Vietnam’s Ministry of Public Security (MPS) has stated that data localisation requirements of the Law on Cybersecurity will be narrowed, reported The Business Times last week. The Law on Cybersecurity came into effect on January 1, 2019, and there were concerns among foreign and Vietnamese enterprises that they would be caught under the law’s data localisation requirements despite not having a physical presence in Vietnam.

Vietnam’s relevant provision on data localisation requires domestic and overseas telecom services providers, internet services providers, and value-added service providers in cyberspace who collect, analyse or process private data, to retain such data for a period of time specified by the Vietnamese government. These providers would also need to establish a representative office or a branch in Vietnam. These provisions are under legal guidance and there is still uncertainty as to how wide the state has intended to apply the provision.

What the government plans to change

Based on the recent discussion with the Ministry of Public Security, the government has proposed that only the companies which meet the following conditions would have to meet the requirement:

  • The company provides services on telecommunication networks, the internet or other cyberspace.
  • It collects, analyses or processes data on personal information, data generated by users in Vietnam.
  • It also applies to the companies which have been notified that its provider service has been used to commit violations of Vietnamese law but the company-
    • has not taken measures to handle violations.
    • resists, obstructs or fails to comply with requests of the relevant authorities in cooperating to investigate and handle such violation
    • neutralises and disables the effect of cybersecurity protection measures taken by the government.

Criticisms of Vietnam’s Law on Cybersecurity

  • Amnesty International had criticised Vietnam’s cybersecurity law stating that it could possibly stifle free speech for Vietnamese internet users as the companies might be forced to hand over large amounts of private information to the government, reported Al Jazeera.
  • The Asian Internet Coalition (AIC), which counts Google, Twitter, Apple, and Facebook among its members, had raised concerns over the law.