect to a data message will be satisfied if the e-signature used to sign such data message meets stipulated conditions of security and authentication (Article 24.1 of the LOET 2005). Where the law requires a document to be affixed with the seal of an entity, such requirement with respect to a data message will be satisfied if the data message is signed with an entity’s secure e-signature which meets stipulated conditions (Article 24.2 of the LOET 2005).

The LOET 2023 does not use the word “seal” but uses “certification” instead. Article 23.3 regulates that if the law stipulates that a document must be certified by an agency or organization, such requirement with respect to a data message will be satisfied if the data message is signed by a secure specialized e-signature or digital signature of that agency or organization. Article 23.2 regulates that a secure specialized e-signature or digital signature has the same legal validity as the signature of that individual on a written document. This suggests that when a company uses its secure specialized e-signature or digital signature, this satisfies both signature and certification requirements, thus, serving both functions as a signature and a company seal at the same time.

2.5 Notarization and Certification

In certain sectors where substantive laws require documents to be notarized or certified, the requirement is fulfilled if the document is notarized according to the regulations of the laws on notarization, or certified according to regulations of the LOET 2023 and the laws on certification (Article 9.2). In other words, unless the laws on notarization explicitly prohibit notarization via electronic means, transactions which require notarization, such as sales contracts for houses, could be notarized electronically according to the rules specified in the laws on notarization.

3. Enabling Cross-Border E-Transactions

The LOET 2005 provides principles for recognition of foreign e-signatures and foreign e-signature certificates (Article 27.1 of LOET 2005). However, to date, guidance on implementation has only been provided under Decree 130/2018/ND-CP, which focuses exclusively on legal recognition for foreign digital signatures, leaving a gap in regulations for other technological aspects of foreign e-signatures. This shortcoming has hampered the advancement of cross-border e-transactions involving Vietnamese entities. The LOET 2023 is expected to deal with this deficiency.

According to the LOET 2023, subjects using recognized foreign e-signatures and recognized foreign e-signature certificates are foreign organizations and individuals, and Vietnamese organizations and individuals who transact with foreign organizations and individuals via electronic means, but whose domestically issued e-signatures and e-signature certificates have not been recognized in the other country (Article 26.3).

Conditions for foreign e-signatures and e-signature certificates to be recognized in Vietnam include (Article 26.2):

  • They must conform to the standards and technical regulations on e-signatures and e-signature certificates stipulated by Vietnamese law, or recognized international standards or international treaties to which Vietnam is a member; and
  • The foreign e-signature certificate is created based on complete and authenticated identification information of the foreign organization or individual.

Article 26.1 of the LOET 2023 also provides conditions for recognizing foreign e-signature certification service providers in Vietnam, which include the requirement of having a representative office in Vietnam (Article 26.1(dd)). It is not explicitly clear whether to be recognized in Vietnam, foreign e-signatures must be associated with foreign e-signature certificates that are issued by foreign e-signature certification service providers recognized in Vietnam. This matter will be guided further by the Minister of the MIC (Article 26.4).

4. Electronic Certificates

Electronic certificates (e-certificates) are licenses, certification papers, certificates, confirmation documents, and other approval documents issued by competent agencies and organizations in the form of electronic data (Article 3.5).

An e-certificate will be legally valid when it meets the following conditions (Article 19.1):

  • It is signed by a digital signature of a competent agency or organization;
  • The information in it can be accessed and used in a complete form; and
  • If the law requires the time relating to the e-certificate, it must be time-stamped

To be recognized and used in Vietnam, an e-certificate issued by a competent foreign agency or organization must be granted consular legalization, unless exempted as per Vietnamese law (Article 19.2).

E-certificates can be transferred if the law permits, but must meet stipulated conditions (Article 20.1). The information system to store and process e-certificates must be ensured to meet at least Level 3 of network information security in accordance with the Law on Network Information Security (Article 21.2).

The LOET 2005 uses the term “e-certificate” but denotes a different meaning, referring to the verification of a signing person or organization, similar to the concept of e-signature certificates under the LOET 2023.

