Comparative Cybersecurity Law in Socialist Asia.

• Author: Bui, Ngoc Son

TABLE OF CONTENTS I. INTRODUCTION II. SOCIALIST REGULATION OF CYBERSECURITY A. Background 1. China 2. Vietnam B. National Cyberspace 1. China 2. Vietnam C. Major Legal Issues 1. Prohibited Acts 2. Network Operators 3. Critical Infrastructure 4. Data Localization 5. Security Evaluation, Assessment, Inspection, and Supervision 6. Personal Data Regime D. Implementation 1. China 2. Vietnam III. COMPARATIVE ANALYSIS A. Convergences 1. Immediate Diffusion of Cybersecurity Law 2. The Socialist State: Cybersecurity as Regime Security 3. Socialist Legality and Cybersecurity 4. Statist Digital Rights B. Divergences 1. Technological Architecture 2. Exceptionalism vs. Universalism IV. CONCLUSION I. INTRODUCTION

The socialist states of China and Vietnam have comprehensively regulated cybersecurity. China's Cybersecurity Law, which has been arguably one of the most massive regulatory concerns for foreign businesses, (1) came into effect on June 1, 2017. (2) One year after China, Vietnam adopted a similar Cybersecurity Law on June 12, 2018, which came into effect on January 1, 2019. (3)

China's Cybersecurity Law represents the country's determination to build robust digital infrastructure against cybersecurity threats. China has also actively established new cybersecurity institutions, laws, guidelines, and standards in the past five years. (4) The promulgation of a series of cybersecurity laws and rules has echoed President Xi Jinping's pronouncement that "without cybersecurity there is no national security." (5) The enactment of the law drew intense criticism and opposition from foreign businesses, such as Amazon, IBM, Intel, and Microsoft. (6) Both the American Chamber of Commerce and European Chamber of Commerce cast serious doubt on the justification of this legislation. (7) Multinational bodies claimed that the law has possibly enabled more government censorship and surveillance, increased business operating costs and risk of intellectual property infringement, and reinforced the country's protectionism from global competition. (8) However, resistance against the law has gradually withered since the law came into effect in 2017.

The enactment of the Cybersecurity Law in Vietnam is a response to the booming internet in the country and potential threats to national security. Vietnam has over sixty-six million internet users among a population of over ninety-five million people. (9) The number of internet users per one hundred people is 68.70; the number of households with an internet connection is 19,158,310; and the number of households with an internet connection per one hundred households is 71.30. (10) In April 2019, the 5G Base Transceiver station was deployed in the Hoan Kiem Lake area (Hanoi), making Vietnam one of the earliest 5G countries in the world. It has a connection speed of 600-700Mbps--equivalent to the service speed provided to customers of the Verizon 5G network in the United States. (11)

While the Vietnamese government claims that this law is necessary to protect "national security, social order and safety, or the lawful rights and interests of agencies, organizations and individuals," (12) it has been met with vehement criticism from both local and international actors. Many critics believe that the Vietnamese Cybersecurity Law is a mere copy of China's Cybersecurity Law and that it undermines internet freedom and economic development. (13)

Domestic opposition to the law in Vietnam even led to legal mobilization. Two days before its adoption, on June 10, 2018, thousands of people in the capital of Hanoi, Ho Chi Minh City, and other provinces (Da Nang, Nha Trang, Binh Thuan, Binh Duong, Dong Nai, and Vung Tau) held peaceful protests against the Cybersecurity Bill, worrying that it would kill their constitutional rights to freedom of speech, freedom of information, and personal privacy. (14)

Vietnam's Cybersecurity Law was also subject to international criticism. Seventeen US lawmakers urged the CEOs of Facebook and Google to oppose it, believing that the law would "bolster the government's crackdown on online political activism." (15) Amnesty International also wrote a series of open letters to the executives of Apple, Facebook, Google, Microsoft, and Samsung, calling on these companies to "challenge" Vietnam's Cybersecurity Law on the grounds of fundamental human rights. (16)

Although one study has provided a thorough analysis of China's Cybersecurity Law, (17) so far, academic writings in English about Vietnam's Cybersecurity Law are largely absent, although it has been the subject of several popular policy commentaries. (18) This Article seeks to fill in this academic gap. From a comparative regulatory perspective, this Article seeks to understand the convergences and divergences between these two cybersecurity regimes in China and Vietnam.

