Vietnam’s new Law on Electronic Transactions No. 20/2023/QH15 (LOET 2023) was promulgated by the National Assembly on June 22, 2023, and will replace the existing Law on Electronic Transactions No. 51/2005/QH11 (LOET 2005) when it enters into effect on July 1, 2024. The LOET 2023 is aimed at facilitating transactions carried out in an electronic environment in all sectors. Derived from the fundamental principles of the LOET 2005, the LOET 2023 is similarly considered a framework law, developed based on the Model Law on E-Commerce of the United Nations Commission on International Trade Law (UNCITRAL). The main points of interest of the LOET 2023 are summarized below.
1. Scope of Application
Unlike the LOET 2005, which explicitly excludes certain areas such as the issuance of certificates of land use rights and birth certificates from the scope of application, the LOET 2023 covers all areas without exception. However, the LOET 2023 will still not interfere with the regulations of substantive laws that stipulate the content, conditions, and forms of transactions in their respective areas (Article 1.2). The LOET 2023 also provides that it will only be applicable if other laws either allow or remain silent on the electronic execution of transactions; otherwise, if another law specifically does not permit a transaction to be carried out electronically, such law shall apply (Article 1.3). This emphasizes that the applicability of the LOET 2023 depends on the electronic readiness of specific sectors.
2. Enabling E-Transactions in All Sectors
For traditional transactions or contracts to be legally valid, they typically require written documentation, the signatures of the involved parties, and the seals of organizations or companies, if required by substantive laws or common practice. Additionally, certain sectors mandate further steps like notarization or certification, such as in property transactions like house sales or inheritance documentation. The questions then arise: How are these requirements mirrored in the electronic environment, and in the event of a dispute between parties, how can electronic transactions be used to support the parties to facilitate the transaction?
2.1 Data Messages
A data message is information generated, sent, received, and stored by electronic means (Article 3.4). There are two types of data messages under the LOET 2023 (Article 7): (i) data messages in the form of electronic documents, electronic certificates, electronic records, electronic contracts, emails, telegrams, telegraphs, facsimiles, and other electronic data interchange (EDI) forms according to regulations of law; and (2) data messages that are created and generated during transactions or converted from written documents.
The LOET 2023 retains the main content of provisions under the LOET 2005 on the legal validity of data messages and the recognition of the validity of data messages as written documents, as original copies, and as evidence. Regarding the rules for sending and receiving data messages, the LOET 2023 offers more extensive regulations than the LOET 2005, such as new provisions recognizing the representative of a party as the originator of a data message (Articles 14.2(a) and 15.1). Additionally, it addresses situations where a party erroneously inputs information via an automatic information system without the opportunity to rectify the error; in this case, the party making the error is allowed to retract the entered information if it meets stipulated conditions (Article 14.3).
The LOET 2023 also provides for conversion from written documents to data messages and vice versa so that parties can use either option where appropriate or allowed by law (Article 12). Interestingly, a prerequisite for converting written documents into data messages is that the resulting data message must include a distinct indication certifying its conversion from the written document, along with details about the entity or individual making the conversion (Article 12.1(c)). It is unclear whether merely scanning a document into PDF format without additional information about the converter qualifies as a data message converted from a written document. The LOET 2023 leaves it to the government to provide further guidance on conversion issues (Article 12.4).
2.2 Electronic Contracts
An electronic contract (e-contract) is a contract that is made in the form of a data message (Article 3.16). The LOET 2023 generally retains the principles and rules on e-contracts of the LOET 2005, but adds regulations to enable the signing and performance of e-contracts through automatic information systems (Article 34), and empowers line ministries to promulgate regulations on conclusion and execution of e-contracts in their respective fields (Article 34.2).
An interesting note is that when entering into and executing e-contracts, the parties have the right to reach agreements related to those e-contracts on technical requirements, conditions to ensure integrity, and confidentiality (Article 36.2). This means the parties could agree on e-signature technology, e.g., simple or complicated, depending on the nature and free will of parties. However, this principle seems to be weakened in regard to e-signatures of individuals, as discussed below.
2.3 Electronic Signatures and Digital Signatures
An electronic signature (e-signature) is a signature created in the form of electronic data attached to or logically associated with a data message to identify the signatory and certify the signatory’s approval of the data message (Article 3.11). Electronic data is data generated, processed, and stored by electronic means (Article 3.7).
A digital signature is an e-signature using an asymmetric algorithm consisting of a private key and a public key. The private key is used for digitally signing and the public key is used to verify the digital signature. The digital signature ensures the authenticity, integrity, and non-repudiation but does not ensure the secrecy of the data message (Article 3.12). Digital signatures are generally considered more secure than other e-signatures. Digital signatures and digital signature certification services have long and commonly been used in Vietnam (and in the world) in e-transactions.
