A new Law on Cybersecurity (Luật an ninh mạng) (the CSL 2018) will come into effect from 1 January 2019 in Vietnam. Besides providing measures to secure the cyber-environment, which to some extent has been regulated by the Law on Cyber-information Safety dated 19 November 2015, the CSL 2018 also includes various provisions to control the contents posted or published on the cyber-network. Below are some salient issues of the CSL 2018.
Scope of the CSL 2018
The CSL 2018 applies to all agencies, organizations and individuals involved in the protection of cybersecurity, which is broadly defined as the assurance that activities in cyberspace do not cause harm to national security, social order and safety, or the lawful rights and interests of agencies, organizations and individuals. In particular, the CSL 2018 will apply to overseas organisations that have users residing in Vietnam, such as Google or Facebook.
The CSL 2018 covers all networks of IT infrastructure, telecommunication, Internet, computer systems, databases, information processing, storage and controlling systems, and regulates activities of every enterprise providing services in cyberspace and Internet users including e-commerce, websites, online forums, social networking and blogs.
Operators of information systems (Chủ quản hệ thống thông tin)
The CSL 2018 imposes various obligations on an operator of an information system. Under the Law on Cyber-information Safety, an operator of an information system means any agency, organization or individual having direct management authority over an information system.
Critical Information Systems and Non-critical Information Systems
The CSL 2018 categorizes information systems into (i) the information systems critical to national security (Critical Information Systems) and (ii) those not falling under the Critical Information Systems (Non-critical Information Systems).
Critical Information Systems are generally defined as the information systems which, if subject to an incident, infiltration, hijacking or operational control, distortion, interruption, stoppage, paralysis, attack or destruction, will seriously compromise cybersecurity. It appears that the list of Critical Information Systems under the CSL 2018 is broader than that already prescribed under Decision 632 of the Prime Minister dated 10 May 2017 (Decision 632). Currently, Decision 632 covers telecommunication areas and the information networks within the Communist Party’s and governmental agencies of which the Ministry of Information and Communication (the MIC) or the Government Office is the administrator (chủ quản). The Critical Information Systems now include, inter alia, the information systems in the areas of energy, finance, banking, telecommunication, transportation, natural resources and environment, chemicals, healthcare, culture, and press. Probably, Decision 632 could be supplemented with more areas critical to national security and with the involvement of relevant ministries other than the MIC.
Non-critical Information Systems, though not defined clearly, should be any information systems administered by private organizations and enterprises.
Prohibited acts on cyberspace
The CSL 2018 prohibits using cyberspace to conduct any of the following acts:
- Using cyberspace, IT and electronic media in order to breach the laws on national security, social order and safety;
- Organizing, activating, colluding, instigating, bribing, cheating or tricking, manipulating, training or drilling people to oppose the State of the Socialist Republic of Vietnam;
- Distorting history, denying revolutionary achievements, destroying the national solidarity block, conducting offences against religion, gender discrimination or racist acts;
- Providing false information, causing confusion among the citizens, causing harm to socioeconomic activities, causing difficulties for the operation of State agencies or of people performing public duties, or infringing the lawful rights and interests of other agencies, organizations and individuals;
- Activities being prostitution, social evils or human trafficking; publishing information which is lewd, depraved or criminal; or destroying the fine traditions and customs of the people, social ethics or health of the community; and
- Inciting, enticing or activating other people to commit crime.
One can see that the list of prohibitions is quite general and vague (e.g. distorting history or rejecting revolutionary achievement), allowing the authorities substantial discretion.
Data localization requirement
“Personal information”, “data of relations of services users” and “data created by service users” in Vietnam that are collected, analyzed or processed by either domestic or foreign enterprises providing services in the telecommunication network, internet and value-added services in cyberspace in Vietnam must be stored in Vietnam. In addition, foreign enterprises having these activities have to set up representative offices or branches in Vietnam.
Currently many foreign companies are supplying services to users in Vietnam on a cross-border basis. To comply with these requirements, foreign companies would probably have to increase their costs for setting up and maintaining storage equipment in Vietnam.
