You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
February 20, 2025

A Closer Look at Vietnam’s Decree 147 on Internet Services and Online Information

Subscribe to Updates

Vietnam’s Decree No. 147/2024/ND-CP on the management, provision, and use of internet services and online information (Decree 147) was issued on November 9, 2024, and came into effect on December 25, 2024. Decree 147 represents a more stringently regulated digital landscape in Vietnam, creating challenges not only for offshore service providers offering cross-border services but also for onshore providers. As these new regulations impose stricter requirements, particularly in areas like content control, user authentication, data storage, and service license/notification, companies will need to adapt quickly to maintain compliance and minimize legal risks.

The following are some of the key topics covered by Decree 147.

[Note: Shortly after the issuance of Decree 147, Vietnam began a government restructuring process, with the aim of streamlining the government by consolidating and eliminating various ministries and agencies. Thus, the decree’s references to authorities such as the Authority of Broadcasting and Electronic Information (ABEI) and the Ministry of Information and Communications (MIC) are subject to change.]

1. Cross-Border Information Provision

Cross-border information provision is defined broadly as the provision by overseas organizations and individuals of information and online information content services for service users in Vietnam to access or use. This wide-ranging definition encompasses various types of cross-border services, including social network services, online game services, and app store services. However, cross-border provision of online game services remains prohibited under Decree 147 (see further details below).

Offshore providers of services on a cross-border basis who lease data storage in Vietnam or meet a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months (“regulated cross-border providers”) must adhere to stricter requirements. Specifically, they are required to, among other requirements:

  • Notify the relevant authority of their contact information, including the location of the main server providing the service, within 60 days of reaching the total visit threshold.
  • Inspect, monitor, prevent, and remove any content, services, and applications that violate the law within 24 hours from the time of a request from the relevant authority, and within 48 hours of receiving complaints from Vietnamese users regarding content, services, and applications that violate Article 8 of the Cybersecurity Law (which lists a wide range of prohibited acts in cyberspace, such as cyberterrorism, spreading malware, and advertising or trading in banned goods/services).
  • Store personal data of users from Vietnam, such as full name, date of birth, email, and Vietnamese mobile phone number (or ID number), and delete this data when the storage period expires.
  • Provide information of users from Vietnam to the relevant authority upon request for investigation and for law enforcement purposes.
  • Authenticate social network user accounts via users’ Vietnamese mobile phone numbers or ID numbers if they do not have Vietnamese mobile phone numbers, or if they use the livestream feature for commercial purposes; and ensuring that only verified accounts can post information (write posts or comments, livestream) and share content on social networks.
  • Classify and display warnings of content that is not suitable for children.
  • Receive and handle complaints from service users.
  • Provide tools for searching and scanning content as requested by the relevant authority.
  • Report annually to the relevant authority on their service provision to users from Vietnam and on an ad hoc basis regarding matters of national security, social order, and emergency upon the authority’s request.

Failure to comply with these obligations allows the relevant authority to enforce technical measures to block non-compliant content, services, and applications, as well as impose administrative penalties.

Only cross-border service providers who have notified the relevant authority of their contact information are allowed to provide livestream features or provide revenue-generating activities in any form.

2. Social Network Services

Regulated offshore social network service providers will be required to meet the obligations outlined above on cross-border information provision.

Onshore social network services, offered by organizations or enterprises with legal status in Vietnam, are categorized as either “high-visitor” or “low-visitor” based on the number of regular visitors. The high-visitor category includes social networks with total monthly visits of 10,000 or more (based on a monthly average over six consecutive months) or with more than 1,000 regular users in a month (“regular” is not further defined). High-visitor onshore social network service providers are required to obtain a license from the relevant authority to operate, while low-visitor providers must obtain a notification confirmation from the authority to provide social network services.

Only licensed onshore providers are permitted to provide livestream features or engage in revenue-generating activities of any kind. Therefore, if a low-visitor onshore provider intends to offer livestream features or revenue-generated services, it must apply for a social network service license.

Onshore social network service providers face stricter requirements than regulated offshore social network service providers as they must additionally meet obligations including having at least one server in Vietnam to serve investigations and information provision at the request of the relevant authority, connecting to the monitoring system of the relevant authority for statistics and user access monitoring, and being subject to inspections by the authority.

