Vietnam’s Cybersecurity Draft Law: Made in China?

During the first part of last year’s November, the National Assembly of China passed the Law on Cybersecurity and established its effective date to be June 1, 2017.

Then come June 2017, five days after said law went into effect in China, the Vietnam’s Ministry of Public Security (MPS) sent their own proposal regarding a draft of the Cybersecurity Law to the Vietnamese government. It has been claimed that this draft law was the result of a legislative process which began to take place since July 2016, when the National Assembly scheduled Cybersecurity Law as one of its agenda’s items then. The MPS then also established their own drafting team and an editing group to work on the drafts of Vietnam’s Cybersecurity Law in late March this year.

After going through various collections of public comments and four draft versions of the law, the final draft (Draft Law) now is in the hands of the National Assemblymen and women. It would be among the items to be discussed when they meet at the end of 2017, and if all things go according to plan, Vietnam’s Cybersecurity Law will get approved and signed into laws by the middle of next year.

Yet, whether purposefully or unintentionally, Vietnam’s Draft Law has shocked many people because it is almost identical to that of China’s.

In their proposal submitted to the government, the MPS stressed that they have researched, and thus taken into considerations Cybersecurity laws from China, Japan, the Czech Republic, South Korea, and the U.S when drafting the Draft Law.

I have to make it clear that I do not have any evidence to conclude the Vietnamese government has indeed copied China’s Cybersecurity Law. Moreover, if both countries are functioning under an identical political system, then the use of identical legislative tools would be very understandable. This is even more likely when the MPS openly admitted that they have considered Chinese laws as stated. Besides, copying or learning from other countries’ legislative experiences do not necessarily mean negative consequences.

However, let’s just go straight to comparing Vietnam’s 4th draft of the Cybersecurity Law currently sitting on the desks of the National Assembly’s members and the English translation of the Chinese laws, to see how much they are alike to one another, and whether such similarities will bring negative consequences to Vietnamese people.

1. Two documents, one technical term

There is one technical term in the Vietnamese Draft Law that one should pay close attention to, which is the “critical information system regarding national security” in Article 9.

In the China’s version, there is a similar technical term: “critical information infrastructure” in Article 31.

Both laws centered on these two technical terms, and their definitions are also very much alike. Both are used to define any information, that if being under attack, they would bring harms to national security, social order and public safety.

That information – as mentioned in both Vietnam’s and China’s Cybersecurity Law – would then include energy, finance, transportation, media, and publications, as well as electronic governance.

However, the Draft Law of Vietnam also includes military-security, national secrets, banking, natural resources and environment, chemicals, medicine, and other national security structures.

The Draft Law also does not distinguish between private companies and government agencies when applying the concept of “critical information system regarding national security”. Based on the context of said law’s wordings, the targeted entities are implied to be both of them. The government and the enforcing authorities could also interpret this law as broad as possible.

Baker & McKenzie, in their analysis of the Chinese Cybersecurity Law, has warned all companies whose may have established relationships with those entities which fall under the regulatory perimeters of said law, that this law could very well be applicable to them.

The agencies and enterprises who are within the application of this law shall abide the technical measures and regulations as set by the government, and submit themselves to be under the direct control and observation of the MPS. They will have to obtain all necessary business permits to operate and maintain their equipment while at the same time, must cooperate with the authorities in monitoring users’ information.

These regulations between Vietnam and China are identical.

2. Directly target information considered to be dangerous to the regime

It is not surprising to learn that both Vietnam and China are extremely concerned about cybersecurity.

As detailed in the proposal from the MPS, the Draft Law of Vietnam focuses on underlining the importance of “preventing, fighting against, and neutralizing all activities using cyberspace to intrude national security; subverting against the Socialist Republic of Vietnam; propagandizing to destroy the ideology, the internal affairs, and the common national unification; inciting mass protests; and obstructing cybersecurity, from the reactionary forces and those who are enemies of the State”.

Further, Article 22 of the Draft Law clearly states that the Vietnamese government would apply all necessary technical methods to treat such information.

Article 12 of the Chinese Cybersecurity Law has a similar provision when it prohibits Internet users from using “the network to engage in activities endangering national security, national honor, and interests, inciting subversion of national sovereignty, the overturn of the socialist system, inciting separatism, undermining national unity, advocating terrorism or extremism, inciting ethnic hatred and ethnic discrimination, disseminating violent, obscene or sexual information, creating or disseminating false information to disrupt the economic or social order, as well as infringing on the reputation, privacy, intellectual property or other lawful rights and interests of others, and other such acts”.

3. Requiring all Internet users to provide true identity

Article 47 of the Vietnamese Draft Law specifically demands all Internet service providers to require “users to provide true and correct personal information. If any user refuses to comply, the service providers shall have the responsibility to deny that user service”.

