On June 12, 2018, Vietnam's National Assembly passed the contentious Law on Cybersecurity ("Law"), which will go into effect on January 1, 2019. The Law has hallmarks similar to China's Cybersecurity Law that took effect in 2017. The Law, however, contains a number of even broader provisions that may adversely impact foreign businesses operating in Vietnam. These provisions include the following.
Content and User Control and Monitoring
The Law introduces prohibitions on the use of cyberspace to conduct any activity that could disrupt national security or public order or adversely impact the reputation of any organization or individual. Telecoms and internet service providers are required to enforce and monitor these prohibitions.
Critical Information Systems Requirements
Operators of Information Systems Critical to National Security ("CIS") will have data localization and other broad obligations with respect to the management of their CIS and related data. CIS sectors include defense, national security, government, news media and national information systems for the economic, energy, finance, banking and transportation, chemical, health, cultural, national resources, and environment sectors.
Localization Requirements
Foreign companies providing telecommunications or internet services in Vietnam must:
- Establish offices in Vietnam;
- Store the personal information of Vietnamese users and "other important data" in Vietnam and perform a security assessment prior to any cross-border data transfer; and
- Bring their technology products involving cyber services into compliance with "quality assurance" standards before they can be released to the market.
There has been widespread international concern over the Law. The U.S. Embassy in Vietnam issued a statement on June 8, 2018, indicating that the draft legislation "may present serious obstacles to Vietnam's cybersecurity and digital innovation future, and may not be consistent with Vietnam's international trade commitments." Currently, there are no regulations relating to implementation of the Law, and many concepts remain undefined. Companies with operations in, or that deal with, Vietnam should continue to monitor developments closely.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.