Within 90 days from the effective date of Decree 147 (i.e., by March 25, 2025), both onshore and regulated offshore social network service providers are required to authenticate the identities of their active users. Additionally, within this same timeline, licensed onshore social network service providers are required to review and report to the relevant authority the number of total visits per month from Vietnam for six consecutive months, as well as the number of regular users per month.

Both onshore and offshore social network service providers must temporarily or permanently block social network accounts, community pages, community groups, and content channels that frequently violate the law. Temporary blocking will be applied at the relevant authority’s request when these accounts, community pages/groups, or channels have been found to violate the law at least five times within a 30-day period or at least 10 times within a 90-day period. The temporary block must be implemented within 24 hours of the relevant authority’s request and will last from 7 to 30 days, depending on the number and severity of the violations. A permanent block will be enforced when such accounts, community pages/groups, or channels publish illegal content that impacts national security or have previously been temporarily blocked at least three times as per request from the relevant authority.

If onshore social network service providers do not comply with the request of the relevant authority, the authority will suspend the provision of social networking services or revoke the license.

3. Online Game Services

Decree 147 expressly provides that offshore entities providing online game services to users in Vietnam must establish an enterprise in compliance with the decree and with regulations on foreign investment to provide such services. As a result, the cross-border provision of online games remains prohibited.

Online games are still categorized into four types: G1 games have interaction among multiple players via the game server; G2 games only have interaction between players and the game server; G3 games have interaction among multiple players without interaction between players and the game server; and G4 games are downloaded from the internet without interaction among players or between players and the game server.

Enterprises may provide G1 games after obtaining a license to provide G1 game services and a decision on release of a G1 game. Meanwhile, to provide G2, G3, and G4 games, enterprises must obtain a certificate of game service provision and a notification confirmation of G2, G3, or G4 game release. The license to provide G1 game services and certificate of game service provision for G2, G3 and G4 game services have a 10-year maximum duration while the decision and notification confirmation of game release has a 5-year maximum duration.

Decree 147 explicitly introduces regulations that prohibit the release of online games that feature content and scenarios resembling prizewinning games in casinos or games using images of playing cards. This regulation is designed to prevent transformation of online games into gambling activities in the virtual realm.

The main responsibilities of online game service providers include:

  • Having at least one server in Vietnam to serve the purposes of investigations by the relevant authority and handling of user complaints.
  • Having a website that introduces and provides services, displaying required information such as age-based game classification, rules for handling complaints and disputes, and details about the service provider.
  • Implementing measures to mitigate the negative impacts of each game, including registering, storing, authenticating, and managing player content and information, and ensuring that only players who provide complete and accurate information can participate, and players are warned about the effects of excessive gameplay.
  • Implementing technical measures to manage forums, shared content, and interactions between players.
  • Not advertising online games without a decision on G1 game release or notification confirmation of G2, G3, or G4 game release.
  • Submitting service provision reports regularly every six months and on an ad hoc basis when requested by the relevant authority.
  • Being subject to inspections, examinations, and enforcement actions by the relevant authority.
  • Connecting to legitimate payment methods only.
  • Storing player information for the duration of service use and for six months after a player stops using the service. Providers must also establish a system to connect to the national population database to verify player information upon request by the relevant authority.

4. App Store Services

Regulated cross-border app store service providers will be required to meet the obligations outlined above for cross-border information provision. Additionally, they are required to remove any apps that violate the law within 24 hours of receiving a request from the relevant authority; comply with Vietnamese payment regulations; and ensure that any online game service providers offering services to users in Vietnam provide the decision on G1 game release or notification confirmation of G2, G3, G4 game release before uploading their games to the app store.

5. Telecom, Internet, Web Hosting, Data Center, and Telecom Application Services

Telecom, internet, web hosting, data center and telecom application service providers are required to report to the relevant authority within 24 hours of self-discovery or receipt of feedback or complaints from users about content, services, and applications that violate Article 8 of the Cybersecurity Law; remove infringing content within 24 hours of request from the relevant authority; and handle requests and complaints about intellectual property in accordance with intellectual property laws. Additionally, they are required to submit annual reports to the relevant authority on data storage rental services provided in Vietnam to foreign entities for providing cross-border information to Vietnamese users, as well as ad hoc reports when requested by the relevant authority.

