Hefty changes wrought by new Law on Cybersecurity

January 26, 2019 | 15:00
Vietnam’s newly-effective Law on Cybersecurity provides for a far-reaching scope of targets, defined as “enterprises providing services on telecommunication networks, Internet, value-added services in the cyberspace”. It may be understood that social network and web companies like Facebook and Google may be obliged to comply with this new law. Vaibhav Saxena, legal consultant of Vietnam International Law Firm, provides a deep analysis of the possible impacts on business and investors.
Vaibhav Saxena

The Cybersecurity Department of the Ministry of Public Security (MPS) reported that 35 of the total 2,769 websites/web portals placed under the control of state authorities have been attacked, had their contents modified, and control seized during the first six months of 2018.

Accordingly, the Vietnamese government has promulgated the Law on Cybersecurity for the protection of national security and public order in the cyberspace to fill a gaping hole in the country’s legal framework, covering cyberattacks and the security of citizens’ online data.

Implementation of the law

This law strictly prohibits conduct that uses IT and electronic media as a means to breach the laws on national security, social order, and public safety, as well as other illegal acts comprising cyberattacks, cybercrime, and crimes committed using an online platform, for example distorting historical information, insulting/defaming national heroes, public figures, and religions or violating the laws of Vietnam, among others.

The infringement of information classified as belonging to information systems that are crucial to the national security and governed under exclusive regulations is also on the list of banned acts. Depending on the level and seriousness of the breach of the law, punitive actions shall be taken accordingly, including disciplinary procedures, penalties for administrative offences, and criminal prosecutions.

General implementation methods include examinations, inspections, and auditing information systems by the authorised parties (mainly being the MPS and information system administrators) to discover signs of cyberattacks, cyberterrorism, and other breaches of the law.

The MPS shall have utmost authoritative power among relevant actors to exercise the state administration of the Law on Cybersecurity, to conduct investigations and inspections where necessary, and to deal with violations of the provisions under the Law on Cybersecurity, together with the Ministry of Defense and a number of other authorities.

Notwithstanding the specified division of information and preventive measures, the law currently lacks criteria to determine if any particular information is indeed “untruthful,” “subversive,” or “opposed to the state.”

Due to the lack of specific statutory authority to deal with such matters, the existing framework is interpreted to empower the MPS to inspect in case of any unusual cyber act.

The Law on Cybersecurity provides for a far-reaching scope of targets, defined as “enterprises providing services on telecommunication networks, internet, value-added services in the cyberspace.” It may be understood that so-called service providers consist only of those operating and providing services on the basis of personal information/service users’ relations using telecommunication networks, for instance social network and web companies like Facebook and Google, which may be obliged to comply with this new law.

Enterprises collecting information directly from their clients and using telecommunication networks solely as a channel to trade products (for example internet banking) are not supposed to be among the governed subjects. However, crucial provisions and difficulties in exact interpretation mean that the provisions of the law may be taken as related and may be applied jointly.

The law requests that information systems other than those crucial for national security be subject to inspection and supervision as well. Two scenarios are provided: (a) When there is a breach of the law on cybersecurity infringing national security or materially affecting social order and safety; (b) When there is a request from the information system administrator.

“Information system administrator” is defined as an agency, organisation or individual competent to directly manage an information system. While it should be interpreted to mean the person in charge of managing the information system, for example the CEO of the company that is in charge, this provision still creates ambiguity as the MPS is somehow considered to be the body overseeing all information systems.

The law also stipulates that enterprises must authenticate information when a user registers a digital account, and provide user information to the Cybersecurity Task Force if so requested in writing to assist any investigation.

Similarly, upon request by the Cybersecurity Task Force or by a competent authority under the Ministry of Information and Communications, enterprises must stop the sharing of or delete information with content in breach of the law and cease the supply of services to those who uploaded/posted such information.

Enterprises must also save/maintain system logs in order to support the investigation and deal with breaches of the Law on Cybersecurity within a specified period to be stipulated by the government.

Domestic and foreign service providers doing business in telecom networks, Internet services, and other value added services in the cyberspace in Vietnam (cyberspace service providers) carrying out activities in relation to collecting, using, analysing, and processing data classified as personal information, data about service users’ relationships, and data generated by the service users in Vietnam must store such data in Vietnam for a specified period to be stipulated by the government.

Practical issues

Promulgation and enforcement of the law is a complicated process and requires several aspects to be considered during drafting to ensure its rightful applicability. At present, a number of challenges may be identified.

First of all, there is the requirement to keep system logs in Vietnam as well as retain data in the country. This will be hard for multinational companies that belong to the “service providers” group, as they operate across many countries and store client and transaction data in data centres located in only a few countries. If these companies must store data exclusively in Vietnam, this will incur tremendous costs and changes to their otherwise normal operations.

Also, transferring data across borders is crucial to the financial service industry to: (i) provide core products and services to customers, (ii) manage risks on a holistic basis across affiliates and borders, and (iii) comply with the financial regulatory requirements in various jurisdictions, including KYC and AML regulations. The prevention of data transfer (to keep information within Vietnam only) is likely to hamper the business of said enterprises.

Additionally, enterprises are obliged to provide user data to the authorities when requested. This, in turn, obviously causes service providers to lose customers and profit as consumers will more likely opt out of using such services in fear of having their personal information scrutinised and collected or used for other purposes.

Enterprises, especially startups and small- and medium-sized enterprises (SMEs), will apparently suffer from more cost burdens and changes to facilities in order to abide by the law, in particular to set up a physical office in Vietnam just to do business in the country.

These issues would have unfavourable impacts and also erect barriers to the negotiation and the adoption of multilateral trade agreements that promote trade liberalisation and minimise technical barriers to trade. With regard to imposing data localisation and local presence requirements, the Law on Cybersecurity seems to deviate from Vietnam’s commitments under the Agreement on Trade in Services (GATS) and may possibly be questioned by the World Trade Organization.

On the one hand, the promulgation of the law may affect some interests that the member countries of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) benefit from and may result in difficulties for international companies depending on the free flow of data across borders.

It could be seen that to facilitate digital trade, the CPTPP encourages its members to promote paperless trading between businesses and the government, such as customs forms being put in electronic format, as well as providing for electronic authentication and signatures for commercial transactions.

However, Vietnam’s restrictions on data storage and data flow shall lead to numerous obstacles with regards to data localisation and the cross-border transfer of data.

On the other hand, it may increase the challenges to the ratification of the EU-Vietnam Free Trade Agreement.

As we are currently waiting for further guidance for the enforcement and execution of this law, the addressed problems pose significant concerns and insecurities to all targets of the law, but implementation of this law is yet to be witnessed to clarify the intent for such a policy.
