Vietnam’s new Law on Cybersecurity was finally adopted by the National Assembly on June 12, 2018, after more than a dozen drafts and wide debate in the business and government sectors. This Cybersecurity Law imposes tremendous obligations on both onshore and, especially, offshore companies providing online services to customers in Vietnam.

The companies subject to this Cybersecurity Law are domestic and foreign companies providing services to customers in Vietnam over telecom networks or the internet such as social networks, search engines, online advertising, online streaming/broadcasting, e-commerce websites/marketplaces, internet-based voice/text services (OTT services), cloud services, online games, and online applications.

In particular, the new law sets out the following requirements:

• Owners of websites, portals, and social networks must not provide, post or transmit information against the Vietnamese government or inciting/prejudicing riots, security, public order, humiliation, slander, or untruthful information.

  This means websites and social network operators must not post or allow their users to post “anti-state,” “offensive” or “inciting” contents on their websites/social networks, and must develop mechanisms for monitoring, verifying, and taking down prohibited content posted by their users. This requirement may diminish the website/social network operators’ “safe harbor” under other valid legislation that protects them from the responsibility to monitor or supervise digital information of their users, or investigate breaches of the law arising from the process of transmitting or storing digital information of their users.

• Domestic and foreign companies providing services over telecom networks or the internet or value-added services in cyberspace in Vietnam must:

1. authenticate users’ information upon registration;
2. keep user information confidential;
3. cooperate with Vietnamese authorities to provide information on their users when such users are investigated or deemed to have breached laws on cybersecurity;
4. prevent and delete “anti-state,” “offensive” or “inciting” contents from their platforms within 24 hours after receiving a request from competent authorities;
5. store in Vietnam within certain time limits (which are to be further prescribed in detail by the government) users’ personal information, data on service users’ relationships, and data generated by service users in Vietnam (definitions and scopes of all such user-related data are not clearly provided under the law); and
6. for foreign service providers in particular, establish branches or representative offices in Vietnam.

It is worth noting that, under the version of the law adopted by the National Assembly, the restrictions on cross-border transfer of Vietnamese users’ information outside of Vietnam (which appeared in earlier drafts of the law and which were a concern of the business community) seem to have been removed. Under the adopted version of the law, under one interpretation, both onshore and offshore online service providers appear to no longer be required to “only” store their users’ information inside Vietnam and comply with certain assessment procedures before transferring “critical data” outside of Vietnam. The adopted version of the law seems to relax these restrictions by requiring the online service providers to store the Vietnamese users’ information within Vietnam for a certain period of time. However, during the statutory retention time, the law does not appear to expressly prohibit the online service providers from duplicating the data and transferring/storing such duplicated data outside of Vietnam.

This data localization requirement will surely create additional burdens for foreign online service providers supplying services to customers in Vietnam. Moreover, foreign online service providers are also required to establish a branch or representative office in Vietnam if, during the provision of services, they “collect, exploit, analyze or process” Vietnamese users’ information.

Another requirement found in previous drafts, that offshore service providers must locate servers in Vietnam, has been removed from the final version. However, by requiring offshore service providers to “store” Vietnamese users’ information in Vietnam, the offshore service providers, as a practical matter, will likely need to locate servers in Vietnam, either by directly owning/operating the servers or leasing servers owned/operated by other service providers in Vietnam, to store such information.

Any onshore and offshore online service providers wishing to provide services to customers in Vietnam need to assess the Cybersecurity Law and prepare themselves to comply with these requirements before they take effect on January 1, 2019.

Currently, there are various issues that are unclear under the Cybersecurity Law, such as the penalties for non-compliance with these requirements and measures for the Vietnamese authorities to enforce offshore service providers. One question is whether the government should exclude foreign online service providers who have a small number of subscribers in Vietnam from the requirements on data localization and establishment of business presence in Vietnam, as it seems impractical for these companies to invest and comply with these requirements.

Time will be needed for the Vietnamese government to prepare to implement the Cybersecurity Law. The expectation is that subordinate legislation will soon be issued to clarify the details on the implementation of the Cybersecurity Law.