THE NATIONAL ASSEMBLY | | THE SOCIALIST REPUBLIC OF VIETNAM Independence - Freedom - Happiness |
No. 20/2023/QH15 | | |
LAW ON E-TRANSACTIONS[1]
Pursuant to the Constitution of the Socialist Republic of Vietnam;
The National Assembly promulgates the Law on E-Transactions.
Chapter I
GENERAL PROVISIONS
Article 1. Scope of regulation
1. This Law provides for the implementation of transactions by electronic means.
2. This Law does not govern the contents, conditions and forms of transactions.
3. In cases where other laws stipulate or do not stipulate the implementation of transactions by electronic means, this Law applies. In cases where other laws contain provisions prohibiting the implementation of transactions by electronic means, such laws shall prevail.
Article 2. Subjects of application
This Law applies to agencies, organizations and individuals directly engaged in or related to e-transactions.
Article 3. Interpretation of terms
In this Law, the terms below are construed as follows:
1. E-transaction means a transaction implemented by electronic means.
2. Electronic means hardware, software, information system or other means that operates based on information, electrical, electronic, digital, magnetic, wireless, optical, electro-magnetic technologies or other similar technologies.
3. Electronic environment includes telecommunications network, the Internet, computer network and information system.
4. Data message means information created, sent, received and stored by electronic means.
5. E-certificate means a license, certification, certificate, confirmation, or written approval issued by a competent agency or organization in the form of electronic data.
6. Data include symbols, scripts, numerals, images, sounds and the like.
7. Electronic data means data created, processed and stored by electronic means.
8. Digital data means electronic data created using digital signals.
9. Master data means data containing core information to describe a specific object, serving as a basis for reference and synchronizing different databases or data sets.
10. Database means a compilation of electronic data arranged and organized for access, exploitation, sharing, management, and updating of information through electronic means.
11. E-signature means a signature created in the form of electronic data that is attached to or logically combined with a data message to authenticate the signatory and confirm his/her approval of the data message.
12. Digital signature means an e-signature using asymmetric key algorithms consisting of a private key and a public key, in which the private key is used to make a digital signature and the public key is used to verify the digital signature. A digital signature ensures the authenticity, integrity and undeniability but cannot ensure the confidentiality of the data message.
13. E-signature certificate means a data message certifying an authenticated agency, organization or individual is the e-signatory. An e-signature certificate for a digital signature is called a digital signature certificate.
14. Digital signature authentication service means a service provided by a digital signature authentication service-providing organization to authenticate the digital signatory in a data message, thereby ensuring the undeniability of the digital signatory to the data message as well as the integrity of the digitally signed data message.
15. Timestamp means electronic data attached to a data message enabling the identification of the existence of the data message at a specific time.
16. E-contract means a contract established in the form of data message.
17. Intermediary means an agency, organization or individual that represents another agency, organization or individual to send, receive or store data messages or to provide other services related to such data messages.
Article 4. E-transaction development policies
1. To protect the interests of the State and public interests, and lawful rights and interests of agencies, organizations and individuals.
2. To ensure the voluntary selection of implementation of e-transactions; voluntary agreement on selection of types of technology, electronic means, e-signatures, and other forms of certification by electronic means to implement e-transactions, unless otherwise provided by law.
3. To develop e-transactions comprehensively at all stages to thoroughly implement from the very first stage to the last stage of e-transactions by electronic means and promote digital transformation; to optimize procedures and shorten processing time to make e-transaction more convenient than other transaction methods.
4. To synchronously apply mechanisms and measures to encourage, incentivize and facilitate the development of e-transactions; to give priority to investment in technology infrastructure development, and development and application of new technologies, training for human resources related to e-transactions, especially in mountainous areas, border areas, on islands, in ethnic minority areas, areas with difficult socio-economic conditions and areas with extremely difficult socio-economic conditions.
Article 5. Assurance of cyberinformation security and cybersecurity in e-transactions
1. When implementing e-transactions, agencies, organizations and individuals shall comply with the law on e-transactions, law on cyberinformation security, law on cyber security and other relevant laws.
2. Information in a data message which is classified as state secret must comply with the law on protection of state secrets and the law on cipher.