Like China, Vietnam is a highly regulatory state. This characteristic is particularly prominent in the country's regulation of the internet. Therefore, it is appropriate to situate the legal framework for cybersecurity within regulatory scholarship. (19) In a recent study, Chritel Koop and Martin Lodge defined regulation as "intentional intervention in the activities of a target population, where the intervention is typically direct-involving binding standard-setting, monitoring, and sanctioning-and exercised by public-sector actors on the economic activities of private-sector actors." (20) Based on this pattern-based definition of regulation, this Article defines the regulation of cybersecurity as the state's intervention into the activities of target agencies, organizations, and individuals for the purpose of protecting cybersecurity.

Regulatory scholars have proposed several theories explaining the factors behind regulation: public interest theories, private interest theories, and institutional theories. (21) The interest-based theories (whether public or private) may be more relevant to explaining the regulation of economic activities. The institutional theories are more general, however, which can be useful in explaining the regulation of both economic and non-economic activities. (22) This Article therefore situates the cybersecurity regulation in China and Vietnam within the broader institutional context and argues about both convergences and divergences in the two countries' cybersecurity legal regimes. The convergence of the two laws is due in part to the immediate diffusion of China's Cybersecurity Law in Vietnam, but it is more deeply shaped by structural factors; namely, the ideational and institutional similarities between China and Vietnam. These structural factors include the socialist state, the principle of socialist legality, and the statist approach to human rights generally and digital rights particularly.

Despite these convergent features, there is a foundational divergence in the socialist cybersecurity regulatory regime between the Chinese notion of cybersecurity sovereignty and Vietnamese view of national cyberspace. The reasons for this divergence are both technological and political.

First, compared to China's counterpart, the cybersecurity regulatory regime in Vietnam tolerates greater citizen internet freedom for technological reasons. Without a Great Firewall or internet filtering, Vietnamese citizens can enjoy Google, Facebook, Twitter, and YouTube freely. In contrast, China has developed Chinese alternatives to these platforms (Baidu, WeChat, Weibo, and Youku, respectively). (23) The Vietnamese government does not have technological alternatives to control activities in cyberspace, so the Vietnamese cybersecurity regulatory framework must tolerate citizens' internet freedom to a certain extent.

Second, Chinese exceptionalism generates the concept of cybersecurity sovereignty as the basis of China's distinctive form of technological innovation and broader development according to socialism with Chinese characteristics. Conversely, Vietnamese universalism enables it to reference the global experience of cybersecurity law and regulate cyberspace while treating the internet as a global network beyond national sovereignty.

This Article contributes to the scholarship on comparative law. While both China and Vietnam are socialist countries with similar cybersecurity laws, the social reactions to and the actual implementations of the laws in the two countries differ significantly. Therefore, a careful examination of influencing factors, such as legal culture, political economy, and technological infrastructure, will provide a valuable lens for comparative law studies.

This Article is structured as follows. Part II descriptively explores the regulatory framework of cybersecurity in Vietnam compared to China, demonstrating how the two laws have institutionalized the two socialist states' longstanding assertions of internet sovereignty under the pretense of protecting cybersecurity and how the cybersecurity laws are designed to strengthen national security. This Part then explores major legal issues in the substance of the cybersecurity laws, which include the obligations of network operators, defense of critical infrastructure, data localization, security review, and protection of personal information. Part III comparatively analyzes the divergences and convergences in cybersecurity regulation in China and Vietnam, explaining the diffusion of China's Cybersecurity Law in Vietnam and the laws' convergent ideational and institutional factors, including the unique socialist approaches to cybersecurity, market intervention, legal ambiguity, and statist digital human rights. The underlying socialist value and ideology shared between China and Vietnam are significantly different from those in the Western world. This Part also explains divergences in cybersecurity regulation in the two countries. Finally, Part IV concludes.

2. SOCIALIST REGULATION OF CYBERSECURITY

   Despite different approaches to the notion of cyberspace sovereignty...