Vietnam has released its latest draft decree on cybersecurity. It is intended to provide the government with control over all email and social media in the country. It requires companies such as Google, Microsoft, Facebook and others to setup local offices inside the country. They must also store all data on servers that are hosted inside the country.
This is the latest move to enact a law that was passed by legislators in June. Since then, the Vietnamese Government has come under increasing pressure from outside the country to modify the requirements of the original law.
What is this all about?
In June, the Vietnam National Assembly passed a cybersecurity law. It claimed that the law was required to maintain public order and protect the country. To achieve those goals, it set out draconian requirements on companies who provide digital access to its citizens. The law is aimed at all companies, both those in country and those offshore.
One requirement was that all those companies should set up offices inside the country. This presents a significant challenge for social media platforms used by those protesting against the government. By having offices and data stored in country, the government will find it easier to gain access to the data and to identify dissidents.
Compounding that situation is the requirement that all providers of services should Know the User. This means gathering significant amounts of data about each user far beyond that required to deliver the service. Personal data including religion, gender, location, biometrics and financial are all expected to be gathered and stored under this law.
This is not just about tracking dissent. Those providing business services such as banking and online shopping come under the law as defined in June. It also covers services such as healthcare.
What has changed?
In its coverage of this new draft decree, Reuters claims that the amount of data required has been reduced. It says that: “The data required to be stored ranged from job titles to contact details, credit card information, biometric data and medical records, according to the draft decree.
“The type of data required seemed to have shortened from an earlier version of the draft decree seen by Reuters last month, which also included information on peoples’ ethnicity and political views.”
There is now a two month consultation period for public consultation. It is likely that the major Internet players will want to avoid local operations. They will no doubt argue about cost and complexity. However, that is unlikely to change the mind of the government. It wants access to this data and control over what its citizens say.
What does this mean
Requiring data localisation is nothing new. It is being demanded by countries around the world and not just those who are seen as being excessively controlling. Inside the EU, Germany has enacted its own data localisation laws. It has done so to protect the privacy of its citizens.
At the same time, demands for greater access to what people do online is coming from all governments. The US, for example, has a number of extraterritorial laws that demand access to data stored all over the world, even in different countries. The demand for access is to combat crime and terrorism.
In Vietnam, this is more insidious. It is about preventing dissent and giving the government greater control over its citizens. It is, in many ways, simply following the lead of China who has invested billions to track and identify any online dissent. However, its demands go further than those of China. While this draft decree has softened from the original law it is still arguably the most draconian in the world.
One of the ironies of this law is the claim that it is to prevent cyber attacks against Vietnamese citizens, companies and the government. Vietnam is one of the cyber security hot spots that most cyber security companies call out as the source of cyber attacks.
For now, we will have to wait and see if Western government and the large Internet companies can soften this law further.