5. Trust Services

Trust services include (i) timestamp services, (ii) data message certification services, and (iii) public digital signature certification services (Article 28.1). Timestamp services are services for attaching time information to data messages (Article 31.1). Data message certification services include services of storing and verifying the integrity of data messages and services of sending and receiving secure data messages (Article 32). Public digital signature certification services are services of certifying digital signatures in public activities (Article 33.1).

Although these trust services are new content compared to the LOET 2005, timestamp services and public digital signature certification services are not new services, and have been regulated under Decree No. 130/2018/ND-CP. The LOET 2023 retains and incorporates certain framework regulations of state management of timestamp services and digital signature services regulated in this decree. In particular, the LOET 2023 provides that these trust services are conditional business services and subject to licensing with a license duration of 10 years (Articles 28.2, 28.3).

6. Information Systems Serving E-Transactions

The LOET 2023 adds a new chapter (Chapter VI) on information systems serving e-transactions, which are defined as a combination of hardware, software, and databases established with the main purpose of serving e-transactions and ensuring the authenticity and reliability of e-transactions (Article 45.1). A digital platform serving e-transactions is an information system that creates an electronic environment allowing parties to conduct transactions, provide and use products and services, or develop products and services (Article 45.2). An intermediary digital platform serving e-transactions is a digital platform whose administrator is independent of the parties performing the transaction (Article 45.3).

E-transaction accounts are used to conduct e-transactions, store transaction history, and ensure the accuracy of the order/process of transactions of the account holder, and as evidence of the transaction history of the parties to e-transactions (Article 46.2). Agencies, organizations and individuals can choose to use e-transaction accounts based on their needs, unless otherwise provided for by law (Article 46.3). The transaction history of an e-transaction account will have legal validity for proving the transaction if it fulfills stipulated conditions (Article 46.4).

Administrators of information systems serving e-transactions are required to, among other things, provide information by electronic means for inspection purposes; report at the request of state management agencies in charge of e-transactions; and share data to serve state management of e-transactions (Article 47.1). Large intermediary digital platforms are required to, among other things, publish the mechanism to handle problems or content violating Vietnamese law arising in e-transactions and annually report to the MIC on incidents of taking advantage of the information system to violate Vietnamese law (Article 47.2). Extremely large intermediary digital platforms are required to, among other things, publish the basis used to make recommendations to users and allow users to opt out of such recommendations and uninstall any applications without affecting basic technical features of the system (Article 47.3). The government is to provide further guidance on the responsibilities of administrators of large and extremely large intermediary digital platforms based on the scale, number of users in Vietnam, or number of accesses from users in Vietnam of such platforms (Article 47.4).

7. Open Data

The LOET 2023 adds new content regarding the open data of state agencies, which is defined as data that is published or disclosed by a state agency for other parties to freely use, reuse, and share, in order to promote e-transactions, digital transformation, and development of the digital economy and digital society (Article 43.1). Organizations and individuals are free to access and use open data without being requested to provide identification, and are allowed to freely copy, share, exchange, and use open data or combine open data with other data, and use open data in their commercial or non-commercial products or services unless otherwise provided by law (Articles 43.3, 43.4).

