What do Intermediary Service Providers need to do to comply with the requirements in Vietnam
With over 72 million internet users, ranked 13th in the world, Vietnam is an important market for almost all major online platforms. Yet rampant online copyright infringement has exposed tensions between online platforms and right holders and put online platforms at regular risk of being held liable for copyright infringement. “Liabilities of Intermediary Services Providers (ISPs)” is therefore among the most notable additions in the amended IP Law, which came into effect on 1 January 2023. After a long wait, Decree 17/2023/ND-CP (“Decree 17”) was finally issued on 26 April 2023, providing the necessary guidance for ISPs to meet the requirements set out in the IP Law and protect themselves from copyright infringement claims.
General Liabilities of ISPs under the IP Law
- ISPs must implement technology measures and cooperate with authorities and right holders in copyright enforcement.
- ISPs enjoy “safe harbour” in the following circumstances:
- “Mere conduit” (i.e. only transmit or provide access to digital information).
- “Caching” (i.e. automatically, intermediately and temporarily store digital information for the sole purpose of making the information's onward transmission to other users of the service upon their request more efficient): ISPs must (i) not modify the information other than for technical reasons; (ii) comply with conditions on access to the digital information; (iii) comply with rules regarding the updating of the information, specified in a manner widely recognised and used by industry; (iv) not interfere with the lawful use of technology, widely recognised and used by industry, to obtain data on the use of the information; and (v) remove/block the information it has stored upon obtaining knowledge that the information at the initial source of the transmission has been removed/blocked.
- “Hosting” (i.e. store users’ digital information): ISPs don’t know that the content is infringing copyright and must remove/block it expeditiously once the knowledge is obtained.
- Other circumstances provided by the Government.
- To enjoy safe harbour, ISPs have no obligation to proactively monitor their services or seek evidence of infringement.
- Failure to fulfil “safe harbour” requirements as such amount to an act of copyright infringement.
Instead of creating a secondary liability for ISPs or indicating exclusive rights that ISPs have infringed, the IP Law chose to directly label “ISPs’ failure to fulfil safe harbour requirements” as copyright infringement. This provision offers a solid ground for ISPs being jointly liable for damages triggered by their users’ infringement.
Detailed Guidance on Liabilities of ISPs in Decree 17
Definition of ISPs
Besides descriptive definitions of each ISP type (i.e. mere conduit, caching, and hosting), Decree 17 provides a non-exhaustive list of entities that can be regarded as ISPs, e.g. enterprises providing services of internet access/connection, server leasing, data storage, social networks, and searching. Both domestic and offshore ISPs are governed by Decree 17.
General responsibility of ISPs
Decree 17 imposes on ISPs the following obligations, which are elaborated from those provided in the IP Law:
- provide contact points to an authority (not yet specified) of the Ministry of Culture, Sports and Tourism (MOCST) and publish the information on ISPs’ websites;
- warn their users of legal consequences of copyright infringement, authenticate and protect users’ information, provide information per authorities’ requests, and comply with authorities’ inspection activities; and
- where ISPs use copyrighted contents posted by their users for commercial purposes, seek rights holders’ consent and pay royalties.
and specifically for ISPs providing hosting services:
- develop tools (e.g. software, website, email, or e-portal) to receive takedown notices; and
- remove/block contents upon obtaining knowledge that the contents are copyright infringing and publish the internal procedure to deal with takedown notices.
Legal liability for ISPs
Under the IP Law, failure to fulfil “safe harbour” requirements as such amount to an act of copyright infringement. Decree 17 specifies that any ISPs that fail to fulfil “safe harbour” requirements will be jointly liable for compensation of the damages caused by their users’ infringement.
Safe harbour requirements and procedures
Definition of “knowledge”
To enjoy safe harbour, ISPs must remove/block contents expeditiously upon obtaining “knowledge” that they are infringing copyright. Decree 17 doesn’t define “knowledge” but specifies takedown notices from authorities/rights holders as evidence of ISPs’ “knowledge”, without mentioning whether the notices must be duly substantiated or not.
Protocols in dealing with takedown notices from authorities and rights holders
Decree 17 provides protocols for ISPs in dealing with takedown notices from authorities/rights holders, including a protocol dedicated for livestreams. In brief:
- Upon receiving notices from authorities, ISPs must remove/block the reported contents. Decree 17 doesn’t specify what must be included in authorities’ notices. The reported users however can challenge such removal/blocking later by appealing or initiating lawsuits against the authorities’ relevant administrative decisions.
- Upon receiving notices from rights holders, ISPs must temporarily remove/block the reported contents first and allow the reported users to submit counter-responses within a fixed timeframe before deciding whether to remove/block the reported contents permanently or to restore. After this round, rights holders/reported users must approach the courts/authorities for further complaints, and ISPs must follow the courts/authorities’ decisions.
Decree 17 specifies which information/documents are required in a takedown notice/counter-response, and its language indicates that ISPs must take action (i.e. remove, block or restore) upon receiving all of the required information/documents. No language in Decree 17 suggests that ISPs have to review merits of the takedown notice/counter-response (i.e. function as a “judge”), which is consistent with the fact that Decree 17 doesn’t require takedown notices from authorities/right holders to be duly substantiated to become evidence of ISPs’ “knowledge”. In filing takedown notice/counter-response, right holders/reported users must commit in writing that they will be responsible for all damages caused by their requests – which protects ISPs from all liabilities if they don’t review merits of the takedown notices/counter-responses and end up restoring infringing content or removing/blocking non-infringing content.
Please note that these protocols are applicable to circumstances where ISPs receive takedown notices from authorities/right holders only. There will be numerous other circumstances where ISPs can be regarded as having “knowledge” of content being copyright-infringing and therefore must remove/block it expeditiously. We recommend that ISPs, before introducing new mechanisms/technologies in copyright enforcement (e.g. AI proactively detecting and removing infringing contents), consult lawyers carefully to determine where “knowledge” may be obtained and ensure that they won’t lose safe harbour in applying such mechanisms/technologies.
Co-authors: Hung Tao and Quynh Ngo
 Article 198b.2 IP Law
 Article 198b.3 IP Law
 Article 198b.4 IP Law
 Articles 28.8 and 35.11 IP Law
 Article 110.1 Decree 17
 Article 110.2 Decree 17
 Article 110.1 Decree 17
 Article 198b.2 IP Law
 Article 111.2 Decree 17
 Article 111.3 Decree 17
 Article 111.5 Decree 17
 Article 111.6 Decree 17
 Article 111.1 Decree 17
 Article 111.4 Decree 17
 Articles 28.8 and 35.11 IP Law
 Article 112.1 Decree 17
 Articles 113.3 and 114.5 Decree 17