Vietnam | New Decree on Internet Services and Online Information

9 December 2024

Vietnam

Foreign investments
Information Technology
Privacy - Data Protection

The Government of Vietnam has issued a new decree governing internet services and online information, which shall come into force on 25 December 2024. Decree No. 147/2024/ND-CP, promulgated on 9 November 2024, supersedes the previous Decree No. 72/2013/ND-CP and its amendments.

This comprehensive legislation, comprising over 200 pages and 62 appended forms, addresses a wide array of internet and online topics. These include inter alia, internet services, domain names, cross-border information provision, social network services, aggregated information websites, online game services, and app store services.

Key Provisions

Cross-Border Information Provision

Offshore service providers, including those offering social network and app store services on a cross-border basis, are subject to stricter requirements if they either lease data storage in Vietnam or meet a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months. These providers must:

Notify the Authority of Broadcasting and Electronic Information (ABEI) of their contact information
Monitor and remove illegal content
Store and manage user data as required
Authenticate social network user accounts using Vietnamese mobile numbers or identification numbers
Submit annual and ad hoc reports to the ABEI
Handle user complaints

Only cross-border providers who have notified the ABEI of their contact details may offer live stream and revenue-generating services. Non-compliance may result in blocks and penalties.

Social Networks

Decree 147 establishes distinct regimes for offshore and onshore social network services:

Offshore providers meeting the aforementioned threshold must notify the ABEI of their contact information.
Onshore providers reaching 10,000 total visits per month for six consecutive months or 1,000 regular users per month must obtain a Social Network Licence.
Other onshore providers with low traffic must obtain a Notification Certificate from the ABEI.

The decree also regulates livestream activities by stipulating conditions for social network service providers to offer livestream functions and for social network accounts to conduct livestream activities.

Online Games

Foreign organisations and individuals are prohibited from providing online games to service users in Vietnam on a cross-border basis. To offer such services, they must establish a local enterprise in Vietnam.

This new decree is expected to have a significant impact on both onshore and offshore service providers in the respective fields and may tighten the regulatory landscape for internet services and online information provision in Vietnam.

If 2017 was the year of Initial Coin Offerings, 2018 was the year of Blockchain awareness and testing all over the world. From ICO focused guidelines and regulations respectively aimed to alarm and protect investors, we have seen the shift, especially in Europe, to distributed ledger technology (“DLT”) focused guidelines and regulations aimed at protecting citizens on one hand and promote DLT implementations on the other.

Indeed, European Union Member States and the European Parliament started looking deeper into the technology by, for instance, calling for consultations with professionals in order to understand DLT’s potentials for real-world implementations and possible risks.

In this article I am aiming to give a brief snapshot of firstly what are the most notable European initiatives and moves towards promoting Blockchain implementation and secondly current challenges faced by European law makers when dealing with the regulation of distributed ledger technologies.

Europe

Let’s start from the European Blockchain Partnership (“EBP”), a statement made by 25 EU Member States acknowledging the importance of distributed ledger technology for society, in particular when it comes to interoperability, cyber security and efficiency of digital public services. The Partnership is not only an acknowledgement, it is also a commitment from all signatory states to collaborate to build what they envision will be a distributed ledger infrastructure for the delivering of cross-border public services.

Witness of the trust given to the technology is My Health My Data, a EU-backed project that uses DLT to enable patients to efficiently control their digitally recorded health data while securing it from the threat of data breaches. Benefits the EU saw in DLT on this specific project are safety, efficiency but most notably the opportunity that DLT offers data subject to have finally control over their own data, without the need for intermediaries.

Another important initiative proving European interests in testing DLT technologies is the Horizon Prize on “Blockchains for Social Good”, a 5 million Euros worth challenge open to innovators and tech companies to develop scalable, efficient and high-impact decentralized solutions to social innovation challenges.

Moving forward, in December last year, I had the honor to be part of the “ Workshop on Blockchains & Smart Contracts Legal and Regulatory Framework” in Paris, an initiative supported by the EU Blockchain Observatory and Forum (“EUBOF”), a pilot project initiated by the European Parliament. Earlier last year other three workshops were held, the aim of each was to collect knowledge on specific topics from an audience of leading DLT legal and technical professionals. With the knowledge collected, the EUBOF followed up with reports of what was discussed during the workshop and suggest a way forward.