The LOET 2023 specifies three types of e-signatures:
- Specialized e-signatures are e-signatures created and used by agencies and organizations for their particular purposes in accordance with their functions and tasks (Article 22.1(a)).
- Public digital signatures are digital signatures used in public activities (there is no definition of what constitutes “public activities”) and secured by public digital signature certificates (Article 22.1(b)).
- Specialized digital signatures for official use are digital signatures used in official activities and secured by e-certificates verifying them (Article 22.1(c)). Specialized e-signatures and digital signatures must meet stipulated conditions (Articles 22.2 and 22.3).
The LOET 2023 explicitly recognizes the legal validity of e-signatures by stipulating that their legal validity is not denied merely because they are in electronic form (Article 23.1). A secure specialized e-signature or a digital signature has the same legal validity as the signature of that individual on a written document (Article 23.2). A secure specialized e-signature is one that has been granted a safety certificate by the Ministry of Information and Communications (MIC) (Article 25.2). If an agency or organization uses a specialized e-signature in transactions, or seeks recognition of a secure specialized e-signature, it must register with the MIC to obtain a safety certificate for the secure specialized e-signature (Article 25.3).
Notably, the LOET 2023 lacks clear regulations regarding an individual’s e-signature. Consequently, it remains uncertain whether individuals can use self-created e-signatures in e-transactions. The combination of Article 23.2 and Article 22.1(b) suggests that individuals may be required to use a public digital signature in their e-transactions, which would significantly limit individual choice in selecting suitable technologies and potentially posing a burden on individuals engaging in e-transactions. This could be seen as a regression compared to the LOET 2005, which fully respects the parties’ freedom to choose e-signature technologies tailored to the nature of their transactions.
In addition, the LOET 2023 explicitly states that the use of other electronic confirmation methods that are not recognized as e-signatures for indicating the approval of data messages by signatories must comply with the provisions of other relevant laws (Article 22.4). This seems to exclude electronic verification methods such as one-time passwords (OTP), text messages (SMS), and biometrics, which are commonly used in banking and customs sectors, and defers regulation of such methods for substantive laws in specified sectors to regulate.
2.4 Electronic Seals
While the LOET 2005 has separate provisions on e-signatures for signatures and e-signatures for company seals, the LOET 2023 seems to merge both into a single e-signature requirement. In particular, according to the LOET 2005, where the law requires a document to be signed, such requirement with respect to a data message will be satisfied if the e-signature used to sign such data message meets stipulated conditions of security and authentication (Article 24.1 of the LOET 2005). Where the law requires a document to be affixed with the seal of an entity, such requirement with respect to a data message will be satisfied if the data message is signed with an entity’s secure e-signature which meets stipulated conditions (Article 24.2 of the LOET 2005).
The LOET 2023 does not use the word “seal” but uses “certification” instead. Article 23.3 regulates that if the law stipulates that a document must be certified by an agency or organization, such requirement with respect to a data message will be satisfied if the data message is signed by a secure specialized e-signature or digital signature of that agency or organization. Article 23.2 regulates that a secure specialized e-signature or digital signature has the same legal validity as the signature of that individual on a written document. This suggests that when a company uses its secure specialized e-signature or digital signature, this satisfies both signature and certification requirements, thus, serving both functions as a signature and a company seal at the same time.
2.5 Notarization and Certification
In certain sectors where substantive laws require documents to be notarized or certified, the requirement is fulfilled if the document is notarized according to the regulations of the laws on notarization, or certified according to regulations of the LOET 2023 and the laws on certification (Article 9.2). In other words, unless the laws on notarization explicitly prohibit notarization via electronic means, transactions which require notarization, such as sales contracts for houses, could be notarized electronically according to the rules specified in the laws on notarization.
3. Enabling Cross-Border E-Transactions
The LOET 2005 provides principles for recognition of foreign e-signatures and foreign e-signature certificates (Article 27.1 of LOET 2005). However, to date, guidance on implementation has only been provided under Decree 130/2018/ND-CP, which focuses exclusively on legal recognition for foreign digital signatures, leaving a gap in regulations for other technological aspects of foreign e-signatures. This shortcoming has hampered the advancement of cross-border e-transactions involving Vietnamese entities. The LOET 2023 is expected to deal with this deficiency.
According to the LOET 2023, subjects using recognized foreign e-signatures and recognized foreign e-signature certificates are foreign organizations and individuals, and Vietnamese organizations and individuals who transact with foreign organizations and individuals via electronic means, but whose domestically issued e-signatures and e-signature certificates have not been recognized in the other country (Article 26.3).
Conditions for foreign e-signatures and e-signature certificates to be recognized in Vietnam include (Article 26.2):
- They must conform to the standards and technical regulations on e-signatures and e-signature certificates stipulated by Vietnamese law, or recognized international standards or international treaties to which Vietnam is a member; and
- The foreign e-signature certificate is created based on complete and authenticated identification information of the foreign organization or individual.
