Building law on cyber security: A must in current situation

The draft Law on Cyber Security, which is scheduled to be passed by the 14th National Assembly at its ongoing session, contains some new provisions which raise public concerns. The Vietnam Law and Legal Forum, under the Vietnam News Agency, talks with Lieutenant General Hoang Phuoc Thuan, Director of the Cyber Security Department of the Ministry of Public Security, about some controversial issues governed by the draft law.
June 06, 2018 | 10:39

The draft Law on Cyber Security, which is scheduled to be passed by the 14th National Assembly at its ongoing session, contains some new provisions which raise public concerns. The Vietnam Law and Legal Forum, under the Vietnam News Agency, talks with Lieutenant General Hoang Phuoc Thuan, Director of the Cyber Security Department of the Ministry of Public Security, about some controversial issues governed by the draft law.

Building law on cyber security: A must in current situation

Full-time National Assembly deputies discussed the draft Law on Cyber Security at a conference held by the NA Standing Committee on April 4th, 2018. (Photo: VNA)

Q: Over the past few years, the cyber security situation has developed complicatedly. Series of cyber-attacks and security incidents have been reported by local media. Could you elaborate on the necessity to make the Law on Cyber Security in Vietnam today?

Lieutenant General Hoang Phuoc Thuan: The cyber security situation in the world and Vietnam is undergoing complicated developments. There are tens of thousands of cyber-attacks that target Vietnam’s information system happening every year. Fake news, fabrication, calumniation, aspersion, outrage, and incitation of violence have become rampant in the cyberspace, particularly in social networks. Cyberspace has somehow turned into an “asylum” for crimes and violations. Cybercrime, particularly such organised ones as gambling, organisation of gambling, swindling to appropriate property, and trading in fake or banned goods, has developed complicatedly. This situation is attributable to the lack of a legal framework in the field of cyber security.

The formulation and promulgation of the Law on Cyber Security aims to meet the urgent requirements arising from the country’s cyber security situation and the need to protect the national security, the State’s secrets, social order, and lawful rights and interests of organizations and inpiduals. The Law will also help address existing shortcomings and limitations in the state management of cyber and information security and further promote the role of line ministries and functional agencies in assurance of cyber and information security. Additionally, the enactment of the Law can also be regarded as a complete and timely institutionalisation of the Party’s policies on cyber security, while ensuring compliance with the 2013 Constitution’s provisions on human rights, fundamental rights of citizens and safeguard of the Fatherland. The Law’s provisions conform to international practice as a matter of fact that many countries in the world have issued their own cyber security laws.

It can be said that cyberspace exists in all aspects of social life, including e-commerce. The draft law contains specific provisions requiring user data and important data to be stored in the country. So what subjects will be governed by these provisions and which data will be stored within Vietnam’s territory?

As we all know, many countries have set forth requirements for domestic storage of important data, for example, the United States, Canada, Russia, Germany, China, Indonesia, Greek, Bulgaria, Denmark, Finland, Sweden, Turkey, Venezuela, Columbia, Argentina, and Brazil. On May 25th, the European Union’s General Data Protection Regulation officially came into force, empowering EU citizens to look up, change or delete their personal information, thus they can control their personal data when joining forums and social networks. The EU also requires service providers to inform service users of how their personal information will be used and commit to not providing such information to third parties. Violating companies may be fined up to EUR 20 million or 40 percent of their worldwide turnover. Looking at these examples, we can see that the draft Law’s provisions are appropriate and progressive.

It can be confirmed that the draft Law on Cyber Security neither forces all organizations and inpiduals to comply with these provisions nor requires storage of all data. Based on the requirements for ensuring and safeguarding national security, social order and fine cultural and ethical values and traditions of Vietnam, the Government will specify which types of organisations and agencies and which kinds of data will be governed by these regulations.

There have been opinions that these aforesaid data storage requirements do not conform to Vietnam’s international commitments and will block cross-border data flows and reduce the country’s GDP. What is your opinion?

When elaborating these regulations, the Drafting Board carefully reviewed Vietnam’s commitments as well as treaties which the country has acceded to, including the WTO’s commitments and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). Hence, I can affirm that the draft Law’s provisions on data storage are not contrary to or violate the country’s commitments. They also do not prevent Vietnam from fulfilling its international commitments.

