At the fifth session of the 14th National Assembly, the Cyber Security Law was adopted with the approval of 86.86 per cent of deputies. With seven chapters and 43 articles, the Cyber Security Law stipulates activities to protect national security and ensure social order and safety in cyberspace, as well as the responsibilities of related agencies, organizations and individuals.
This law will come into force on January 1, 2019, but there are still a lot of arguments about it, especially from foreign investors.
Commenting on the Cyber Security Law, AmCham Executive Director Adam Sitkoff told TheLEADER that this law faces two problems.
The first is that it covers areas that are already in other laws, which creates inconsistency, and “if you are a company, you do not know what exactly to do”.
The second is that “cybersecurity should be about cybersecurity and we want it to improve Vietnam’s cybersecurity, not the law affecting other things that control what you can read on the internet or what you can watch on TV as well as things like where the data has to be stored,” he said.
The Executive Director of AmCham insisted that “this is not about just Google or Facebook, it is a very complicated problem relating to supply chain which runs on data of users”.
“It doesn’t matter whether you’re making a Japanese car or shoes that LeBron James wore, it requires data that goes across borders and so, the idea that a country tries to control information is an idea of the past,” affirmed Adam Sitkoff.
According to the representative of AmCham, “we need to worry about what it can do for business growth, what it can do for job opportunities for young Vietnamese people, for your friends’ ability to communicate, entertain, work and anything else like that as well as its impact on everything else”.
He emphasized that “the best thing to do now is look at how other countries are making their rules” and confirmed the support of US businesses for the Government of Vietnam in developing the institutional environment for the digital economy.
Michael Kelly, Chairman of the American Chamber of Commerce in Vietnam (AmCham), “strongly supports the Government’s objective of promoting the development of the internet and digital economy in Vietnam while ensuring data security and the protection of Vietnamese Internet users”.
The representative of US enterprises in Vietnam said: “Our members have serious concerns about local office requirements, rules regarding data users and local storage of data, and other unnecessary and costly burdens that hurt businesses but will not help improve Vietnam’s cyber security posture.”
Sharing the same view, a report from the Investment and Trade working group of VBF emphasized that a number of provisions in the Law on Cyber Security, specifically on data residency, will severely impact the current development of Vietnam’s digital economy and will halt its growth prematurely.
In particular, Article 26.3 of the Law on Cyber Security requires that local and foreign enterprises providing services on telecommunications networks, the Internet and value-added services in cyberspace in Vietnam that collect, exploit, analyze and process data on personal information, data on the relationships of service users, and data created by service users in Vietnam must store that data in Vietnam for a period of time specified by the Government.
Foreign enterprises operating in this field must have a branch or representative office in Vietnam.
According to the report, the nature of forced localization limits Vietnamese businesses’ ability to access tools necessary to lower IT costs, innovate, and scale rapidly.
“Data localization policies are shown to reduce inward investment to the country, due to the added cost for companies to buy local server equipment,” the working group of VBF stressed.
Nguyen Thi Thu Ha, government affairs manager of Citibank, also shared her concerns about the Cyber Security Law in VBF’s document. “Foreign banks in Vietnam are mostly using databases/servers of their parent banks. The requirement that the representative agency and Vietnam-based users’ data must be located in Vietnam will be prohibitively expensive and unsafe in terms of information security.”
“We think that it should be acceptable that when a Vietnamese regulatory/investigative authority requests some information from the bank, which the latter provides in time, and that should suffice as meeting the local authorities’ requests rather than insisting on localization,” she stressed.