ICT Update: Vietnam's National Assembly Passes Law on Cybersecurity

ICT Update | June 13, 2018
Authors: Matt Solomon, Ella Duangkaew, Ryan DelGaudio

On June 12, Vietnam’s National Assembly passed its controversial Law on Cybersecurity with an 86% majority. The approved version (Draft 18) includes slight revisions to the provisions specifying what types of enterprises will be required to store user data within Vietnam. For more information, view the Council’s June 11 update here. The Vietnamese Government will need to issue a unilateral decree for its implementation, which may take six to eight months to draft and finalize, before the Law comes into effect on January 1, 2019.

For the past 10 months, the US-ASEAN Business Council and its partner associations have undertaken a targeted advocacy campaign to address the potential negative impacts of the Law. Draft 18 (found here in English; this document does not include the most recent changes, and is not the final version) contains provisions that criminalize a variety of potentially unintended and non-malicious actions, expand content restrictions, transfer the onus of policing Vietnamese cyberspace violations to corporations and web platforms, and further broaden data localization requirements for foreign and domestic businesses. The Council drafted five formal submissions to the Ministry of Public Security, the National Assembly, and other key governmental stakeholders (please click here to access the Council’s submissions).

Despite the Law’s passing, the business community’s engagement has contributed to heightened domestic and international interest in the impact of the legislation for multiple stakeholders, demonstrated by position papers from local ICT associations, the Vietnam Chamber of Commerce and Industry, and several non-governmental organizations. These advocacy efforts, paired with large domestic protests over the weekend, resulted in the Ministry of Public Security promising greater transparency and clarity in drafting the law’s implementing decree.

The Council plans to continue its multifaceted engagement with the Government of Vietnam over the course of the Law’s implementation, and will continue to seek clarity on the Law’s vague provisions. For example, Article 26 mandates that data must be stored locally, but does not specify that data cannot be stored outside of Vietnam. The clause may then be interpreted as requiring companies to maintain the availability of data in Vietnam for a duration to be specified by the government. Indeed, the vague wording of certain provisions leaves significant room for the Council and the Government of Vietnam to negotiate implementing regulations that minimize the burden placed on businesses operating in Vietnam and mitigate other potential impacts. Please contact Ella Duangkaew (eduangkaew@usasean.org) and Matt Solomon (msolomon@usasean.org) with any questions.