Although not binding, these reports give a reasonably clear guideline to the industry on how existing laws at a European level apply to the technology, or at least should be interpreted, and highlight areas where new regulation is definitely needed. As an example let’s look at the Report on Blockchain & GDPR. If you missed it, the GDPR is the Regulation that protects Europeans personal data and it’s applicable to all companies globally, which are processing data from European citizens. The “right to erasure” embedded in the GDPR, doesn’t allow personal data to be stored on an immutable database, the data subject has to be able to erase data anytime when shared with a service provider and stored somewhere on a database. In the case of Blockchain, the consensus on personal data having to be stored off-chain is therefore unanimous. Storing personal data off-chain and leaving an hash to that data on-chain, is a viable solution if certain precautions are taken in order to avoid the risks of reversibility or linkability of such hash to the personal data stored off-chain, therefore making the hash on-chain personally identifiable information.

However, not all European laws apply to Member States, therefore making it hard to give a EU-wide answer to most DLT compliance challenges in Europe. Member States freedom to legislate is indeed only limited/influenced by two main instruments, Regulations, which are automatically enforceable in each Member State and Directives binding Member States to legislate on specific topics according to a set of specific rules.

Diverging national laws have a great effect on multiple aspects of innovative technologies. Let’s look for instance at the validity of “smart contracts”. When discussing the legal power of automatically enforceable digital contracts, the lack of a European wide legislation on contracts makes it impossible to find an answer applicable to all Member States. For instance, is “offer and acceptance” enough to constitute a contract? What is considered a valid “acceptance”? What is an “obligation”? “Can a digital asset be the object of a legally binding agreement”?

If we try to give a EU-wide answer to the questions such as smart contract validity and enforceability it is apparently not possible since we will need to consider 28 different answers. I, therefore, believe that the future of innovation in Europe will highly depend on the unification of laws.

An example of a unified law that has great benefits on innovation (including DLT) is the Electronic Identification and Trust Services (eIDAS) Regulation, which governs electronic identification including electronic signatures.

The race to regulating DLT in Europe

Let’s now look briefly at a couple of Member States legislations, specifically on Blockchain and cryptocurrencies last year.

EU Member States have been quite creative I would say in regulating the new technology. Let’s start from Malta, which saw a surprising increase of important projects and companies, such as Binance, landing on the beautiful Mediterranean Island thanks to its favorable (or at least felt as such) legislations on DLT. The “Blockchain Island” passed three laws in early July to regulate and supervise Blockchain projects including ICOs, crypto exchanges and DLT, specifically: The Innovative Technology Arrangements and Services Act regulation that aims at recognizing different technology arrangements such as DAOs, smart contracts and in future probably AI machines; The Virtual Financial Assets Act for ICOs and crypto exchanges; The Malta Digital Innovation Authority establishing a new supervisory authority.

Some think the Maltese legislation lacks a comprehensive framework, one that for instance, gives legal personality to Innovative Technology Arrangements. For this reason some are therefore accusing the Maltese lawmakers of rushing into an uncompleted regulatory framework in order to attract business to the island while others seem to positively welcome the laws as a good start for a European wide regulation on DLT and crypto assets.

In December 2018, Malta also initiated a declaration that was then signed by other six Members States, calling for collaboration for the promotion and implementation of DLT on a European level.

France was one of the signatories of such declaration, and it’s worth mentioning since the French Minister for the Economy and Finance approved in September a framework for regulating ICOs and therefore protecting investors’ rights, basically giving the AMF (French Authority for Financial Market) the empowerment to give licenses to companies wanting to raise funds through Initial Coin Offerings.

Last but not least comes Switzerland which although it is not a EU Member State, it has great degree of influence on European and national legislators when it comes to progressive regulations. At the end of December, the Swiss Federal Council released a report on DLT and the law, making a clear statement that the existing Swiss law is sufficient to regulate most matters related to DLT and Blockchain, although some adjustments have to be made. So no new laws but few amendments here and there, which will allow the integration of the specific DLT applications with existing laws in order to ensure legal certainty on certain uncovered matters. Relevant areas of Swiss law that will be amended include the transfer of rights utilizing digital registers, Anti Money Laundering rules specifically for decentralized trading platforms and bankruptcy when that proceeding involves crypto assets.