Telecom and internet enterprises must also, among other obligations:

  • Implement necessary technical measures to block access to content, services, and applications that violate the law within 24 hours of receiving a request from the relevant authority, e.g., Department of Cybersecurity and High-Tech Crime Prevention (A05) of the Ministry of Public Security (MPS).
  • Implement measures to monitor, collect, and detect information that violates the law at the request of the relevant authority (for violations of copyright and intellectual property, in compliance with intellectual property law).
  • Provide information and data related to telecom and internet subscribers suspected of violations to enable accurate identification of offenders, upon request from the relevant authority, e.g., A05 under the MPS.
  • Refuse, suspend, or terminate connections to online games without proper licenses or certificates to provide game services or decisions/notification confirmations for game release.
  • Comply with the relevant authority’s requests to coordinate, report, and carry out other measures as requested by the authority.

6. Public Internet Access Points

Owners of public internet access points in hotels, restaurants, airports, coffee shops, and other public spaces who offer paid internet access services must register as internet agency businesses and sign internet agency contracts, while those offering the services for free are not required to do so.

Internet agents are required to display an “internet agent” sign with their registration number. If the location also serves as a public online gaming point or public internet access point, this information must also be clearly indicated on the sign. When providing online game services, internet agents also have the responsibilities of an owner of a public online gaming point. Additionally, they must not organize or allow internet users to use computer features at their business location to perform prohibited acts.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

