Governance & Risk Management , Legislation & Litigation , Privacy
Vietnam's 'Cybersecurity' Law Says Little on Security
Law Focuses More on Fighting Anti-Government SpeechOn Wednesday, just days after a new "cybersecurity" law took effect, Vietnam alleged that Facebook has violated the law by allowing users to post anti-government comments on the platform, according to news reports.
See Also: Cybersecurity Awareness Engagement Toolkit: Elevate Your Security Culture
The so-called cybersecurity law actually speaks little about IT security measures and instead focuses on various prohibited acts, such as spreading information that opposes the government of the Socialist Republic of Vietnam.
The law is expected to give sweeping power to the government to take down any content it deems misfit to its thought process.
It appears to cover all enterprises that provide services on telecommunication networks and the internet in Vietnam. It requires these companies to authenticate users upon registration and keep their information confidential, according to a report by Baker Mckenzie, a multinational law firm.
Under the new law, companies also must grant the government access to their information systems when there is "a serious breach of law or action causing serious loss to the public order and safety," the report says.
Other Requirements
Vietnam already has two regulations that place similar obligations on companies.
Decree 72, issued in 2013 to regulate internet businesses, imposes similar prohibitions and obligations on internet service providers, according to a report by the law firm Duane Morris.
In addition, Circular 38, issued in 2016 by the Ministry of Information and Communications, sets out a process by which offshore internet-based service providers must cooperate with the government to combat "bad" and 'toxic" content on the internet, the law firm explains.
According to a Google transparency report, since 2009, Google has received 67 requests from the Vietnam government for removal of material from Google's platforms and a number of requests for providing user data to the government. Google reports that it has accepted some requests and declined others.
The new law is expected to lead to government actions designed to force companies to comply with its requests. But the terms of the law lack details on what sort of action could be taken.
Another provision of the new law is a data localization requirement. It states that companies that collect, exploit, analyze or process personal information, information created by users in Vietnam and data on the relationship of the users must store all data locally for a period of time. But the law does not spell out whether companies need to have their own local servers.
The Right Steps
Cleary, Vietnam's new law compromises privacy and free speech in the name of national security.
Governments worldwide are struggling to balance privacy vs. security. But no government is justified in ignoring internet freedom and clamping down on all content that it finds objectionable.
On the other hand, social media companies and others do have a role to play in protecting against cyber threats and terrorism.
Vietnam and other nations need cybersecurity laws that actually focus on cybersecurity best practices, spelling out standards that companies need to meet. Cracking down on what the government labels as "propaganda" accomplishes nothing.