Vietnam

Cybersecurity in Vietnam

The latest current Law on Cybersecurity of 2018 applies strict network security protection regulations, along with rules for handling violations in order to improve order maintenance and network security protection. The goal being to create a healthy and safe cyberspace for Vietnamese citizens.

What is the Cybersecurity Law of 2018?

The Cybersecurity Law of 2018 consists of 7 chapters with 43 articles of law that strictly regulate national security protection activities. These are the responsibility of the relevant agencies, individuals and organizations that ensure the safety and security of society on cyberspace.

When did the Cybersecurity Law of 2018 take effect?

On June 12, 2018, after receiving 87% of votes from the National Assembly deputies, the Law on Cybersecurity of 2018 was passed and officially took effect on January 1, 2019.

Highlights of the Law on Cybersecurity of 2018

Some highlights of the 2018 Cybersecurity Law include:

It is strictly forbidden to post false information

According to Article 8 of this Law, the following acts are strictly prohibited in the network environment:

  • Acts of violation of the law on national security, social order and safety specified in Article 18.1 of this Law;
  • Organizing, operating, colluding, instigating, bribing, deceiving, enticing, and training people against the State of the Socialist Republic of Vietnam;
  • Distorting history, denying revolutionary achievements, undermining the great national unity bloc, insulting religion, discriminating based upon gender or race;
  • Disseminating false information that causes confusion among the people, causes damage to socio-economic activities, causes difficulties for the operation of state agencies or those that perform official duties, infringes upon the legitimate rights and interests of the people, or the laws of other agencies, organizations and individuals;
  • Engaging in prostitution, social evils, or human trafficking; the posting of lewd, depraved, or criminal information; undermining the nation’s fine customs and traditions, social morality or the health of the community;
  • Instigating, enticing, or inciting others to commit crimes

Foreign enterprises must store user data in Vietnam

According to Article 26.3 of the 2018 Cybersecurity Law:

  • Domestic and foreign enterprises providing services on telecommunications networks, the Internet, and additional services in cyberspace in Vietnam that collect, analyze and process data concerning personal information, the relationship of service users, and data which is created by service users in Vietnam, must store this data in Vietnam for the period prescribed by the Government;
  • Additionally, foreign enterprises must set up representative offices or branches in Vietnam.

Network services must be halted at the request of the authorities

Should there be a request from the Ministry of Information and Communications or the Cybersecurity Protection Force under the Ministry of Public Security, domestic and foreign businesses must cease providing value-added services on cyberspace, the Internet, and telecommunications networks for organizations or individuals that have posted the information specified in Clauses 1 to 5, Article 16 of this Law.

Enterprises must provide user information for investigation

Domestic and foreign enterprises providing services on telecommunications networks, the internet, and value-added services in cyberspace must be responsible for authenticating users’ information when registering for digital accounts and keeping user information and accounts secure as prescribed.

In particular, enterprises must be prepared to provide all user information to the Cybersecurity Protection Force of the Ministry of Public Security (when required) to support in the investigation and handling process for acts violating the law on network security.

Any offending information online must be removed within 24 hours

When users post or share prohibited information, businesses must prevent the sharing and delete all infringing information within 24 hours – of receiving a request from the Ministry of Industry and Trade, Information and Communication or Cybersecurity Protection Force under the Ministry of Public Security.

In addition, businesses are required to maintain user logs on the system for a specified time to assist with the investigation and handling of violations of the law on network security.

Children on cyberspace must be protected

Article 29 of the 2018 Cybersecurity Law, which is considered an extremely humane regulation, provides that:

  • Children have the right to be protected, to access information, to participate in social activities, to have fun and to be entertained, and to maintain their personal privacy and other rights when participating on cyberspace;
  • Owners of information systems, service providers on telecommunications networks, the Internet, and value-added services on cyberspace are responsible for controlling content on the information system or on services provided by the Internet. Enterprises must avoid causing harm to children or infringing upon children’s rights. They must also prevent sharing and delete information with content harmful to children, that infringe upon children’s rights, as well as promptly notifying and coordinating with the specialized cyber security force under the Ministry of Public Security for handling;
  • Agencies, organizations and individuals participating in activities on cyberspace are responsible for coordinating with the competent agencies in protecting children’s rights on cyberspace, and stopping information with content harmful to children in accordance with this Law and the laws on children;
  • Agencies, organizations, parents, teachers, caregivers and other relevant individuals have the responsibility to ensure the rights of children and to protect children when participating on cyberspace as prescribed by the laws on children;
  • The specialized cybersecurity protection force and functional agencies are responsible for applying measures to prevent, detect, stop and strictly process cyberspace violations that are harmful to children or infringe upon them or their rights.