February 17, 2025
Thailand’s draft Emergency Decree on Technology Crimes Suppression, which we covered in a client alert in January 2025 primarily addressed to telecom operators and financial institutions, is expected to have significant implications for a wide range of business operators.  The draft emergency decree has already been approved by the cabinet but may undergo further developments as it continues in the legislative process. In this article, we will highlight the material impacts of the draft emergency decree on overseas and local fintech operators. Expanded Definition of “Technology Crimes” The definition of “technology crimes” now includes the following acts of forgery or alteration: Forging or altering the identity of individuals and biometric characteristics by utilizing computer or communication systems or other electronic means to commit offenses. Forging or altering symbols, trademarks, or seals of groups (e.g., foundations, community enterprises) or juristic persons, including acts by juristic persons using individuals or juristic persons as nominal directors or shareholders, regardless of whether such individuals or legal juristic persons reside in Thailand. Forging or altering digital or online platforms, regardless of the platform’s location or legal status. Individuals who conspire, utilize, assist, or support the commission of these offenses will face the same penalties as the principal offender. Business Operator Definition The scope of “business operators” is now expanded to cover various fintech and digital asset operators beyond those under the Payment Systems Act (PSA). The draft emergency decree now includes the following operators, whether they are legally authorized or not: Business operators under the PSA and business operators who operate “as if” they are payment system operators Business operators under the Royal Decree on Digital Asset Businesses or business operators who operate “as if” they are digital asset business operators. Foreign exchange business operators. Disclosure and Exchange of Information Business operators must disclose
Read More
February 7, 2025
Vietnam’s political system is currently undergoing a significant reorganization to streamline government operations and improve efficiency. In this regard, Plan 141/KH-BCDTKNQ18, issued on December 6, 2024, provided guidelines on the restructuring of existing ministries, ministerial-level agencies, and government-affiliated agencies. Accordingly, the number of ministries is being reduced from 18 to 14 through mergers and consolidations and the establishment of a new Ministry of Ethnic and Religious Affairs. The number of ministerial-level agencies is being reduced to three, and government-affiliated agencies to five. Similar streamlining is happening at provincial levels. The newly consolidated state agencies will assume all functions, rights, and responsibilities of the merged entities, and will continue handling all ongoing matters previously handled by the former agencies. Some examples of these changes include the following: The Ministry of Science and Technology (MOST) will oversee telecommunications, IT applications, cybersecurity, e-transactions, and national digital transformation, which had previously been managed by the Ministry of Information and Communications (MIC). MOST will also be responsible for issuing licenses related to these areas, such as licenses for G1 online game services and telecommunication services. The Ministry of Culture, Sports, and Tourism will assume the responsibility of press management, previously under the MIC. The Ministry of Finance will assume state management functions related to investment, previously handled by the Ministry of Planning and Investment. Provincial Departments of Finance will issue Investment Registration Certificates and Enterprise Registration Certificates, a responsibility previously held by the Departments of Planning and Investment. The Ministry of Home Affairs will oversee labor and employment matters. Provincial Departments of Home Affairs will be authorized to issue work permits and will be the designated authorities for companies to register their internal labor regulations. Official Letter No. 35/CV-BCDTKNQ18 dated January 23, 2025, mandated that all ministries submit their draft decrees outlining their functions,
Read More
February 6, 2025
The Thai government has proposed amendments to the Gambling Act B.E. 2478 (1935), aiming to address the growing influence of online gambling activities and strengthen regulatory oversight. These amendments, if enacted, would introduce significant changes, particularly concerning online gambling operators, participants, and related advertising activities. The draft amendment is currently in the public hearing process, which is scheduled to conclude on February 14, 2025. Key highlights of the proposed amendments are discussed below. Online Gambling In the proposed amendment, “online gambling” refers to gambling via a computer system or electronic system either through the internet or through remote communication. Organizing, participating in, or engaging in any type of online gambling is prohibited unless authorized by the competent authority. This opens the door for the authorization of casino-style online gambling in Thailand. However, the proposed amendment also imposes strict penalties on both operators and gamblers engaging in unauthorized online gambling: Anyone who organizes unauthorized online gambling is subject to imprisonment for 7–12 years. This penalty also applies to those responsible for managing electronic systems or tools used to facilitate gambling, as well as anyone involved in advertising, promoting, or deceiving others, either directly or indirectly, to engage in online gambling without proper authorization. Any person who engages in unauthorized online gambling is subject to imprisonment for 1–3 years. Dealers, supervisors of gambling or gambling activities, runners conveying wagers or other betting information, and owners of premises who knowingly permit such unauthorized activities are subject to imprisonment for 5–7 years. Penalties for Unauthorized Offline Gambling Operators The proposed amendment revokes the previous penalties under the Gambling Act and proposes stronger penalties. Both the original penalties and the proposed replacements depend on the type of gambling activity under the law, which classifies gambling activities into two types—list A and list B. List
Read More
February 3, 2025
On January 28, 2025, the Office of the Personal Data Protection Committee (PDPC) hosted Data Privacy Day 2025, bringing together over 1,000 participants from both the public and private sectors. The event underscored the importance of personal data protection and aimed to raise nationwide awareness while fostering a culture of compliance. During the event, the PDPC reaffirmed its commitment to strengthening Thailand’s data protection framework to align with international standards. The initiative also emphasized the collective goal of achieving zero data breaches. During the first session of the event, Mr. Prasert Jantararuangtong, deputy prime minister and minister of digital economy and society, delivered a speech highlighting the role of personal data protection in fostering Thailand’s digital economy. He emphasized that strong data protection measures enhance business credibility, build consumer trust, and attract foreign investment. He also addressed the PDPC’s “zero data breach” policy and the ongoing issue of data leaks, which have been exploited by call-center scam operations to deceive the public and cause financial harm. Additionally, Mr. Prasert announced that the Thai cabinet has approved a draft amendment to the Emergency Decree on Cyber Crime Prevention and Suppression B.E. 2566 (2023), commonly referred to as the “Cyber Crime Decree.” The draft will now proceed to the Council of State for review before its official enactment. Key provisions of the amendment include holding financial institutions, telecom providers, and social media platforms accountable for technology-related crimes; requiring compensation for victims; and enforcing stricter security measures. Cyber offenses, including personal data trading, face harsher penalties of up to THB 5 million in fines or five years of imprisonment. Authorities are also empowered to suspend suspicious SIM cards for committing illegal activities and expedite monetary refunds for victims without court approval. In the second session, the Office of the PDPC presented its
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice