Vietnamese Police Wants to Control People’s Credit Information, Log Chat, and Political Opinions with New Cybersecurity Law

On or about October 3, 2018, the Ministry of Public Security of Vietnam quietly released their draft decree on the implementation of the country’s freshly minted Cybersecurity Law of 2018. As of press time, the MPS has yet to announce the draft decree to the public on its website. Instead, they only sent it to a few selected businesses and governmental agencies to collect feedbacks.

It is expected that this draft will undergo a few revisions.

We are highlighting a few critical points from the first version dated October 3, 2018, as follows:

1. Police’s Administration Of People’s Credit Card’s Numbers, Personal Financial History, And Political Opinions

The issue which generated the most public concern regarding the new Cybersecurity Law that was passed by Vietnam’s National Assembly on June 12, 2018, has centered around the definition of “Internet user’s personal data.” The new law summarily discussed the requirement for Internet providers to store users’ data in Vietnam and provide them to the authorities upon request. The draft decree now seeks to define this term, “personal data,” in details at Article 2, Section 2:

“Personal data is information in the form of symbols, words, numbers, pictures, sounds, or any like forms to identify the accurate identity of an individual, including:

1. Data concerning personal information: name and surname, date of birth, place of birth, nationality, profession, position, place of residence, contacting address, email address, telephone number, identification card number, personal identification number, passport number, social benefits insurance card number, credit card number, health conditions, medical history record, financial history record, interests, strengths, political opinions, ethnic origin, race, philosophical beliefs, societal position, biometrics;
2. Data created by individuals: the content of personal interaction, usage function, realizing conduct, time, acting frequency, selected information chosen to be uploaded, synchronizing or importing from a device;
3. Data concerning the individual’s relationships: friends, pages, accounts, keywords, groups that the users connected to or interacted with.”

However, the above section does not constitute the entire list of all data which businesses are required to store and provide to the Bureau of Cybersecurity, Prevention and Opposing High Technology Crimes of the MPS.

Under Article 54, the draft decree further adds: “information used to create a user’s account” and “data occurred during the use of services, including access history, information regarding the payment for services, IP address used for accessing services, search history habits, log chat, time of the transaction.”

Moreover, the Bureau of Cybersecurity could also demand businesses to provide information concerning a user’s devices including “information about the device, attributes, activities, identification number, signal, data regarding the installation of the device, network and connectivity, cookie data.”

2. Businesses Have To Permanently Store Users’ Data, With A Few Exceptions

Regarding personal data and information used to initialize a user’s account, the draft decree explicitly

that businesses to permanently store the data, either according to the length of their operation or until they cease to provide services.

For data which could only be generated later, such as IP address, log chat, search habits, they would have to be stored for 36 months.

3. Governmental Agencies And Businesses Providing Services Will Have One Year From January 1, 2019, To Prepare For Compliance

The final version of the decree and the Cybersecurity Law are both projected to take effect at the same time, which will be on January 1, 2019. Accordingly, governmental agencies, businesses, and related organizations will then have one year to bring themselves in compliance with such regulations concerning the storage of data, and providing them to Vietnamese authorities upon request, as well as establishing their representative offices or branches in Vietnam.

It means foreign technology companies that have been providing services to Vietnamese users, such as Google and Facebook, would have to prepare their data center, the technology infrastructure for data storage, as well as registering and opening their offices in Vietnam before January 1, 2020. During the same 12-month period, the Bureau of Cybersecurity under the MPS would also establish their own data center to “store, manage data to be turned over from businesses,” according to Section 6, Article 58.