Article 6. Prohibited acts in e-transactions
1. Taking advantage of e-transactions for infringing upon national interests and security, social order and safety, public interests, and lawful rights and interests of agencies, organizations and individuals.
2. Illegally obstructing or preventing the process of creating, sending, receiving and storing data messages or committing other acts to undermine the information systems serving e-transactions.
3. Illegally collecting, providing, using, disclosing, displaying, spreading or trading in data messages.
4. Counterfeiting, distorting, or illegally deleting, invalidating, copying or moving part or whole of data massages.
5. Creating data messages in order to commit illegal acts.
6. Fraudulently making, counterfeiting, appropriating or illegally using e-transaction accounts, e-certificates, e-signature certificates, and e-signatures.
7. Obstructing the choice to conduct e-transactions.
8. Other prohibited acts specified by law.
Chapter II
DATA MESSAGES
Section I
LEGAL VALIDITY OF DATA MESSAGES
Article 7. Formats of data message
1. A data message may be presented in the form of electronic document, electronic record, e-certificate, electronic file, electronic contract, e-mail, telegram, telegraph, facsimile and other forms of electronic data interchange as prescribed by law.
2. Data messages may be created and generated during the process of e-transaction or converted from paper documents.
Article 8. Legal validity of data messages
Information in a data message cannot have its legal validity denied for the sole reason that it is expressed in the form of data message.
Article 9. Data messages valid as documents
1. In case the law requires information to be in writing, a data message shall be considered having met this condition if the information contained therein is accessible and usable for reference.
2. In case the law requires a document be notarized or authenticated, a data message shall be considered having met this condition if it is notarized in accordance with the law on notarization and authenticated in accordance with this Law and the law on authentication.
Article 10. Data messages valid as original documents
A data message may be used and valid as an original document when fully satisfying the following requirements:
1. The integrity of information in the data message is ensured since its origination in the form of a complete data message.
Information in a data message is considered retaining its integrity when it remains unaltered, except for changes in its form, which arise in the process of sending, storage or display of the data message.
2. Information in a data message is accessible and usable in its complete form.
Article 11. Data messages valid as evidence
1. A data message can be used as evidence in accordance with this Law and the law on procedures.
2. The validity for use as evidence of a data message shall be determined based on the reliability of the manner in which the data message was originated, sent, received or stored; the manner to ensure and maintain the integrity of the data message; and the manner in which its originator, sender or recipient was identified, and on other relevant factors.
Article 12. Conversion between paper documents and data messages
1. A data message converted from a paper document must fully satisfy the following requirements:
a/ Information in the data message ensures the same integrity as the paper document;
b/ Information in the data message is accessible and usable for reference;
c/ There is a distinct symbol certifying the conversion from the paper document into the data message and information of the converting agency, organization or individual;
d/ In case the paper document is a license, certification, certificate, confirmation or another written approval issued by a competent agency or organization, the conversion must comply with Points a, b and c of this Clause, and the converted one must bear the digital signature of the converting agency or organization, unless otherwise provided by law. The information system used for the conversion must have the function of converting paper documents into data messages.
2. A paper document converted from a data message must fully satisfy the following requirements:
a/ Information in the paper document ensures the same integrity as the data message;
b/ There is information available for identifying the information system and its administrator who created, sent, received and stored the original data message for searching;
c/ There is a distinct symbol for certifying the conversion from the data message into the paper document and information of the converting agency, organization or individual;
d/ In case a data message is an e-certificate, the conversion must satisfy the requirements specified at Points a, b and c of this Clause, and bear the signature and seal (if any) of the converting agency or organization in accordance with law. The information system used for the conversion must have the function of converting data messages into paper documents.
3. Converted documents have the legal validity as provided by relevant laws.
4. The Government shall detail this Article.
Article 13. Forms of storage of data messages
1. In case documents, records, dossiers, files or information are required by law to be stored, such documents, records, dossiers, files or information may be stored in the form of data messages when the following requirements are fully satisfied:
a/ The information in the data message is accessible and usable for reference;
b/ The information in the data message is stored in the very format in which it was originated, sent or received, or in a format that can correctly display the information;
c/ Such data message is stored in a certain manner permitting the identification of its origin, sender, recipient, and the date and time when it was sent and received.
2. Unless otherwise provided by law, agencies, organizations and individuals may store documents, records, dossiers, files or information either in the form of paper document or in the form of data message if such data messages satisfy the requirements specified in Clause 1 of this Article.
