Vietnam’s dangerous new cybersecurity laws

CC Image courtesy of G.L. Barone on Flickr, used under Creative Commons License

Vietnam’s new cybersecurity laws are less an exercise in security and more in control. The laws are a direct attack on online freedom of expression.


Vietnamese lawmakers will vote on new cybersecurity legislation during this summer session. The proposed laws will demand firms store their Vietnamese user data in Vietnam. Firms like Facebook and Google currently do not store this data locally. The practice is known as ‘data localisation’. Data localisation is already practiced in countries like China. The legislation will also insist internet companies operating in Vietnam open local offices.

Vietnam’s Ministry of Public Security (MoPS) insists that these laws are to protect Vietnam’s economic interests. It argues that local data centres will provide more IT jobs for Vietnamese workers.

The laws’ advocates also insist that it will deter tax avoidance from internet firms. Tech firms have been able to avoid domestic tax by storing user data abroad. Th new legislation would end the free transfer of data out of Vietnam. The new legislation would require government approval before firms can transfer data abroad. There is also a requirement for internet companies to open local offices.

Censorship and control are at the heart of the proposed legislation

Despite the government’s claims, control is at the heart of the new legislation. With localised data, the government will gain access to Vietnamese user’s data. Existing laws permit the government to force tech firms to hand local data over.

The presence of domestic offices would also provide an opportunity for government intimidation. Facebook and Google currently serve Vietnam from offices in Singapore. With Vietnamese offices, the government could pressure companies to administer stricter censorship. They could also pressure them into revealing individual dissident identities.

The claim that data localisation would bring jobs is also exaggerated. Data storage facilities and operations are almost entirely automated. The number of new jobs would be minimal. For example, Apple’s facility in North Carolina created only 50 positions.

Rather than strengthen Vietnam’s cybersecurity, the new laws could weaken it. Users’ data is only as secure as the national digital infrastructure. Vietnam’s digital infrastructure is not as developed that of Europe and Singapore. Data localisation would make it easier for hackers to steal users’ data.

Facebook and Google oppose the proposals but only to preserve their interests

Facebook, Google and other internet firms object to the legal proposals. However, it would be premature to call these companies free-speech champions.

Since mid-2017, Facebook reported 22 instances of blocking content in Vietnam. The tech giant claimed the content was in breach of local laws. On four occasions, Facebook also provided the Vietnamese government with user account data.

Google also blocked anti-government content. In 2017, the Vietnamese government requested that YouTube remove 6,500 YouTube videos.

Bad news for human rights activists

Activists have few champions left to fight for free speech online. A group named the Asia Internet Coalition (AIC) has attempted to raise its concerns with Prime Minister Nguyen Xuan Phuc. However, content restrictions have not featured in the discussions.

The bill received the approval of the Standing Committee in April. Its tabling at the summer session at the Legislative Assembly will be for the final vote. It is expected to pass.

The government is ushering through repressive cyber laws disguised as economic policy. Paradoxically, Vietnam’s cybersecurity will be more precarious than before. Data localisation will erode user anonymity and pose a threat to government critics. Vietnam’s online spaces for critical expression are under threat. Dark days are coming.