Conclusions

To summarize, from the approach taken during the past year, it is apparent that there is great interest in Europe to understand the potentials and to soon test implementations of distributed ledger technology. Lawmakers have also an understanding that the technology is in an infant state, it might involve risks, therefore making it complex to set specific rules or to give final answers on the alignment of certain technology applications with existing European or national laws.

To achieve European wide results, however, acknowledgments, guidelines and reports are not enough. The setting of standards for lawmakers applicable to all Member States or even unification of laws in crucial sectors influencing directly or indirectly new technologies, will be the only solution for any innovative technology to be adopted at a European level.

The author of this post is Alessandro Mazzi.

Poland has recently become quite famous for its skilled and resourceful IT specialists. Each year thousands of new computer engineers (programmers, developers, testers, designers etc.) enter into the market, warmly welcomed by domestic and multinational companies. A big part of these young talents open their own firm or business as free lancers developing software for clients from European countries as well as from US, Canada, Japan, China, etc.

However, companies who want to cooperate with these partners and assign software development to a Polish IT company or freelancer should be aware that the copyright law in Poland is very strict, as it mainly protects the creator and not the client. Therefore, to be on a safe side, it is better to follow these 7 basic rules:

Never start cooperation with an IT specialist or an IT company without a formal agreement. And I mean a real agreement, in a written form, with signatures of persons who can validly contract on behalf of the companies. The form is very important because – under Polish law – copyrights transfer and exclusive license agreements not fulfilling form conditions are null and void. Moreover, if there is no agreement, Polish copyright rules will apply to all intellectual property matters.
Please remember that software is a creation protected by copyright law. Therefore you should consider whether you want to acquire the entire intellectual property rights or you just need a license. If you need a full IP transfer, you need to put it expressly in the agreement; otherwise you will only get a non-exclusive licence. And these, in several cases, will not be useful from a business point of view. If a license is enough, it is advisable to agree if it will be exclusive or non-exclusive.
When drafting an IP clause, be detailed and clear. If you want to be able to decompile and disassembly the binary code, specify it in the IP clause. If you want to be able to introduce modifications to the source code, specify it in the IP clause. If you want to sublicense the software, specify it in the IP clause. The IP clause shall contain the description of any way you want to use the software, whether on mobile devices or on personal computers, any other electronic device or via internet (e.g. cloud computing). And believe me, when I write “specify it in the IP clause” it means that you really, really have to put it there. Otherwise it will be null and void and you may face a situation where your smart IT engineer, after getting paid, will sue you for the IP infringement.
Remember that you should indicate the timeframe and the geographical scope of the license or IP transfer. If you do not specify it expressly in the agreement, you will only be entitled to a 5-year license, automatically expiring afterwards.
Draft carefully a clause related to termination of the agreement. Under Polish law the licensor may terminate the license agreement granted for an indefinite period of time upon 1-year notice. If you do not want to find yourself in a situation where you lose the software IP rights in the middle of a big project, make sure that from the very beginning you are on a safe side.
Make sure that your partner is obliged to transfer you upon request all software documentation and the source code.
Make sure that you have a good indemnification clause with no limitation of liability. Often Polish IT companies subcontract some part of the development work to free lancers. You never know if they will conclude proper agreements with their subcontractors and if they will legally acquire the IP of the software that they will later sell you. There is always the risk that in the future some Polish IT engineer you never met will raise IP infringement claims against you, trying to prove that he/she actually developed the software. In such a situation an indemnification clause will help you recovering the costs from your partner.

The Court of Justice of the European Union (CJEU) ruled, on December 20, 2017, that the service provided by Uber cannot be regarded as a digital service.

The question raised

The request for preliminary ruling was referred by a decision made by the Juzgado de lo mercantil de Barcelona relating to a dispute between the Asociacion Profesional Elite Taxi and Uber where the first considers that the second offers a paid service consisting of connecting non-professional drivers with persons who wish to make urban journeys, without holding any local administrative license nor authorization.