3. Contents and time limits for storage of data messages must comply with the law on archive and other relevant laws. The storage of data messages is as valid as the storage of paper documents.
Section 2
SENDING AND RECEIPT OF DATA MESSAGES
Article 14. Originators of data messages
1. The originator of a data message is an agency, organization or individual that creates or sends the data message before it is stored, but does not include an intermediary transmitting such data message.
2. Unless otherwise agreed upon by the parties to the transaction, the identification of the originator of a data message is provided as follows:
a/ A data message is considered as that of the originator if it is sent by the originator, its/his/her representative or an established automatic information system designated by the originator;
b/ The recipient may consider a data message belonging to the originator if the recipient has applied the verification methods consented by the originator and such methods produce the result that such data message belongs the originator;
c/ As from the time the recipient becomes aware of or is notified by the originator that a data message is sent due to a technical error, and has applied error-verifying methods consented by the originator, Points a and b of this Clause will not apply.
3. In case a party makes an error in inputting information via an automatic information system which does not provide an opportunity for such party to correct it, the party has the right to retrieve the inputted information if fully satisfying the following requirements:
a/ The originator who made an error in inputting information has notified relevant parties of the error immediately after it/he/she becomes aware of the error;
b/ The originator who made an error in inputting information has not used or received any benefits (if any) from other parties.
4. The right to retrieve erroneous information specified in Clause 3 of this Article does not affect the responsibility for settling consequences arising from such error in e-transactions as provided by relevant laws.
5. An originator shall take responsibility before law for contents of its/his/her originated data message.
Article 15. Time and place of sending data messages
Unless otherwise agreed upon by the parties to a transaction, time and place of sending a data message are as follows:
1. The time of sending a data message is the time when such data message leaves an information system under the control of the originator or its/his/her representative. In case the information system is out of control of the originator or its/his/her representative, the time of sending a data message is the time when such data message enters the information system;
2. The sending place of a data message, regardless where it is sent, shall be deemed to be the headquarters of the originator, if the originator is an agency or organization, or the permanent residence of the originator, if the originator is an individual. In case the originator has more than one headquarters, the place of sending the data message shall be deemed to be the main headquarters or the headquarters which has the closest relationship with the transaction.
Article 16. Receipt of data messages
1. The recipient of a data message is an agency, organization or individual or its/his/her representative who is assigned to receive the data message from its originator, excluding any intermediary transmitting such data message.
2. Unless otherwise agreed upon by the parties to the transaction, the receipt of a data message is as follows:
a/ The recipient of a data message is deemed to have received such message if the message is entered into an information system designated by him/her/it and accessible;
b/ The recipient may consider each received data message an independent one, unless such message is a copy of another and the recipient knows or ought to know that it is a copy;
c/ In case the originator has required or agreed with the recipient before or during the sending of a data message that the recipient must send a notice of receipt of such message, the recipient must comply with such request or agreement;
d/ In case the originator, before or during the sending of a data message, has stated that such data message will be valid only when he/she/it receives a notice of receipt, such data message shall be considered having not been sent till the originator receives a notice of the receipt of such message from the recipient;
dd/ In case the originator has already sent a data message without stating that the recipient must send a notice of receipt and has not yet received the notice of receipt, except the case specified at Point a of this Clause, the originator may notify the recipient that no notice of receipt has been received and set a reasonable period of time for the recipient to send the notice; if the originator still fails to receive any notice within the specified period, it/he/she has the right to treat the data message as it had never been sent.
Article 17. Time and place of receiving data messages
Unless otherwise agreed upon by the parties to the transaction, the time and place of receiving a data message are as follows:
1. In case the recipient has designated an information system for receiving a data message, the message-receiving time is the time when the data message enters the designated information system and is accessible; if the recipient has not designated a specific information system for receiving the data message, the message-receiving time is the time when the data message enters any information system of the recipient and is accessible.
2. The receiving place of a data message, regardless where it is received, shall be deemed to be the headquarters of the recipient, if the recipient is an agency or organization, or the permanent residence of the recipient, if the recipient is an individual. In case the recipient has more than one headquarters, the place of receiving the data message shall be deemed to be the headquarters or office that has the closest relationship with the transaction.