“Eavesdropping” on conversations is cyber espionage

According to Article 17 of the 2018 Cybersecurity Law, the following acts are considered cyber espionage:

  • Appropriating, buying, selling, seizing, or intentionally disclosing information considered to be state secrets, work secrets, business secrets, personal secrets, family secrets and private information which action affects the honor, prestige, dignity, or lawful rights and interests of agencies, organizations and individuals;
  • Deliberately deleting, damaging, losing, or altering information that is a state secret, work secret, business secret, personal secret, family secret or private information which is transmitted and stored on cyberspace;
  • Deliberately altering, canceling or disabling technical measures developed and applied to protect state secrets, work secrets, business secrets, personal secrets, family secrets or private information;
  • Posting on cyberspace state secrets, work secrets, business secrets, personal secrets, family secrets and private information in contravention to the law;
  • Deliberately listening to or illegally recording conversations;
  • Other acts which intentionally infringe upon state secrets, work secrets, business secrets, personal secrets, family secrets and private information.

Encourage organizations and individuals to participate in the dissemination of cybersecurity knowledge

The State endeavors to encourage agencies, organizations and individuals to implement educational programs and popularizing cybersecurity policies to raise awareness of cybersecurity throughout the country.

Simultaneously, ministries, branches, agencies and organizations must implement educational activities and disseminate knowledge about cybersecurity for cadres, civil servants, organizations and agencies within the Ministry.

The Provincial People’s Committees must disseminate knowledge about the 2018 Cybersecurity Law to local agencies, organizations and individuals.

Answering Questions about the Cybersecurity Law of 2018

How does the 2018 Cybersecurity Law protect human rights?

Reviewing the provisions of the Cybersecurity Law of 2018, it can be seen that the law protects six fundamental human rights: (i) the right to life and the right to personal freedom; (ii) the right of equality before the law and to protection under the law; (iii) the right not to have one’s privacy, family, home or correspondence interfered with; (iv) the right not to have one’s honor or reputation infringed upon; (v) a citizen’s right to freedom of thought, belief and religion; and (vi) a citizen’s right to freedom of speech and expression.

How will violations of the provisions of the Law on Cybersecurity of 2018 be handled?

According to Article 9 of the 2018 Cybersecurity Law, in cases where the cybersecurity law has been violated, punishment will depend on the severity and nature of the violation. Violators will be disciplined and administratively sanctioned (and be required to provide compensation if causing damage) or be examined for penal liability in accordance with law.

What are the responsibilities of agencies, organizations and individuals using cyberspace?

According to Article 42 of the 2018 Law on Cybersecurity, agencies, organizations and individuals using cyberspace are responsible for:

  • Complying with the provisions of the law on network security;
  • Timely providing information related to network security protection, network security threats, and acts infringing upon network security to the competent agencies and network security protection forces;
  • Complying with requests and instructions of the competent authorities protecting network security; assist and create conditions for agencies, organizations and responsible persons to take measures to protect network security.

What measures do network security protection measures include?

According to Article 5 of the 2018 Cybersecurity Law, measures to protect network security include the following:

  • Network security assessment;
  • Assessment of network security conditions;
  • Checking network security;
  • Monitoring network security;
  • Responding to and resolving network security incidents;
  • Fighting to protect network security;
  • Using cryptography to protect network information;
  • Preventing or requesting to suspend the supply of network information; prohibiting or temporarily suspending the activities of setting up, providing and using telecommunications networks or the Internet as well as forbidding the manufacture and use of radio transmitters and receivers in accordance with the law;
  • Requesting deletion or granting access to delete illegal information or false information on cyberspace that infringes upon national security, social order and safety, and the lawful rights and interests of agencies, organizations and individuals;
  • Collecting electronic data related to activities that infringe upon national security, social order and safety, and the legitimate rights and interests of agencies, organizations and individuals on cyberspace;
  • Blocking or restricting the operation of the information system; temporarily suspending or requesting to halt the operation of the information system, or revoking domain names in accordance with the law;
  • Prosecuting, investigating, and adjudicating according to the provisions of the Criminal Procedure Code;

Other measures as prescribed by the law on national security and the law applicable to administrative violations. This article contains legal knowledge and technical terms. Readers who have questions or need to discuss expertise related to the regulations on implementing Vietnam’s cybersecurity law, please contact our lawyers at info@letranlaw.com.

 

Author:

Stephen Le Le & Tran Lawyers Vietnam IHC

Stephen Le

Tags: Cybersecurity, Vietnam Cybersecurity law
Related Articles by Firm
Related Articles
IHC Magazine: Dec 2024 issue with Counsel of the Year Awards 2024 and focus on Dispute Resolution
In this issue, we celebrate the IHC Counsel of the Year Awards, featuring insights from winning teams, delve into the future of dispute resolution with insights from in-house counsel, and sit down with Ben Bury, General Counsel of Gammon Construction, ...
Related Articles by Jurisdiction
Latest Articles
IHC Magazine: Dec 2024 issue with Counsel of the Year Awards 2024 and focus on Dispute Resolution
In this issue, we celebrate the IHC Counsel of the Year Awards, featuring insights from winning teams, delve into the future of dispute resolution with insights from in-house counsel, and sit down with Ben Bury, General Counsel of Gammon Construction, ...