On January 1, 2019, Vietnam’s new cybersecurity law went into effect. Under this law, foreign companies with clients or customers in Vietnam are subject to a data localization requirement and cybersecurity audits. While the law has not been officially published, a copy of the passed draft has been released by VnEconomy (the electronic version of Vietnam Economic Times). The English translation of the draft decree is available on Jurist.
Most of the commentary on the covered entities has focused on the providers of social networks and other technology giants. However, the broad language of the law potentially captures a much wider range of business activities. According to the draft decree, the law appears to cover “any domestic or foreign enterprise which provides services on telecom network, on the internet, or added services in cybersecurity in Vietnam and which also collects, processes, exploits or analyzes personal data on users, data created by users in Vietnam or data about user relationships.” However, there is no clear definition of “provide service” and “collect data” under the law. Therefore, the law potentially covers any U.S service providers in Vietnam, including social media services (e.g., Facebook, Youtube), tech companies (e.g. Uber, Airbnb), banks which provide online service, and even the online gaming industry.
Companies covered by the law face onerous obligations under the new law. Article 26.3 requires covered entities to store data and have branches or representative offices in Vietnam. Data required to be stored in Vietnam includes data on personal information of service users in Vietnam, data generated by service users in Vietnam, and data about the relationships of service users in Vietnam. Data on user’s personal information must be stored in Vietnam during the lifetime of the covered entity as long as the covered entity operates its service in Vietnam. Data uploaded by users and data about user relationships must be stored for at least 36 months, and system logs must be stored for at least 12 months. Article 26.2 requires covered entities to comply with any government request to delete data Vietnam deems illegal and to cooperate with the authorities to provide information about their users when such a user is investigated or deemed to be in breach of the law. The law identifies various categories of illegal data, most of which are forms of criticism against the Vietnamese government, embarrassing or slanderous language, or violations of national security. The illegal content should be removed within 24 hours of receiving notification from the government.
Major concerns about the law include compliance risks and costs, freedom of speech, and free trade. First, the covered entities are worried about huge costs and risks related to the data localization requirement. It is not clear how the Vietnamese government would enforce this localization requirement. Will the companies be required to store their data in a government designated third party? If it is the case, how safe will such Vietnam local service providers will keep the foreign companies’ data? What kind of business presence can be regarded as a branch or office in Vietnam? How many employees should be located there? Those answers are all unclear.
Second, the law risks violating Vietnam’s international trade commitments. Vietnam has signed up to international trade rules such as the 11-Country Comprehensive and Progressive Agreement for Trans-Pacific Partnership (TPP-11). Several of Vietnam’s trading partners within TPP-11, including Australia, New Zealand, and Japan, have publicly criticized the new law’s localization requirement.
Third, Vietnamese dissidents, human rights activists, and bloggers are protesting the law. Human Rights Watch criticized the law as an abuse of internet users’ right to privacy. The overly-broad blanket approach to data localization and audit will have serious consequences for economic growth, investor confidence and opportunities for local businesses.
Vietnam’s new cybersecurity law has created ripple effects throughout the Asian-Pacific. In January, Vietnam’s Ministry of Information and Communications (MIC) accused Facebook of violating the new cybersecurity law by allowing users to post slanderous and anti-government posts and refusing to hand over information on offending accounts. On May 22, 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act). The Draft Act means that companies doing business in Thailand or handling the data of Thai citizens will need to apply a stricter requirement to the use of personal data. In July 2018, the Indian government recommended that “all critical personal data” should be processed in India and presented a draft bill potentially following Vietnam’s data localization trend.