Article 18. Automatic sending and receipt of data messages
In case the originator or the recipient has designated one or more than one information system for the purpose of automatic sending or receipt of data messages, the sending and receipt of data messages must comply with Articles 14,15,16 and 17 of this Law.
Section 3
E-CERTIFICATES
Article 19. Legal validity of e-certificates
1. Information in an e-certificate shall be legally valid if fully satisfying the following requirements:
a/ The e-certificate is signed with an e-signature of the issuing agency or organization in accordance with law;
b/ Information in the e-certificate is accessible and usable in its complete form;
c/ In case the law requires the determination of timelines related to the e-certificate, the e-certificate must contain a timestamp.
2. To be recognized and used in Vietnam, an e-certificate granted by a competent foreign agency or organization must be consularly legalized, unless it is exempted in accordance with Vietnam’s law.
Article 20. Transfer of e-certificates
1. In case the law permits the transfer of the ownership of an e-certificate, such transfer must fully satisfy the following requirements:
a/ The e-certificate clearly indicates its owner and states that only its owner is currently in control of it;
b/ The e-certificate satisfies the requirements specified in Article 10 of this Law;
c/ The information system serving the transfer of the e-certificate must ensure cyberinformation security of grade 3 or higher grade in accordance with the law on cyberinformation security;
d/ Other requirements specified by relevant laws.
2. In case the law requires or permits the conversion from paper documents to e-certificates for papers permitted by law to have their ownership transferred and exist in one form only, the paper documents shall cease to be legally valid right after the conversion is completed and satisfies the requirement specified at Point d, Clause 1, Article 12 of this Law.
3. In case the law requires or permits the conversion from e-certificates to paper documents for e-certificates permitted by law to have their ownership transferred and exist in one form only, the e-certificates shall cease to be legally valid as soon as the conversion is completed and satisfies the requirement specified at Point d, Clause 1, Article 12 of this Law.
Article 21. Requirements on storage and processing of e-certificates
1. The storage of e-certificates must comply with regulations on storage of data messages specified in Article 13 of this Law.
2. Information systems serving the storage and processing of data messages must meet the requirements on assurance of cyberinformation security of grade 3 or higher grade in accordance with the law on cyberinformation security.
Chapter III
E-SIGNATURES AND TRUST SERVICES
Section 1
E-SIGNATURES
Article 22. E-signatures
1. An e-signature shall be classified by scope of use as follows:
a/ A specialized e-signature is an e-signature created by an agency or organization, and exclusively used for its activities in conformity with its functions and tasks;
b/ A public digital signature is a digital signature used in public activities and secured by a public digital signature certificate;
c/ A public duty-specialized digital signature is a digital signature used in public-duty activities and secured by a certificate of public duty-specialized digital signature.
2. A specialized e-signature must fully satisfy the following requirements:
a/ It is able to certify the signatory and confirm his/her approval of the data message;
b/ Data to create a specialized e-signature is solely associated with the content of the approved data message;
c/ Data to create a specialized e-signature is only under the control of the signatory at the time of signing;
d/ The validity of the specialized e-signature can be checked according to the conditions agreed upon by the parties to the agreement.
3. A digital signature is an e-signature fully satisfying the following requirements:
a/ It is able to certify the signatory and confirm his/her approval of the data message;
b/ Data to create the digital signature is solely associated with the content of the approved data message;
c/ Data to create the digital signature is only under the control of the signatory at the time of signing;
d/ All changes in a data message after it is electronically signed are detectable;
dd/ A digital signature must be secured by a digital signature certificate. Public duty- specialized digital signatures must be secured by digital signature certificates granted by organizations providing the authentication service for public duty-specialized digital signatures. Public digital signatures must be secured by digital signature certificates granted by public digital signature authentication service-providing organizations.
e/ Means to create digital signatures must ensure data to create digital signatures is not disclosed, collected, or used for the purpose of counterfeiting signatures; ensure data to create digital signatures can be used only once; and ensure to-be-digitally-signed data is not changed.
4. The use of other certification methods by electronic means for indicating the signatory’s approval of the data message other than e-signatures must comply with other relevant laws.
Article 23. Legal validity of e-signatures
1. The legal validity of an e-signature cannot be denied for the sole reason that it is displayed in the form of e-signature.
