On 1st January 2019, Vietnam joined the list of other ASEAN countries in introducing a law on cybersecurity. The new Vietnamese law is somewhat similar to a law passed recently by China, which forces tech companies like Apple to host data on local servers, which allows the Chinese government to access for example private iCloud data from its Chinese users.
According to the law, Vietnam’s authorities will have the discretion to determine when expression might be identified as ‘illegal’ and restricted. It bans Internet users in Vietnam from organizing activities for ‘anti-state purposes’ or to be allowed to distort the nation’s history.
In Part 1, we ended our article with the question that most cybersecurity laws don't directly explain what lawmakers meant by cybersecurity and what the cybersecurity professionals understand it to be. To the cybersecurity professionals, actual attacks are designed to disrupt, deny, degrade, manipulate, or destroy information systems and/or the information that cut across organisations and countries is a clear cut issue but to the lawmakers, the inclusion of dissemination of content considered 'fake' or illegal is also a cybersecurity issue.
Not surprisingly, Vietnam is following the Chinese model where the country is now in the process of developing its own social media and internet platforms, as a way of decreasing reliance on foreign organisations like Facebook as well as to increase its ability to fight cyber-crime and hostile content. In a time when some foreign global companies have been accused with being closely tied with their governments (e.g., telecommunications, computer security), the ability to compel the activities of these foreign organisations in a sovereign state seems a practical approach.
In Thailand, it was reported that the government is preparing a draft cybersecurity law that would give a new government agency, a newly created National Cybersecurity Committee (NCSC) the authority and sweeping powers to access the computers of individuals or private companies, make copies of information, spy on internet traffic, order the removal of content, or even seize computers without judicial oversight and enter private property without court orders. The NCSC could also summon businesses or individuals for interrogation and force them to hand over information belonging to other parties. Criminal penalties would be imposed for those who do not comply.
The law was supposed to have been approved for legislation end of 2018. Again, in this case, the meaning of cybersecurity as defined by the lawmakers transcends the understanding and definition of cybersecurity law by cybersecurity professionals. For both Vietnam and Thailand, the introduction and possible introduction of new laws on cybersecurity has raised alarms amongst the foreign business community. Facebook incurred the wrath of the Vietnamese government when on 10 January 2019, a mere 10 days after the legislation became law in the country, the government of Vietnam publicly accused Facebook of violating its cybersecurity laws.
Our government has announced in October last year that it will review and amend the Personal Data Protection Act (PDPA) to reflect the current and future needs of the country in view of the speed of development in cyberspace. Recently the Deputy Minister for MITI also mentioned that the government is looking at attracting quality and high technology companies to invest in Malaysia.
We should take heed of such developments.