Supervision of Critical Information Systems
Critical Information Systems are subject to assessment by the competent authorities and can only be put into operation after being certified as satisfying cyber-security conditions. Critical Information Systems may be inspected on a regular basis or upon the occurrence of an event specified under this law. The operators of the Critical Information Systems are responsible for supervising the systems, formulating mechanisms for automatic warnings and receipt of warnings of threats to cyber-security, and making plans to deal with those situations.
Supervision of Non-critical Information Systems
Non-critical Information Systems may be put under a cyber-security inspection by the Cybersecurity Task Force when there is a violation of cybersecurity law infringing national security or causing serious damage to social order and safety. The Cybersecurity Task Force may conduct the examination after delivering a written notice at least 12 hours before the examination to the administrator of a Non-critical Information System. The components subject to an examination include software, hardware, digital equipment; data stored, processed and transferred within the system; and State secret protection methods.
That said, the CSL 2018 does not set out a clear basis and procedures to determine whether there is a violation of the CSL 2018. For example, the CSL 2018 prohibits using cyberspace for distorting history, denying revolutionary achievements, destroying the national solidarity block, conducting offences against religion, gender discrimination or racist acts. It would be difficult and arguable to determine an act as distorting history and thus violating that provision. As such, the provisions may create uncertainty for enterprises that provide services in cyberspace and hold customers’ data during their provision of services.
Service providers in cyberspace in Vietnam have to comply with many requirements to monitor content uploaded and disseminated in cyberspace:
- All websites, portals or specialized pages on social networks of agencies, organizations and individuals must not provide, upload or transmit information which contains propaganda against the State, incites riots, disrupts security or causes public disorder, causes embarrassment, is slanderous or violates economic management orders (prohibited content);
- To verify users’ account registration and to provide users’ information when receiving written requests from the competent authorities of cyber security;
- To prevent the sharing of information and delete prohibited content within 24 hours upon receiving a request by the Cyber-security Task Force or the MIC, and to archive the relevant system log (nhật ký hệ thống) for investigation purposes; and
- To cease the provision of service to organizations and individuals who upload prohibited information.
It could be very difficult and costly for a network administrator to determine and filter the prohibited content, as some of it is ambiguous. For example, the CSL 2018 defines the information being propaganda against the State to comprise content (i) distorting or defaming the people’s administrative authorities; (ii) initiating psychological warfare, inciting invasive war, causing division or hatred between ethnic groups, religions and people of all countries; and (iii) insulting people, the national flag, national emblem, national anthem, great men, leaders, famous people or national heroes. When reading these restrictions, one may be confused, for example:
- who are considered as “great men”, leaders, famous people or national heroes?
- can new public research with a different viewpoint about the achievements of a “national hero” be considered as insulting the “national hero”?
- can this regulation deprive people of the right to criticize the leadership and governance of an administrative system or certain officials of that system?
Specialized forces responsible for enforcing the CSL 2018 (Cybersecurity Task Forces) will be appointed under the Ministry of Public Security and the Ministry of National Defense. The Cybersecurity Task Forces have broad power under the CSL 2018 with limited oversight. For example, the Cybersecurity Task Forces are not required to follow procedures similar to those under the Criminal Proceeding Codes for conducting inspection of an information system or collecting user data and are not required to keep confidential the information that they are collecting.
Under the CSL 2018, consequences of violating the laws on cybersecurity may take the form of disciplinary, administrative or criminal responsibility. In the case of a commercial legal entity, when considering whether criminal responsibility is applicable for its violation of the CSL 2018, the entity should determine whether such violation falls under the scope of crimes applicable to commercial legal entities under the new Criminal Code 2015.
The requirements of the CSL 2018 could increase expenses and compliance responsibilities for service providers and pose a dilemma for them between compliance and customer data protection. Many requirements under the CSL 2018 will be subject to further guidance of the Government. Therefore, affected organizations and individuals should keep following the instruments guiding this law.
This post is contributed by Nguyen Bich Ngoc, an associate at Venture North Law.