Vietnamese Government to reinforce cybersecurity, online IP protection, and regulate cloud computing services
- To better address current issues with the Internet today, the Vietnamese Government issued a draft decree amending Decree 72 for public consultation this month (“Draft Amendment”), following a draft outline of the Draft Amendment published last year.
- The Draft Amendment requires the providers of data center services, including cloud computing offerings to now obtain a business license and set out rights and obligations of such providers and their customers.
- The Draft Amendment supplements several obligations imposed on cross-border information providers. This includes the storage of data, set up of branch or representative office in Vietnam according to Cybersecurity Law, and the handling of requests for temporarily locking/removal of illegal contents, including those infringing intellectual property rights upon users’ requests.
Decree No. 72/2013/ND-CP dated 15 July 2013 (“Decree 72”) on Internet services and online information has been one of key legal instruments in the realm of cyberspace, with some coining the decree as “Vietnam Internet Decree”. Despite the amendments made to Decree 72 in 2018, it appeared that many notable issues of the Internet today were still not addressed.
Government oversight of these services has become inevitable .The growing influence of foreign Internet service providers has also certainly played a critical role in pressuring Vietnam’s Government to address these issues quickly. In addition, Vietnam’s data center market is booming and projected to reach US$ 1641 million by 2025 due to the general shift of enterprises to cloud platforms and the growing embrace of IoT, big data and cloud-based solutions.
Last year, Vietnam’s Government issued a draft outline of a decree amending Decree 72, and on 5 July 2021 the draft decree was published. The Draft Amendment is now under public consultation with the phase looking to complete by 5 September 2021.
This article will focus on the proposed provisions on obligations of cross-border information providers and data center services.
Obligations of Cross-Border Information Providers
Current legislation requires organisations and individuals involved in cross-border provision of information via digital platforms (e.g. websites, social networking sites, online applications, search engines) to (1) provide the Ministry of Information and Communications (“MIC”) with their contact information, including name, address, and local contact point, and (2) collaborate with MIC to take down or block access to illegal content on their platforms. These requirements are imposed on those who (i) rent digital information storage facilities in Vietnam, or (ii) are used or accessed by at least one million monthly internet users in Vietnam. The Draft Amendment has proposed to expand the reach of criteria (2) to those who have 100 thousand monthly unique visitors and to impose the following additional obligations of cross-border information providers:
- Block access to illegal services (apart from illegal information) per MIC’s request;
- Enter into content cooperation agreement with the Vietnamese press when providing information cited from the local media on the basis of copyright regulations;
- Store data and set up a branch or representative office in Vietnam according to Cybersecurity Law and its guiding regulations;
- Establish a department dedicated to receiving, processing and responding to requests from competent authorities in accordance with Vietnamese law, and resolve and respond to complaints from Vietnamese users;
- Handle Vietnamese users’ complaints within 24 hours from receipt of the complaints; temporarily lock or remove the complained content that affects the lawful rights and interests of others if the complaint is valid, and notify the uploader of the reasons for the locking/ removal and email address of the complainant (if any);
- Allow only accounts, community pages, and content channels in Vietnam that have notified contact information to MIC to livestream and participate in revenue-generating services in any form, in case of cross-border information provision via social networking sites;
- Publicise policies and procedures to support customers in handling network safety and security issues in a concise, clear, visible and perceivable manner; and
- Submit an annual report by 31 December or an ad-hoc report on cross-border information provision activities upon request of MIC (Department of Radio, Television and Electronic Information).
The content of the above-mentioned annual/ad-hoc report to MIC is required to cover, among others, the number of user accounts and unique visitors, revenue in Vietnam, Vietnamese users’ complaints that have been handled, number of illegal contents that have been handled, and contact information upon the time of report.
Notably, the Draft Amendment has proposed that upon MIC’s request, cross-border information providers must establish a mechanism able to take down/restrict content and temporarily lock/remove upon Vietnamese users’ requests in relation to these two types of illegal contents: 
- Information affecting the normal physical and mental development of children;
- Information infringing upon the intellectual property rights of others.
If enacted, this provision under the Amended Decree may become the first to require cross-border information providers to take actions against IP infringing content per users’ requests.
Inspired by the recent Australian new media law and pressure on social media platforms to share revenue with the traditional press, a new requirement to enter into content cooperation agreement with the Vietnamese press when providing information cited from the local media has now also established.
Data center services
The Draft Amendment introduced definitions of the data center services, including dedicated server, co-location, data storage services, and cloud computing. Cloud computing was defined to include Infrastructure as a service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
Business license requirement. The Draft Amendment requires providers of data center services to apply for a business license for offering data center services before the MIC. In addition, provision of data center services to clients abroad must also be properly informed to the MIC. Providers must (i) follow the relevant technical standards in designing, building, and operating the data center; (ii) have software and applications to manage and store customer information; and (iii) possess a procedure in place to verify information and protect customers’ data.
Further obligations. On the basis of finding their clients conducting illegal activities, providers of data center services are compelled to stop serving and to report their clients to the authorities. The authorities can also request them to stop serving the violating clients. In addition, the providers cannot transfer their clients’ data abroad and must sufficiently apply measures to protect the data. Records of client information should be kept for at least five years after the services of data center for that client ended.
The Draft Amendment also requires that the contract of data server services include without limitation to information of prohibited activities, agreed level of services and technical standards, and identifiable information of the customers.
The Draft Amendment impacts all major players in the tech industry, including cloud service providers, social media platforms, and cross-border information provider. Both local and overseas tech-based Internet service providers are recommended to keep a close watch on the developments of the Draft Amendment, as relevant changes on Internet regulations will call for timely compliance.
Authors: Yen Vu, Trung Tran, Khanh Nguyen
 Vietnam Data Center Market Prospects & Upcoming Trends and Opportunities Analyzed for Coming Years, https://www.marketwatch.com/press-release/vietnam-data-center-market-prospects-upcoming-trends-and-opportunities-analyzed-for-coming-years-2021-06-03?siteid=bigcharts&dist=bigcharts&tesla=y
 Article 1.17 of the Draft Amendment on proposal to amend Article 22 of Decree 72
 The illegal information as prescribed in Clause 1, Article 5 of this Decree
 Article 1.3 of the Draft Amendment on proposal to amend Article 5 of Decree 72
 Article 1.2 of the Draft Amendment on proposal to add Article 3.41 to Decree 72
 Article 1.71 of the Draft Amendment on proposal to add Article 44d to Decree 72
 Article 1.71 of the Draft Amendment on proposal to add Article 44h to Decree 72
 Article 1.71 of the Draft Amendment on proposal to add Article 44e to Decree 72