2. A secured specialized e-signature or digital signature of an individual is as legally valid as his/her signature on a paper document.
3. In case the law requires a document to be certified by an agency or organization, a data message is deemed to meet such requirement if it is signed by a secured specialized e-signature or digital signature of such agency or organization.
Article 24. Authentication service for public duty-specialized digital signatures
1. Authentication service for public duty-specialized digital signatures means authentication service for digital signatures in public-duty activities.
2. Certificates of public duty-specialized digital signature shall be managed and provided by the organizations providing the authentication service for public duty-specialized digital signatures in accordance with the law on e-transactions and law on cipher.
3. Organizations providing the authentication service for public duty-specialized digital signatures shall implement the following activities:
a/ To issue certificates of public duty-specialized digital signature for certifying and maintaining the validity status of the certificates of signatories of data messages;
b/ To withdraw certificates of public duty-specialized digital signature;
c/ To check the validity of public duty-specialized digital signatures and maintain the validity status of the certificates of public duty-specialized digital signatures; to refrain from using technical barriers and technologies to restrict the checking of the validity of public duty-specialized digital signatures;
d/ To provide necessary information for authentication of public duty-specialized digital signatures;
dd/ To inter-connect with the National Electronic Authentication Center to ensure the checking of the validity of public duty-specialized digital signatures;
e/ To provide timestamps in public-duty activities.
4. Certificates of public duty-specialized digital signatures, public duty-specialized digital signatures must satisfy technical regulations and requirements for digital signatures and digital signature authentication service in accordance with law.
5. The Government shall detail this Article.
Article 25. Use of specialized e-signatures and secured specialized e-signatures
1. Agencies and organizations creating specialized e-signatures are not allowed to provide specialized e-signature services.
2. A secured specialized e-signature is a specialized e-signature for which the Ministry of Information and Communications grants secured specialized e-signature certificates.
3. In case agencies and organizations use specialized e-signatures for conducting transactions with other organizations and individuals, or wish to have their specialized e-signatures recognized as secured, they shall register with the Ministry of Information and Communications for grant of secured specialized e-signature certificates.
4. The Government shall detail this Article.
Article 26. Recognition of foreign e-signature authentication service providers; recognition of foreign e-signatures and e-signature certificates
1. Conditions for recognition of a foreign e-signature authentication service provider in Vietnam:
a/ It is lawfully established and operates in the country where it registers for operation; there is a technical audit report of the system providing the e-signature authentication service from a lawfully operating audit organization in the country where it registers for operation;
b/ A foreign e-signature and e-signature certificate provided by the foreign e-signature authentication service provider conforms to technical standards and regulations on e-signatures and e-signature certificates as provided by Vietnam’ law or recognized international standards or treaties to which the Socialist Republic of Vietnam is a contracting party;
c/ Foreign e-signature certificates granted by the foreign e-signature authentication service provider are created on the basis of complete authenticated identification information of foreign organizations and individuals;
d/ The foreign e-signature authentication service provider must update the status of foreign e-signature certificates to the trust service authentication system of a competent Vietnamese agency;
dd/ The foreign e-signature authentication service provider has a representative office in Vietnam.
2. Conditions for recognition of foreign e-signature and e-signature certificate in Vietnam:
a/ A foreign e-signature and e-signature certificate conform to technical standards and regulations on e-signatures and e-signature certificates as provided by Vietnam’s law or recognized international standards or treaties to which the Socialist Republic of Vietnam is a contracting party;
b/ Foreign e-signature certificates are created on the basis of complete authenticated identification information of foreign organizations and individuals.
3. Entities that use recognized foreign e-signatures and e-signature certificates under Clause 2 of this Article are foreign organizations and individuals; and Vietnamese organizations and individuals wishing to conduct e-transactions with organizations and individuals of the countries where e-signatures and e-signature certificates issued by domestic service providers are not recognized.
4. The Minister of Information and Communications shall provide in detail the recognition of foreign e-signature authentication service providers in Vietnam; and recognition of foreign e-signatures and e-signature certificates in Vietnam.
Article 27. Foreign e-signatures and e-signature certificates accepted in international transactions
1. Foreign e-signatures and e-signature certificates accepted in international transactions are foreign e-signatures and e-signature certificates of foreign organizations and individuals that are not present in Vietnam, which are valid in the data messages sent to Vietnamese organizations and individuals.