Related Professionals

Industries

Technology

Practices

Corporate/M&A

Location

RELATED INSIGHTS​

April 4, 2024
On March 18, 2024, the president of the Supreme Court of Thailand announced the establishment of a specialized Technology Crime Division within the Criminal Court of Thailand. This represents a significant commitment to cybercrime within the Thai judiciary and a step forward in Thailand’s ability to investigate cybercrime. The rise in cybercrime investigations in recent years has made it increasingly difficult for Thailand’s traditional criminal courts to consider and issue enforcement orders in support of ongoing investigations in a timely manner. The new Technology Crime Division addresses this challenge. This new division has jurisdiction over cybercrime and technology-related crime, fraud or extortion using computers, and criminal offenses relating to personal data protection laws. In addition, this new division has jurisdiction over all requests from competent law enforcement officers seeking court orders under the Computer Crimes Act B.E. 2550, the Personal Data Protection Act B.E. 2562, and the Cybersecurity Act B.E. 2562. The Technology Crime Division will have trainees and judges with expertise in technology and cybercrime—not only to facilitate expert prosecution of cybercrime but also to offer critical and time-sensitive support to law enforcement investigations of alleged cybercrime. The Technology Crime Division is not yet operational. The president of the Supreme Court is expected to announce the division’s opening date in the coming months. For more details on Thailand’s measures for dealing with cybercrime, please contact Michael Ramirez at [email protected] or Piyawat Vitooraporn at [email protected].
Read More
March 29, 2024
Thailand’s Cybersecurity Regulating Committee (CRC) released a notification under the Cybersecurity Act on February 22, 2024, setting key operational obligations for critical information infrastructure (CII) organizations. The notification takes effect on June 20, 2024. CII organizations are state or private entities that carry out services related to national security, public services, banking and finance, information technology and telecommunications, transportation and logistics, energy and public utilities, or public health. CII organizations will be identified by the National Cyber Security Committee (NCSC) and notified of their status. The key obligations of CII organizations are laid out below. Reporting to the National Cyber Security Agency (NCSA) CII organizations must provide the following to the NCSA: A list of executive and operational staff, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list within 15 days following any changes. A list of internal departments or individuals who are the responsible persons, owners, and holders of the computer systems, along with emergency contacts who can be reached within 60 minutes in the event of a cyber threat. The NCSA must be notified of any updates to this list at least 7 days prior to any changes (or within 15 days after the change if there is a necessary reason). Policies, Guidelines, and Procedures As specified in the National Cyber Security Committee (NCSC) guidelines, CII organizations must prepare the following internal documents by June 20, 2025: Cybersecurity practice guidelines, consisting of an inspection plan, risk assessment, and incident response plan. Cybersecurity standards framework, consisting of measures for risk identification, risk prevention, threat detection and monitoring, incident responses, and resilience and recovery. CII organizations must also prepare the following: Mechanisms, procedures, and steps for monitoring and detecting
Read More
March 29, 2024
Vietnam’s Ministry of Public Security (MPS) is drafting two reports to present to the government in May 2024 to advocate for the development and adoption of a Law on Personal Data Protection. These reports include an assessment of the policy impact of the proposal to develop a personal data protection law, and an assessment of the current state of social relations related to personal data protection. Decree No. 13/2023/ND-CP on Personal Data Protection (PDPD), adopted in April 2023, became the first comprehensive legal instrument on data protection in Vietnam. When the National Assembly was debating its text and adoption in 2022 and 2023, questions were raised as to the status of this new regulation and the legality to adopt a decree before a law. In accordance with the public announcements made throughout the development of the PDPD assuring that a law would be developed at a later stage, the MPS is now advocating for the development of a Personal Data Protection Law and has drafted the two reports pursuant to the Law on the Promulgation of Legal Documents. The main arguments advanced by the MPS in the two reports are as follows: As the right to privacy is enshrined in the Constitution, any restrictions thereof must be made through a law and not a decree. The MPS is notably referring to the lawful basis for processing and limited exceptions to consent under the PDPD. This may be a sign that the MPS intends to widen the exceptions to consent under the new law. The definitions of “personal data” and “personal data protection” need to be harmonized to consolidate the regulatory framework. The MPS indicates that there are 69 legal documents directly related to “personal data protection” in Vietnam with more than 10 different definitions, while “personal information” appears in
Read More
March 28, 2024
Recently, Vietnam has witnessed a dramatic increase in cyber fraud, causing significant financial losses and posing a grave threat to both Vietnamese and foreign entities. With the increasing reliance on digital technology and the widespread adoption of online platforms, the country has become fertile ground for cybercriminals to exploit vulnerabilities and conduct various fraudulent activities. This article aims to present an overview of addressing cyber fraud in Vietnam and offers practical advice for businesses to safeguard themselves from becoming victims of such illicit activities.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice