Vietnam’s new Cybersecurity Law was promulgated on June 12, 2018 and came into effect on January 1, 2019, with a majority of its provisions enforceable from the effective date. However, there are still certain provisions of the law which need to be further guided by implementing regulations and guidelines. There are currently draft guidelines under consideration, including:

• A decree to implement in detail some provisions of the law, which includes guidance on the important and controversial article 26 on data localization (to guide articles 10.4, 12.5, 23.1, 24.7, 26.4 and 36.5, among others);
• A decree to regulate in detail the procedures for application of cybersecurity protection measures (to guide article 5.2 of the law); and
• A decision of the prime minister on promulgation of the list of national security information systems (to guide articles 10.3 and 43.3 of the law)

As of the time of writing this update, none of the three proposed regulations has been promulgated. The draft decree that most concerns industry insiders is the first, which regulates data localization. The draft is now in the Office of the Government for consideration and approval but there has been no official news as to when it will be issued. Although there was some indication earlier in 2019 that the Government was expected to pass the decree by the end of the year, an unofficial source said that it appears to have now been delayed to Q1 of next year, 2020. The latest accessible version of the draft decree is the version dated August 21, 2019.

The Ministry of Public Security’s (MPS’s) process of drafting this decree has demonstrated the ministry’s willingness to be open to industry and public consultation, because the issues surrounding the data localization requirement have generated significant concerns and numerous comments from international organizations and companies. According to reports, up to September 2019, the MPS sent 216 letters to relevant ministries and agencies, both at the central and local levels, as well as organizations and experts for comments. Based on these consultations, the MPS has made some changes. For example, it made changes to the specifications of different types of data that needs to be stored in Vietnam and added more services which will give rise to a data localization requirement. In addition, the MPS reduced the number of conditions that trigger data localization from four to just three (in particular, leaving out the ambiguous condition of letting service users continue to carry out prohibited acts). However, it is still uncertain whether the final version the government will pass will be much different from or improve this version.

It is worth re-emphasizing that the most problematic provision of the Cybersecurity Law is article 26.3, which relates to the requirements of data localization. The article states:

“Domestic and foreign enterprises providing services on telecommunication networks or the internet or value-added services in cyberspace in Vietnam with activities of collecting, exploiting, analyzing, and processing personal information data, data on the relationships of service users, or data generated by service users in Vietnam must store such data in Vietnam for the period prescribed by the government. Foreign enterprises mentioned in this clause must open branches or representative offices in Vietnam.”

The draft decree has narrowed down this broad language. Based on the draft decree, storing data and/or having branches or representative offices in Vietnam is required for foreign service providers only for the protection of national security, social order and safety, social ethics and health of the community, and when there are legal bases for a full determination on the three following factors:

• Such enterprise provides regulated services:
• Such enterprise carries out activities of collecting, exploiting [using], analyzing and processing the regulated types of data; and
• Such enterprise has been warned that the services it provides are used to commit a breach of the laws of Vietnam and it does not take any measures for avoiding, dealing with, fighting against or preventing such breach, or resisted, obstructed, or ignored requests from the relevant authorities.

Regulated services include: telecom services; services of data storage and sharing in cyberspace; supply of national or international domains to service users in Vietnam; e- commerce; online payment; intermediary payment; service of transport connection via cyberspace; social networking and social media; online electronic games; and services of providing, managing or operating other information in cyberspace in the form of a message, phone call, video call, email or online chat.

Regulated types of data include:

• Data on personal information of service users in Vietnam, including data with information in the form of symbols, writing, numbers, images, sounds or similar forms in order to accurately determine the identity of any one person;
• Data generated by service users in Vietnam, including account names for use of services, duration of use of services, credit card information, email addresses, IP addresses for the latest login and logout, and registered telephone numbers attached to the account or data relevant to the data on personal information of service users; and
• Data on the relationships of service users in Vietnam, including friends, and groups with which the users connect or interact.

Relevant authorities include the Department for Cybersecurity and Prevention of High-tech Crime under the Ministry of Public Security and/ or the Cyber Task Force, which comprises the Department for Cybersecurity and Prevention of High-tech Crime under the Ministry of Public Security and the Cyber Operations Command under the Ministry of National Defense.

If an enterprise were required to store data or have a branch or representative office in Vietnam, it would receive an MPS decision requiring it to store data and/or establish a branch or representative office in Vietnam. Within six months from the date of the MPS’s decision, the enterprise must complete the storing of data and/or establishing of a branch or representative office in Vietnam. Compared to the previous draft, this draft has significantly shortened this period from 12 months to six months, which is a disadvantage for enterprises. The period for storing data will start from the date on which the enterprise receives a request for storage of data until such request ends. The period for the storage of data will be at least 12 months. The period for having a branch or representative office in Vietnam will start from the date on which the enterprise receives a request until the enterprise no longer operates in Vietnam or provides regulated services in Vietnam.

How has the Cybersecurity Law affected foreign service providers since it came into effect nearly 12 months ago? Clearly, foreign service providers now face more risks if they do not take steps to restrict sensitive content or respond to takedown requests. According to reports, a senior official at the Ministry of Information and Communications recently commented that foreign companies’ compliance relating to content issues has greatly increased. For example, according to the official, cooperation with takedown requests in some areas related to content has increased from 20-30% to nearly 80-90%. In addition, the official added that it is also expected that the enforcement of the Cybersecurity Law will result in greater compliance among service providers when the authorities request them to provide service users’ identities if a violation of the law is detected.