VIETNAM - CYBERSECURITY - COMPARING VIETNAM’S CYBERSECURITY LAW WITH ITS COMMITMENTS UNDER THE CPTPP, EVFTA
Vietnam’s latest Law on Cybersecurity came into force on 1 January 2019. The law sets out
rights and obligations on domestic and foreign companies providing services to customers in
Vietnam over telecom networks or the Internet. The two provisions of the Law that are the
most controversial are arguably Data Localization (offshore and onshore online service
providers are required to store Vietnamese users’ information within the country for a period
of time) and Commercial Presence (the same companies must establish a commercial
presence in Vietnam either in the form of a branch or representative office). It has been
questioned whether these provisions contradict international treaties to which Vietnam is a
signatory, including the CPTPP and the EVFTA. In answering this question, we shall
examine Vietnam’s commitments under each Agreement.
Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP):
No import tax to be imposed on e-commerce transactions. However, Vietnam has the right
to impose local taxes, fees and charges on "electronically transmitted content", provided that
such taxes, fees or charges are in accordance with provisions of the Agreement.
Cross-border transfer of information by electronic means is allowed. The cross-border
transfer of information or data by electronic means is only for business activities or a legal entity.
Vietnam has the right to have separate requirements for data transfer by electronic means and
to take necessary measures to implement legitimate public policies, but on the condition that the
policies do not create disguised barriers to trade and are not applied in a discriminatory or arbitrary
manner.
Data localization requirement is not mandatory. Vietnam is not allowed to require the use
or location of servers in the host country as a business condition. However, Vietnam has the
right to make specific management requirements regarding the use or location of servers,
including requirements to ensure communications security and confidentiality, and to take
necessary measures to implement legitimate public policies, but on the condition that the
policies do not create disguised barriers to trade and are not applied in a discriminatory or arbitrary
manner.
CPTPP countries agreed not to sue Vietnam if its cybersecurity regulations are deemed to be
inconsistent with the CPTPP Agreement (specifically, two obligations of free cross-border
information flow and server localization in the E-Commerce Chapter) within 2 years after the
date of entry into force of the CPTPP Agreement.
Reserving measures related to national security and defense, public order and privacy.
Vietnam has the right to have separate management requirements for cross-border transfer of
data or information by electronic means and for using or locating servers (including requirements to
ensure communications security and confidentiality); Vietnam has the right to take necessary
measures to implement legitimate public policies, but on the condition that they do not create
a disguised trade barrier and are not applied in a discriminatory or arbitrary manner.
The validity of electronic authentication and electronic signatures must not be
denied. However, Vietnam may require that, for a particular category of transactions, the
method of authentication meets certain performance standards or is certified by an authority
accredited in accordance with its law. In practice, though not stated in the law, all application
dossiers to the local Department of Planning and Investment still require a wet-ink signature,
even if the investor is abroad.
EU-Vietnam Free Trade Agreement (EVFTA):
The issue of cybersecurity can be found in Chapter 8 of the EVFTA, Section F of which
states that “the Parties, recognizing that electronic commerce increases trade opportunities in
many sectors, shall promote the development of electronic commerce between them, in
particular by cooperating on the issues raised by electronic commerce under the provisions of
this Chapter of EVFTA”.
As committed under the EVFTA, Vietnam and the EU shall maintain a dialogue on regulatory
issues raised by electronic commerce, which shall, inter alia, address the following issues:
• the recognition of certificates of electronic signatures issued to the public and the facilitation
of cross-border certification services;
• the liability of intermediary service providers with respect to the transmission or storage of
information;
• the treatment of unsolicited electronic commercial communications;
• the protection of consumers in the ambit of electronic commerce; and
• any other issue relevant for the development of electronic commerce.
This dialogue may take the form of an exchange of information on the EVFTA Parties'
respective laws and regulations on the issues referred to above, as well as on the
implementation of such laws and regulations.
From the above, it can be seen that the international treaties leave a lot of room for Vietnam
to develop its own regulations. In other words, due to their vague language and the absence of further
guidance, the provisions are open to the discretion of the local authorities. As such, to answer
the question at the beginning, the Law on Cybersecurity and accompanying legal documents
stipulating that foreign enterprises operating commercially in cyberspace must set up a
representative office and store data in Vietnam for a period of time are not contrary to
international practice outlined in the CPTPP and EVFTA.
***
Please do not hesitate to contact the author, Dr. Oliver Massmann,
at omassmann@duanemorris.com. Dr. Oliver Massmann is the General Director of Duane
Morris Vietnam LLC, Member of the Supervisory Board of PetroVietnam Insurance JSC and
the only foreign lawyer presenting in Vietnamese language to members of the NATIONAL
ASSEMBLY OF VIETNAM.