Vietnam’s new Telecom Law 2023 was promulgated on November 24, 2023, and will take effect on July 1, 2024, for most telecom services. For three newly introduced telecom services—OTT telecom services, internet data center services, and cloud computing services—implementation and compliance will be delayed until January 1, 2025. These new services will be explored briefly below.

The Ministry of Information Communication (MIC) is currently in the process of developing a number of decrees and circulars that will detail the implementation of the Telecom Law 2023, including one main decree that guides the new law in general. This decree is scheduled for prompt promulgation to coincide with the law’s effective date of July 1, 2024.

The draft version of this decree, dated February 22, 2024 (“Draft Decree”), was shared for consultation with international organizations, associations, and enterprises by the Vietnam Telecom Agency (VNTA) in early March 2024 to gather feedback. The Draft Decree is expected to undergo further revisions before being sent to relevant state agencies for input and submission to the Ministry of Justice for assessment by the end of March 2024. The MIC anticipates submitting the subsequent version to the government by April 15, 2024.

New Telecom Services: OTT Telecom Services, IDC Services, and Cloud Computing Services

In comparison to the Telecom Law 2009, the Telecom Law 2023 has three new telecom services:

• Basic telecommunications services on the internet (OTT telecom services) are defined as services whose primary functions including the sending, transmission, and receipt of information between two persons or a group of people using telecommunications services on the internet (Article 3.8 of the Telecom Law 2023). By incorporating the term “primary functions” into the definition, the Telecom Law 2023 aims to exclude services such as ride-hailing platforms where the primary function is transportation, not telecom services for sending and receiving messages between users. This intention has been clearly confirmed by the VNTA in its series of consultation meetings with industry groups during the development process of the new law.
• Internet data center (IDC) services are services that provide functions including processing, storage, and retrieving information for users via the telecom network by partially or fully leasing a data center.
• Cloud computing services are telecom services that provide functions including processing, storage, and retrieving information for users over the telecom network via cloud computing.

Under the Draft Decree (Article 5.3), these three new services are all classified as “value-added telecom services.”

Indications of Light-Touch Management Principle

Unlike traditional telecom services, these three new services will be subject to a light-touch management principle. While this was not clearly provided in the new Telecom Law 2023, which left it to future decrees to provide further guidelines, the Draft Decree reflects this intention much more clearly.

Cross-border service provision: In particular, the Draft Decree excludes these three new services from the requirement of subjecting offshore companies to sign a commercial agreement with a local licensed telecom company for service provision. Providers of these three new services only need to notify the VNTA before service provision.

Nevertheless, there are certain unclear matters that require refinement in a subsequent version of the Draft Decree. One such issue is whether offshore service providers can commence services immediately after notifying the VNTA, or if they must wait for the VNTA to issue a confirmation of notification. During its meeting for gathering feedback in early March 2024, the VNTA affirmed that offshore companies could provide services immediately upon notification, eliminating the need for any confirmation, and noted that it will consider removing the confirmation requirement from the Draft Decree.

Onshore service provision: The Draft Decree has also lifted the foreign ownership restriction applied to these three new telecom services. It requires onshore service providers of OTT telecom and cloud computing services to merely notify VNTA before providing their services. Onshore IDC service providers must register with VNTA before beginning service provision.

Similarly, there is ambiguity regarding whether IDC service providers must wait for the issuance of a confirmation of registration before providing the services, or can provide the services immediately upon registration. In response to this query, VNTA clarified that IDC service providers are required to obtain a registration certificate before commencing their services.

Key Obligations of Service Providers

The Draft Decree introduces a few key obligations of service providers:

• Verify information about users’ mobile phone numbers before providing services, and store users’ information (service username and mobile phone number) and information about the service usage for the duration specified in the cybersecurity law with regard to OTT telecom service providers.
• Store and manage user information (full name and telephone or email for individuals; organization name and address, and full name, telephone or email of contact person for organizations) with regard to IDC and cloud computing services. The industry has expressed concerns that this Draft Decree might pose a trade barrier, as current trends among OTT service providers involve minimizing the collection and storage of users’ personal information, aligning with their obligations for personal data protection. By reducing the collection and storage of personal information, not only are costs lowered, but the risk of user data leakage during system attacks is also diminished. Despite these concerns, VNTA has justified the inclusion of telephone numbers, asserting that they are essential for tracking violators in the event of violations through OTT services. Furthermore, VNTA highlighted the effective management of junk SIM cards by the MIC, reducing the risk of being unable to trace individuals based on such junk SIM cards. It is worth noting that the name provided to OTT service providers is the service username, not the actual name of the users.
• Protect state secrets pursuant to the law on protection of state secrets: This requirement introduces compliance risks as service providers primarily serve as intermediaries without direct access to user information, which is typically encrypted. In response, VNTA has expressed an intention to review and clarify the wording, emphasizing that the obligation applies when service providers are aware of violations but fail to comply with authorities’ requests to prevent or stop such violations.