Article 26.1 of the LOET 2023 also provides conditions for recognizing foreign e-signature certification service providers in Vietnam, which include the requirement of having a representative office in Vietnam (Article 26.1(dd)). It is not explicitly clear whether to be recognized in Vietnam, foreign e-signatures must be associated with foreign e-signature certificates that are issued by foreign e-signature certification service providers recognized in Vietnam. This matter will be guided further by the Minister of the MIC (Article 26.4).
4. Electronic Certificates
Electronic certificates (e-certificates) are licenses, certification papers, certificates, confirmation documents, and other approval documents issued by competent agencies and organizations in the form of electronic data (Article 3.5).
An e-certificate will be legally valid when it meets the following conditions (Article 19.1):
- It is signed by a digital signature of a competent agency or organization;
- The information in it can be accessed and used in a complete form; and
- If the law requires the time relating to the e-certificate, it must be time-stamped
To be recognized and used in Vietnam, an e-certificate issued by a competent foreign agency or organization must be granted consular legalization, unless exempted as per Vietnamese law (Article 19.2).
E-certificates can be transferred if the law permits, but must meet stipulated conditions (Article 20.1). The information system to store and process e-certificates must be ensured to meet at least Level 3 of network information security in accordance with the Law on Network Information Security (Article 21.2).
The LOET 2005 uses the term “e-certificate” but denotes a different meaning, referring to the verification of a signing person or organization, similar to the concept of e-signature certificates under the LOET 2023.
5. Trust Services
Trust services include (i) timestamp services, (ii) data message certification services, and (iii) public digital signature certification services (Article 28.1). Timestamp services are services for attaching time information to data messages (Article 31.1). Data message certification services include services of storing and verifying the integrity of data messages and services of sending and receiving secure data messages (Article 32). Public digital signature certification services are services of certifying digital signatures in public activities (Article 33.1).
Although these trust services are new content compared to the LOET 2005, timestamp services and public digital signature certification services are not new services, and have been regulated under Decree No. 130/2018/ND-CP. The LOET 2023 retains and incorporates certain framework regulations of state management of timestamp services and digital signature services regulated in this decree. In particular, the LOET 2023 provides that these trust services are conditional business services and subject to licensing with a license duration of 10 years (Articles 28.2, 28.3).
6. Information Systems Serving E-Transactions
The LOET 2023 adds a new chapter (Chapter VI) on information systems serving e-transactions, which are defined as a combination of hardware, software, and databases established with the main purpose of serving e-transactions and ensuring the authenticity and reliability of e-transactions (Article 45.1). A digital platform serving e-transactions is an information system that creates an electronic environment allowing parties to conduct transactions, provide and use products and services, or develop products and services (Article 45.2). An intermediary digital platform serving e-transactions is a digital platform whose administrator is independent of the parties performing the transaction (Article 45.3).
E-transaction accounts are used to conduct e-transactions, store transaction history, and ensure the accuracy of the order/process of transactions of the account holder, and as evidence of the transaction history of the parties to e-transactions (Article 46.2). Agencies, organizations and individuals can choose to use e-transaction accounts based on their needs, unless otherwise provided for by law (Article 46.3). The transaction history of an e-transaction account will have legal validity for proving the transaction if it fulfills stipulated conditions (Article 46.4).
Administrators of information systems serving e-transactions are required to, among other things, provide information by electronic means for inspection purposes; report at the request of state management agencies in charge of e-transactions; and share data to serve state management of e-transactions (Article 47.1). Large intermediary digital platforms are required to, among other things, publish the mechanism to handle problems or content violating Vietnamese law arising in e-transactions and annually report to the MIC on incidents of taking advantage of the information system to violate Vietnamese law (Article 47.2). Extremely large intermediary digital platforms are required to, among other things, publish the basis used to make recommendations to users and allow users to opt out of such recommendations and uninstall any applications without affecting basic technical features of the system (Article 47.3). The government is to provide further guidance on the responsibilities of administrators of large and extremely large intermediary digital platforms based on the scale, number of users in Vietnam, or number of accesses from users in Vietnam of such platforms (Article 47.4).
7. Open Data
The LOET 2023 adds new content regarding the open data of state agencies, which is defined as data that is published or disclosed by a state agency for other parties to freely use, reuse, and share, in order to promote e-transactions, digital transformation, and development of the digital economy and digital society (Article 43.1). Organizations and individuals are free to access and use open data without being requested to provide identification, and are allowed to freely copy, share, exchange, and use open data or combine open data with other data, and use open data in their commercial or non-commercial products or services unless otherwise provided by law (Articles 43.3, 43.4).