The question at stake was clearly set by the Court. The starting point is the principle of freedom of services (article 56 TFUE) and its implementation by two directives: the 2000/31 Directive on e-commerce and the 2006/123 Directive on services in the internal market. On the other side, in each of these three set of rules (TFUE, 2000 and 2006 Directives), an exception is made for “transport services”. The question at stake was to know whether the service offered by Uber could be qualified as a digital service (subject only to the national law of establishment of the service provider) or as a transport service (which must comply with the 28 national laws on transport).

The decision of the Court

The Court first stated (i) that “an intermediation service consisting of connecting a non-professional driver using his own vehicle with a person wishes to make an urban journey is, in principle, a separate service from a transport service“, and (ii) that a transport service is defined as “the physical act of moving persons or goods from one place to another by means of a vehicle“. With this fine line between the two types of services, the Court then concluded that the hereabove intermediation service “meets, in principle, the criteria for classification as an “information society service” within the meaning of the Directive 2000/31“.

The CJEU ruled however that the very activity conducted by Uber is “more than an intermediation service consisting of connecting, by means of a smart phone application, a non-professional driver using his or her own vehicle with a person who wishes to make an urban journey“. The Court then explained that Uber “simultaneously offers urban transport services, which it renders accessible, in particular, through software tools such as the application (…) and whose general operation it organizes for the benefit of persons who wish to accept that offer in order to make an urban journey“.

The Court grounded its reasoning with the two following features to qualify Uber’s service as a transport service:

This intermediation service is “based on the selection of non-professional drivers using their own vehicle, to whom the company provides an application without which (i) those drivers would not be led to provide transport services and (ii) persons who wish to make an urban journey would not use the service provided by those drivers“.
“Uber exercises decisive influence over the conditions under which that service is provided by those drivers” (e.g. the maximum fare fixed by Uber, the amount cashed in first by Uber and then repaid to the drivers, the quality control of the vehicles and of the drivers by Uber with possible exclusion as a sanction).

The impact for startup using intermediation platforms

Although the Court mentions that the service of Uber is “more” than an intermediation service, and that the provider of this intermediation service “simultaneously offer” urban transport services, which imply that this intermediation service does however exist, the Court judged that specific features should invalidate this intermediation service as a digital service. A more up-to-date approach of what is today the Digital Single Market could have led the Court to choose another solution and stay on the digital side.

The reasoning of the Court does not really constitute a guideline for other intermediation platforms. The shortness of the reasoning might convey a more political decision applying to a US giant like Uber. The briefness of the reasoning may also show the inadequacy of the current EU regulation vis-à-vis the new trends of digital economy, specially the large variety of intermediation platforms business models (the « digital service » to which the Court referred has been defined in the 1998 directive).

It seems that this ruling will not materially impact Uber which is already subject to local transport rules in several EU countries.

This ruling will impact European Uber-like businesses as they will have to take into consideration this decision to build their offer: they will deal with 28 local regulations if they cannot qualify as a digital service. But should they fall into the transport service rules, intermediation platforms will have anyway to control whether national political and judicial authorities implement local transport rules in compliance with the general principles of the TFUE.

As regards service providers dealing with non-transport services, it is difficult to anticipate the real impact of this decision since this ruling is highly focused on the relation between liberalization of services and specific rules applicable to transport.

The author of this post is Christophe Héry.

Federico Vasoli

Practice areas

Corporate
Foreign investments
M&A

Contact Federico

Other articles that may interest you
Other articles by Federico

The Milestone EU-Mercosur Trade Deal

Distribution
Foreign investments

Argentina
Brazil
Italy
Uruguay

Vietnam Tackles Global Minimum Tax Implications

Corporate
Foreign investments

Vietnam

Incentives for green hydrogen production in Egypt

Foreign investments
Agency

Egypt

Insurance in FOS (Freedom of Service) – Joint liability with intermediaries for violation of GDPR

Insurance
Distribution

GDPR – Privacy by design and by default

Privacy - Data Protection

Europe
Portugal

EU – Distributed ledger technology – What happened in 2018

Contracts
Information Technology

Europe

Application of GDPR to hotel businesses

Tourism
Privacy - Data Protection

Italy

My Home, My Rules! For Personal Data, Europe Goes Extraterritorial

Privacy - Data Protection

Europe

GDPR – Entry into force and field of application

Privacy - Data Protection

Italy

Hong Kong removed from EU’s Tax Cooperation Watchlist

Hong Kong