As we know, all bilateral and multilateral commitments have exceptions serving security, public order, culture, and community well-being. This means that interests of member states to international commitments are always upheld and respected for. There is no commitment that forces us to give up these interests. In fact, some member states of the WTO have enacted similar regulations and, therefore, set precedents for Vietnam without violating WTO commitments.

As for the opinion that these regulations will block cross-border data flows, I can confirm that nothing is hindered here by this draft Law. Cloud computing technology enables data access from everywhere, regardless of whether such data is stored in Vietnam or the U.S. The draft Law only requires the storage of some kinds of data in Vietnam but not restrict access to such data.

Recently, some persons cited statistics of the European Center for International Political Economy (ECIPE), saying that data localisation may reduce Vietnam’s GDP by 1.7 per cent and foreign investment by 3.1 per cent. However, they seemed to “forget” that such statistics came from a report titled “The costs of data localization: Friendly fire on economic recovery” released by the ECIPE four years ago (March 2014). The report, which was prepared based on the most negative scenarios, also put forth similar forecasts for the EU, China, India, the Republic of Korea, Indonesia, and Brazil. However, reality has proven the opposite. In 2015, one year after the ECIPE gave its evaluations, Vietnam attained the highest GDP growth rate in the 2010-2015 period and has managed to maintain an impressive growth until now. The EU and other countries mentioned in the report are now managing personal data in a more and more stringent manner. So, we can see that these predictions are wrong and the quotation of such statistics without complete context is intended for unclear purposes.

When there is a scientific and thorough approach to the draft Law’s provisions, one will find that the data storage requirement is conformable with domestic laws and international practice and not contrary to treaties which Vietnam has acceded to and does not obstruct activities of businesses. However, some opine that this requirement is infeasible now when all enterprises use cloud computing and server virtualisation/virtual private servers for data storage. What’s your opinion on this issue?

As I have said, cloud computing technology permits data to flow regardless of where such data are stored. Therefore, the data storage requirement in the draft Law is technologically feasible and will not create any obstruction. Similar rules have been adopted by many countries. In fact, according to statistics we knew, Google and Facebook have installed or hired nearly 2,000 servers in our territory in order to improve their service quality. This shows that data storage is not only technologically feasible but also helpful to improve connectivity and quality of services.

At present, it is assumed that all enterprises doing business in cyberspace related to Vietnam will have to open representative offices in the country, which would cause difficulties to enterprises as they have to bear higher cost and carry out more formalities. What’s your opinion on this matter?

We understand that this assumption stems from legitimate concerns of enterprises. We are clearly aware of the importance of foreign enterprises operating in Vietnam. The draft Law itself is aimed at protecting the lawful rights and interests of organisations and inpiduals, including foreign enterprises. Therefore, the draft Law’s provisions are not intended to cause difficulties to enterprises as well as will not oblige all enterprises to set up their representative offices in Vietnam.

However, Vietnamese laws, including the 2005 Commercial Law and the 2017 Foreign Trade Management Law and their implementing regulations, stipulate that all foreign countries’ trade promotion organisations must open representative offices in Vietnam. We all see the fact that enterprises providing cross-border services like Google and Facebook are doing profitable business in Vietnam.

As far as I know, Google has set up some 70 representative offices and Facebook 80 representative offices in countries around the world. In the Southeast Asia, Google and Facebook have opened representative offices in Singapore, Malaysia and Indonesia. Why they have to do so if not because the establishment of representative offices facilitates their operation.

The reality is that our domestic organisations and businesses are subjected to many legal regulations when operating electronic newspapers, websites, social networks, etc. They are also responsible for our security, public order, culture, social morality, fine customs and habits. However, providers of cross-border services into Vietnam are almost free of any constraints and such obligations. Therefore, the registration of legal entities by foreign enterprises in Vietnam will help us create a fair and responsible business environment.

However, due to our international commitments, the draft Law does not mandate all enterprises to open representative offices but it will be based on national security and social order and safety requirements, and the Government will issue detailed regulations.

By the way, we would like to thank the contributions of the public, business community and international friends who have helped us complete the draft Law through nearly 30 times of revisions. We would like to continue to receive comments and hope that people, organisations and businesses in the country and abroad to endeavor together with the authorities of Vietnam to protect cyber security, contributing to building a safe and healthy cyberspace, contributing significantly to the socio-economic development of every nation and the world./.

VNF/VLLF

Phiên bản di động