Cybersecurity regulations to cause massive hit to IT firms

Under Clause 4, foreign enterprises that provide telecommunications and/or internet services in Vietnam are required to “obtain licences for their operations and locate their representative offices and servers with Vietnamese user data stored on them in the territory of the Socialist Republic of Vietnam,” and any violation will be stringently punished under legislation.”

Some say this provision has the potential to impede the digital economy and the growth of internet services in Vietnam.

“We respectfully highlight that it is not only foreign companies who will be affected by data localisation policies, in fact, smaller companies are more likely to be Vietnamese and the cost for smaller businesses will be proportionately higher than for larger companies,” said an Asia Internet Coalition (AIC) statement on the draft law sent to the compiler, the Ministry of Public Security.

AIC is an industry association made up of leading internet and technology companies such as Google, Facebook, Apple, Twitter, LinkedIn, Expedia, PayPal, Rakuten, LINE, and Yahoo.

According to AIC, at a time when Vietnam is looking to conduct an IT Law Review to benefit from the digital economy and promote Vietnam 4.0, “data localisation policies should be avoided for the private sector.”

“Companies should be allowed to choose the best option for their company regardless of location. Locating data servers locally does not increase cybersecurity for data and it can be counterintuitive as cybercriminals can more easily identify the location of the data for cyberattacks since the search zone is now narrowed down to data servers within a country (as opposed to letting companies decide globally where to locate their or their customers’ data),” said AIC’s managing director Jeff Paine.

“An effective cybersecurity strategy is one where there is good execution of ever-evolving best practices in security to the combined areas of technology, processes, people, and physical facilities,” he said.

According to AIC, companies have made huge investments to ensure that their data centres are secure. Thus, forcing companies to locate servers locally “would make them more vulnerable to attacks as the systems and network might be less sophisticated, and generally harder to update with the latest security software.”

“We strongly suggest any data localisation requirement be limited to only government information systems,” said the AIC statement.

Meanwhile, some National Assembly members have also expressed discontent with Article 34(4) of the draft law. They said it is necessary to clarify the definitions of “providers of telecommunications and/or internet services” and “providers of technological platforms and social media” such as Facebook, Google, and Skype, which have now become very popular in Vietnam, where there are 80 million Facebook accounts and 50 million internet users.

“I think the provision that foreign firms have to locate their representative offices and servers in Vietnam will become infeasible, which may prompt giants like Facebook, Google, and Yahoo! to leave Vietnam. This means that more than 50 million local internet users will be heavily affected,” said deputy Vu Xuan Cuong from the northern province of Lao Cai at last week’s National Assembly group-based discussion.

Echoing this view, deputy Nguyen Lan Hieu representing the southern province of An Giang said this regulation “will cause difficulties to technological investors in Vietnam and discourage them from investing in the country.”

“As far as I’m concerned, Google currently has only four data centres in the world. But now we want it to establish one centre in Vietnam. I think it’s impossible,” Hieu said.

Deputy Nguyen Viet Dung from Ho Chi Minh City also opposes the regulation.

“Facebook is a global service provider. If it operates in 200 nations, will it be required to place its servers in all of these nations? That’s very costly and impossible,” said Dung, who is also director of the city’s Department of Science and Technology.

Early this month, Vietnam Chamber of Commerce and Industry (VCCI) sent its comments on the draft law to the National Assembly’s Committee on National Defence and Security, saying that if the regulation is implemented, it will break commitments that Vietnam made when joining the World Trade Organization and the European Union-Vietnam Free Trade Agreement.

Under such commitments, unrestricted market access for cross-border telecommunications services are provided for firms of all shapes and sizes.

The proposal also goes against a commitment relating to Location of Computing Facilities (Article 14(13)) in the Electronic Commerce Chapter of the Trans-Pacific Partnership, which is now the Comprehensive and Progressive TPP.

Specifically, Article 14(13) requires that “no party shall require a covered person to use or locate computing facilities in that party’s territory as a condition for conducting business in that territory.”