Draft decree to find hold on Facebook and Google

Cross-border service firms may have to establish representative offices in Vietnam from 2019

Key provisions

Enterprises providing e-commerce, e-payment, social networks, and online video games like Facebook and Google will have to archive data and establish a representative office in Vietnam.

The Ministry of Public Security has released the draft decree detailing some articles of the Law on Cyber ​​Security to gather comments from November 2 to December 2.

One of the notable contents of the draft is the provision that data pertaining to Vietnamese users must be archived in Vietnam (Article 24).

The personal information of Vietnamese users includes their full name, date and place of birth, nationality, occupation, title, place of residence, email address, telephone number, identity card number, personal identification number (instead of family register number), citizenship number, passport number, social security card number, credit card number, health status, medical records, and biometric data.

Data provided by users in Vietnam can be created by uploading, syncing or importing information from any kind of device. Data on the users’ relations in Vietnam need to store include: friends, groups that users connect or interact.

In addition, the draft decree also stipulates that enterprises must archive data and set up branches or representative offices in Vietnam (Article 25).

The companies subject to the law are domestic and foreign companies providing services to customers in Vietnam over telecom networks or the internet, such as: telecommunications services; hosting services, sharing data on cyberspace; providing national or international domain names to service users in Vietnam; ecommerce; online payment; intermediary payment; transport services conducted via cyberspace; social networking and social media; online video games; and email. Besides, a series of special enterprises will be tasked by the government to gather, exploit, analyse, and process data of kinds stipulated in Article 24 of this decree.

Further clarity on issues such as the duration of storing users’ data and restrictions on the cross-border transfer of data may be provided through subsequent decrees and circulars.

In addition, the draft also regulates the duration of data storage. Accordingly, the time users’ information is stored depends on the operation time of the business or until the service is no longer available, but at least 12 months.

The data generated by users in Vietnam, including uploading, synchronisation or input from equipment or data on the relations of users in Vietnam, including friends and groups that users connect or interact with, must be archived within 36 months.

Within 12 months from the requirement date of the Minister of Public Security, enterprises must archive data, set up branches or representative offices in Vietnam.

Illegal content and acts

Illegal content under the Law on Cyber Security is mainly addressed in the following articles:

• Article 8: Prohibited acts such as inciting people against the state, distorting history, gender discrimination, religious offenses, racism, posting untruthful information, and human trafficking. In addition, it includes network terrorism, cybercrimes, and network attacks on information systems critical to national security;
• Article 16: Prevention and handling of information in cyberspace that are used for propaganda against the Socialist Republic of Vietnam, instigating violent disturbances, disrupt security or disturb public order, are embarrassing or slanderous, or are in violation of the economic management order;
• Article 17: Prevention of and fighting against cyberespionage, protection of state secrets, work secrets, trade secrets, personal secrets, family secrets, and private life on cyberspace;
• Article 18: Prevention and handling of uses of cyberspace, information technology or electronic means in violation of legislation on national security, public safety and order;
• Article 29: Protection of children on cyberspace.

The government believes that this law is necessary for national security and the protection of citizens, as Vietnam lacks a legal framework for cybersecurity issues.

The full reaction of international companies operating in the field is yet to be seen. The draft decree, if adopted, will take effect from January 1, 2019.