2. Organizations and individuals shall select and be held responsible for accepting foreign e-signatures and e-signature certificates in data messages in international transactions.
Article 28. Trust services
1. Trust services include:
a/ Timestamping service;
b/ Data message authentication service;
c/ Public digital signature authentication service.
2. Trust services are conditional business lines.
3. A trust service provider must possess a license for provision of trust services granted by the Ministry of Information and Communications, except the e-contract authentication service in commercial transactions. A trust service provider may register one or more than one service specified in Clause 1 of this Article. The validity period of a license for provision of trust services is 10 years.
Organizations providing the e-contract authentication service in commercial transactions must meet the conditions for providing such service as provided in the law on e-commerce and the conditions for providing trust services as specified in Article 29 of this Law.
The Government shall detail operations of trust service providers; the order, procedures, dossiers for grant, renewal, modification, re-grant, suspension, and revocation of license for provision of trust services; and other issues provided in this Article.
Article 29. Conditions for providing trust services
1. Conditions for providing a trust service include:
a/ Being an enterprise lawfully established and operating in the territory of Vietnam;
b/ Meeting the requirements on finance, managerial personnel, and techniques for each type of trust service specified in Clause 1, Article 28 of this Law;
c/ Having an information system for providing trust services, which meets the requirements on assurance of cyberinformation security of grade 3 or higher grade in accordance with the law on cyberinformation security;
d/ Having a technical plan for provision of services as suitable for each type of trust service specified in Clause 1, Article 28 of this Law;
dd/ Having a plan to assure technical connection for the monitoring, inspection, and reporting of data by electronic means which meets the requirements of state management of trust services.
2. The Government shall detail Clause 1 of this Article.
Article 30. Responsibilities of trust service providers
1. To publicly display the registration process for use of services, forms, and related costs.
2. To ensure the around-the-clock operation of the information receipt and service provision channel.
3. To implement a system for storing dossiers and documents, and connecting, providing information and data by electronic means in accordance with law.
4. To ensure that information systems’ equipment is granted management codes and is ready for technical connection to serve state management of trust services.
5. To implement operational measures of suspending or terminating service provision or other operational measures as required by competent agencies in accordance with law.
6. To perform responsibilities of administrators of information systems serving the provision of trust services meeting the requirements on assurance of cyberinformation security of grade 3 or higher grade in accordance with the law on cyberinformation security.
7. To make annual reports on provision of trust services under regulations of competent agencies.
8. To pay the service charge for operating the system of inspection of digital signature certificate status in accordance with the law on charges and fees.
Article 31. Timestamping service
1. Timestamping service means a service of attaching time information to data messages.
2. Timestamps are made in the form of digital signature.
3. Time attached to a data message is the time when a timestamping service provider receives such data message, and is authenticated by timestamping service provider.
4. Timing sources of timestamping service providers must comply with the law on national standard timing sources.
Article 32. Data message authentication service
Data message authentication service include:
1. Storage and certification of the integrity of data messages;
2. Secured sending and receipt of data messages.
Article 33. Public digital signature authentication service
1. Public digital signature authentication service is the service of authenticating digital signatures for use in public activities.
2. Public digital signature certificates shall be provided by public digital signature authentication service providers in accordance with this Law.
3. A public digital signature authentication service provider may:
a/ Issue public digital signature certificates to certify and maintain the validity status of public digital signature certificates of subjects signing data messages;
b/ Revoke public digital signature certificates;
c/ Check the validity of public digital signatures and maintain the validity status of public digital signature certificates; not use technical or technological barriers to limit the checking of the validity of public digital signatures;
d/ Provide necessary information to authenticate public digital signatures;
dd/ Be connected to the National Digital Authentication Center to ensure the checking of the validity of public digital signatures.
4. Public digital signature certificates and public digital signatures must satisfy technical regulations and technical requirements for digital signatures and digital signature authentication services in accordance with law.
5. The Government shall detail this Article.
Chapter IV
ENTRY INTO AND PERFORMANCE OF E-CONTRACTS
Article 34. E-contracts
1. E-contracts shall be concluded or performed from the interaction between an automatic information system and a person or among automatic information systems. The legal validity of an e-contract cannot be denied for the sole reason that there is no human checking of or intervention in each specific action automatically performed by information systems or in e-contracts.
