Vietnam’s New Cybersecurity Law: Consumer Protection or Blatant Censorship?


    As countries around the world continue to adjust to the difficulties of managing the internet and ensuring cybersecurity, Vietnam has made waves with its new cybersecurity law (“Cybersecurity Law”) that some have deemed “Stalinist” and “totalitarian.” This is not Vietnam’s first foray into cracking down on anti-government speech on the internet; the government has previously shut down online newspapers for publishing “nationally divisive” content, worked with Facebook to silence reporters, and arrested bloggers for public criticism.

However, Vietnam looks to extend its reach into the cyberworld with the Cybersecurity Law, which took effect on January 1st, 2019. Now, under threat of civil and criminal penalties, internet service providers must comply with new localization and content control rules at the request of the Ministry of Public Security. Notably, all covered entities, which include organizations, agencies, and businesses that provide online services to the Vietnamese population, must report data breaches to the Cybersecurity Task Force (“CTF”) immediately. More important, they must also be prepared to make three key adjustments to avoid penalties: localize the storage of users’ data; establish physical offices within the country’s borders; and control and censor content in accordance with Vietnamese law.

First, all covered entities must store their users’ data in Vietnam for varying periods of time, depending on the type of data. Personal data such as names, ID numbers, and biometrics must be stored for as long as the entity provides its service in Vietnam, while data created by users, such as uploaded information, and data regarding the relationships of users, such as friend or group information, must be stored for at least 36 months.

Second, certain covered entities which have misbehaved under the new law must establish local offices in the country. This includes any companies that have allowed their users to commit cyberattacks, cybercrimes, or other prohibited acts which disrupt Vietnamese national security and public order, as well as companies that have obstructed CTF policing or mishandled user data. Notably, the Ministry of Public Security has been granted broad discretion in determining whether a particular foreign internet service provider must establish a local office.

Third, covered entities must work to remove any information offending, opposing, or criticizing the Vietnamese government within 24 hours of receiving a request from the government. Entities are also expected to flag users who post such content, block them from receiving the company’s services, and potentially turn them over to Vietnamese authorities.

General Data Protection Regulation

These security measures stand out in stark contrast to the EU’s user-focused General Data Protection Regulation (“GDPR”), which took effect May, 2018. Both the Cybersecurity Law and the GDPR hold entities accountable for their management of users’ personal data, but the resemblance stops there. The Cybersecurity Law requires entities to report data breaches and empowers the Ministry of Public Security to mandate the establishment of a local office for such entities, but these measures seem to be more focused on punishing and controlling the internet service providers rather than protecting the consumer. Comparatively, the GDPR not only punishes companies for mishandling user data, but it also requires the employment of a data protection officer, bolsters the user’s ability to access the data that is held about them, and empowers users in some circumstances to force entities to erase their personal data. The other requirements of the Cybersecurity Law provide no obvious benefit for the average user.

Chinese Regulations

There are, however, clear benefits for the Vietnamese government, which seem to be mimicking the control scheme that has long been in place in China. Vietnam has not followed China in blocking Google, Facebook, Twitter, and thousands of other foreign websites, but the data localization and censorship policies bear a close resemblance to the regulations in China.

The Chinese data localization law, which took effect in 2017, requires critical information infrastructure operators (“CIIO”) to store all important data and personal information within China. Any person or entity that engages in crucial industries such as public communication, information services, and finance may be considered a CIIO, although it is unclear how broadly this term may be defined. Critics have claimed such a data localization policy only serves to enable the Chinese government to monitor and access private user data, and complained that such localization, combined with foreign investment restrictions, could expose companies to intellectual property theft. The Cybersecurity Law introduces similar risks for foreign entities conducting business in Vietnam, but the scope of the data localization requirement may be different. Rather than looking at the industry or potential impact of each covered entity, the Cybersecurity Law only exposes entities to the data localization requirement once they come afoul of the CTF or fail to comply with the censorship portions of the new law.

Beyond the ban on many popular foreign websites and services, Chinese laws strictly regulate the types of content that may be posted on the internet, ranging from sites that do not “actively propagate core socialist values” to information that “promotes ethnic hatred.” Regulations also require users to register their real names on internet forums, thus limiting anonymity and potentially discouraging free speech. Comparatively, Vietnam’s Cybersecurity Law only requires companies to work with the CTF to censor individual pieces of content that criticize the government or disrupt national peace and security.

However, the Cybersecurity Law has been written in vague enough terms that the average Vietnamese citizen may one day wake up to an internet landscape thoroughly censored and patched. Vietnamese authorities have already found Facebook in violation of its new Cybersecurity Law for failing to remove posts that contained “slanderous content” and “anti-government sentiment.” Under the new law, the government may require Facebook to pay a fine, establish an office in Vietnam, ban the offending user from the platform, and turn over the user’s personal information to Vietnamese authorities. Although the specific details are different, Vietnam’s new Cybersecurity Law ultimately looks suspiciously similar to the Great Firewall of China.


Daniel Yoon is a second-year law student at Columbia Law School. He holds a B.S. in International Affairs from the Georgia Institute of Technology and is the vice-president of the Prison Healthcare Initiative at Columbia.