At the same time, Internet service providers must establish their own verification system to ensure the accuracy and veracity of the information provided by the service users according to Article 33.

Article 24 of the Chinese Cybersecurity Law has the same language as those contained in the Vietnamese Draft Law’s Article 47.

Once businesses and the State can obtain users’ detailed personal information, there will be no guaranty that they would not use it for improper purposes, and would not harm such users.

4. The server is required to be localized within Vietnam’s territory and the providers will have to transmit their data overseas

This requirement has proven to be the most controversial in the past few days among the public in Vietnam.

Article 34 of the Draft Law requires “foreign corporations and providers, in order to provide telecommunications and Internet services in Vietnam, must … obtain business permits to operate, maintain a local representative agency, and the server which manages Vietnamese users’ data shall be stored within the national territory of the Socialist Republic of Vietnam”.

Article 48 further provides, all personal information and important data concerning national security shall be stored within the national territory of Vietnam. In the event that someone wants to transfer such information overseas, then a security assessment shall be performed according to the related governmental agencies’ requirements.

These rules and regulations have caused many Vietnamese concerns, that Google, Facebook, other social media platforms, email providers, and cloud computing service providers will soon pack up and leave Vietnam’s market.

Surprisingly, Article 37 of the Chinese version also provides for similar regulations as the two above-mentioned Draft Law’s articles.

As recent as this past June, tech giant Apple had to cooperate with a Chinese corporation to invest in a database center to comply with this specific provision. Microsoft, IBM, and Amazon had complied as well.

5. Forcing users and providers to act as informants

If the Draft Law gets passed into law, Internet users, telecom and Internet providers must cooperate thoroughly with the government.

Article 45 requires those who engage in activities using cyberspace must strictly comply with the government’s guidelines and shall allow the government to enforce their cybersecurity’s measures and safeguards.

Moreover, all service providers must work with the government to provide actual identities of those Internet users, while at the same time, shall have the responsibility to fend off all information which is deemed to be detrimental to the State, according to Articles 46 and 47.

Again, we find the same regulating language in China’s Cybersecurity Law. This time is located at Article 28, which demands that “network operators shall provide technical support and assistance to public security organs’ and state security organs; lawful activities preserving national security and investigating crimes”.

6. Forcing tech companies to follow government’s technical standards

Article 46 mandates all businesses involved in the production and putting in commerce digital products, as well as providing Internet services, shall be in accordance with the provisions of laws and with the “mandatory quality assurance of State standards”, before releasing their products to the market.

The State also shall pass laws which set the standards for the hardware and software to be used with the above-mentioned technical measures, as well as make sure that the applicable entities shall comply.

This provision also serves as the legal basis for the State to enact the necessary decrees and orders, regulating the specificity of the technical measures mentioned and how to enforce such measures.

Compare to China, the Chinese government had required all new computers to be pre-installed with the automatic content-control software – Green Dam – and also forced businesses, including Google, to have this software installed on all their computers.

The fact that the Vietnamese government had become increasingly more and more interfering with the technical measures regarding the high-tech market highlights the fact that it has opened the doors for corruption and abuse of power from the MPS, the Ministry of Defense (MOD), Ministry of Science and Technology, and other related governmental agencies.

7. Forcing all entities that have relations with “critical information” to be evaluated by the State when buying hardware and software.

Articles 11, 16, and 48 of the Draft Law gives the MPS, the MOD, and other State’s agencies, the authority to review equipment, networks products, and services which may be related to the national critical data system before they could be put into use or upgrade.

This is similar to Article 35 of China’s Cybersecurity Law.

Accordingly, this regulation means that any governmental agency or private business – who maintains an information system which related to energy, national finance, banking, transportation, chemicals, medicine, natural resources and environment, media, news and publishing, shall go through the MPS and/or the MOD when purchasing the necessary hardware, software, Internet service provider for their operation.

It probably makes sense to see this regulation being applied to government’s agencies, but the fact that it is stepping into fields such as banking, medicine, news, and publishing, raises questions about the State’s ambition in controlling information in society at large.

These regulations would grant the police and military the all-access key to both government’s agencies’ and private businesses’ hardware and software. This would be an opportunity for them to exert pressure on other agencies, businesses, as well as putting the whole society at risk for corruption and abuse of power.

The above were only seven strikingly obvious similarities between the Vietnam’s Draft Law and China’s Cybersecurity Law. With an in-depth reading of both documents, one probably finds, even though smaller, much more alike features.

This article is translated into English by Tran Vi from the article “Dự luật An ninh mạng: Hàng Việt Nam ‘Made in China’?“ that was published on Luat Khoa magazine on November 4th, 2017.