2. Ministers and heads of ministerial-level agencies shall promulgate according to their competence or propose competent authorities for promulgation regulations on entry into and performance of e-contracts in the fields within the ambit of their assigned tasks and powers and in conformity with practical conditions.
Article 35. Entry into e-contracts
1. Entry into e-contracts means the use of data messages to perform part or the whole of transactions in the process of entering into e-contracts.
2. Making and accepting an offer to enter into an e-contract may be carried out through data messages, unless otherwise agreed upon by concerned parties.
Article 36. Principles of entry into and performance of e-contracts
1. Parties have the right to reach agreement on the partial or whole use of data messages and electronic means in the entry into and performance of e-contracts.
2. Upon entry into and performance of e-contracts, the parties have the right to reach agreement on technical requirements and conditions for ensuring the integrity and confidentiality related to such e-contracts.
3. The entry into and performance of e-contracts must comply with this Law, the law on contracts and other relevant laws.
Article 37. Receipt, sending, time and place of receiving and sending data messages in the process of entry into and performance of e-contracts
The receipt, sending, time, place of receiving or sending data messages in the process of entry into and performance of e-contracts must comply with Articles 15, 16, 17 and 18 of this Law.
Article 38. Legal validity of notices in the entry into and performance of e-contracts
In the process of entry into and performance of an e-contract, notices in the form of data message are as legally valid as notices in paper form.
Chapter V
E-TRANSACTIONS OF STATE AGENCIES
Article 39. Types of e-transactions of state agencies
1. E-transactions within a state agency;
2. E-transactions among different state agencies;
3. E-transactions between state agencies and other agencies, organizations and individuals.
Article 40. Management of data and shared databases
1. Data in state agencies shall be uniformly organized and managed in a decentralized manner according to the management responsibilities of state agencies so as to promote e-transactions; and be shared to serve the operation of state agencies, people, and businesses in accordance with law.
2. Shared databases in state agencies include national databases, databases of ministries, sectors and localities.
3. Management of national databases is as follows:
a/ A national database contains master data as the basis for reference and data synchronization among databases of ministries, sectors and localities;
b/ Master data in a national database has the official validity equivalent to paper documents issued by competent agencies, unless otherwise provided by law;
c/ Data on a national database shall be shared with ministries, sectors and localities for carrying out administrative procedures, administrative reform, and simplifying administrative procedures for people, businesses and socio-economic development objectives;
d/ The Prime Minister shall approve the list of national databases. The list of national databases must include the following basic details: names of national databases; objectives of establishing national databases; range of data in national databases; information about master data of national databases permitted to be stored and shared; subjects and purposes of using and exploiting national databases; information sources built and updated into national databases; methods of sharing data from national databases;
dd/ The Government shall provide the establishment, updating, maintenance, exploitation and use of national databases; and the sharing of national databases with databases of other state agencies.
4. Management of databases of ministries, sectors and localities is as follows:
a/ Databases of ministries, sectors and localities are collections of information shared by ministries, sectors and localities;
b/ Master data on databases of ministries, sectors and localities has the official validity equivalent to that of paper documents issued by ministries, sectors and localities, unless otherwise provided by law;
c/ Ministries, ministerial-level agencies, government-attached agencies, and provincial-level People’s Committees shall provide the list of their databases; and regulations on establishment, updating, maintaining, exploiting and using databases of ministries, sectors and localities. A list of databases of ministries, sectors and localities must include the following basic details: name of national databases; description of purposes, scopes and contents of each database; mechanism of collection, updating and information sources collected from databases; listing of database items including open database and shared database.
5. The State shall partially or wholly ensure funds for establishing and maintaining national databases, and databases of ministries, sectors, localities and other state agencies.
Article 41. Data creation and collection
1. The creation and collection of data, and development of digital data shall be given the highest priority in the development of digital government and digital transformation in state agencies.
2. The creation of data in a state agency’s database must uniformly use a shared code list issued by competent state agencies, which must be consistent with master data in national databases.
3. State agencies may not collect and re-collect data or ask organizations or individuals to re-provide data that is currently managed by such agencies or data that is readily connected and shared by other state agencies, except cases in which data is required for the purpose of updating or verification or when such data does not meet quality requirements according to standards and technical regulations, or unless otherwise provided by law.
4. The Ministry of Information and Communications shall summarize and publicize a list of data providers, a list of data permitted to provide, and a shared code list so that agencies, organizations, and individuals may search and use.
Article 42. Data connection and sharing
1. State agencies shall ensure the capacity of readiness to connect and share data with agencies, organizations, and individuals to serve e-transactions, including:
a/ Human resources in charge of connecting and sharing data must include on-site human resources that are currently managing and operating information systems or other related human resources in state agencies; in case on-site human resources cannot meet requirements, experts may be hired;
b/ Investment projects applying information technology and using state budget to establish information systems and databases in state agencies must have facilities to serve data connection and sharing. In case such facilities are not available, it is required to have a justification that there is no data connection and sharing in the process of operation and exploitation;
c/ To promulgate and publicly announce regulations on data exploitation and use for databases under their management;
d/ To apply measures to ensure cyberinformation security, cyber security, and data confidentiality in the process of connecting and sharing data in accordance with law.
2. Unless otherwise provided by law, state agencies shall connect and share data with other agencies and organizations; and shall not provide information through paper documents when such information can be exploited through connection and sharing among information systems; and may not collect charges for data sharing among state agencies.
3. State agencies shall apply online connection and sharing of data between information systems of data providers and data users, except for information related to state secrets or requirements of national defense and security assurance. In case of refusing to apply online connection and sharing of data, reason(s) shall be clearly stated in writing.
4. State agencies shall apply data connection and sharing in the following order of priority:
a/ To connect and share via intermediary systems including the National Data Exchange Platform; ministerial- and provincial-level data exchange infrastructure according to the National Digital Architecture Framework;
b/ To directly connect among information systems and databases when intermediary systems are not ready for connection or the administrator of an intermediary system determines that the intermediary system fails to meet requirements on data connection and sharing.
5. The National Digital Architecture Framework referred to at Point a, Clause 4 of this Article includes the E-Government Architecture Framework, digital Government; digital architecture framework of agencies and organizations.
6. The Government shall provide in detail data connection and sharing; and the National Digital Architecture Framework.
Article 43. Open data of state agencies
1. Open data of state agencies is data widely publicized by competent state agencies for agencies, organizations, and individuals to freely use, reuse, and share. State agencies shall publicize open data for agencies, organizations, and individuals to freely use, reuse, and share in order to promote e-transactions, digital transformation, and develop digital economy and digital society.
2. Open data must be complete and fully reflect information provided by state agencies. Open data shall be updated with latest information, accessible and usable on the Internet, ensuring capacity of digital devices in sending, receiving, storing and processing, and following a free and open format.
3. Agencies, organizations and individuals may access and use open data without having to make identification declaration for exploitation and use of open data.
4. Agencies, organizations and individuals may copy, share, connect and use open data or combine open data with other data; use open data in their commercial or non-commercial products and services, unless otherwise provided by law.
5. Agencies, organizations, and individuals shall cite and record information on the use of open data in products, services, and related documents.
6. State agencies will not have to take responsibility for any damage arising from the use of open data by agencies, organizations or individuals.
7. The Government shall provide in detail regulations on open data and conditions for the implementation of this Article.
Article 44. Activities of state agencies in the electronic environment
1. State agencies shall ensure that all results of administrative procedure processing or results of other public duties not classified as state secrets are expressed in the form of e-documents that are as legally valid as paper documents and may be accessible and usable in complete format. State agencies shall receive and process requests of organizations and individuals in the electronic environment, unless otherwise provided by law.
2. State agencies’ activities prioritized for being wholly carried out in the electronic environment include provision of public-duty services; internal administration; direction; supervision, examination and inspection.
3. State agencies shall work out a response plan in case of emergency or upon occurrence of an incident that disrupts operations in the online cyber environment, and a plan to respond to incidents in and maintain normal transactions.
4. State agencies may use annual state budgets in accordance with law to hire experts to advise on database establishment; carry out professional and technical activities in management, operation, and assurance of cyberinformation security for information systems serving e-transactions of state agencies.
5. The Government shall detail this Article.
Chapter VI
INFORMATION SYSTEMS SERVING E-TRANSACTIONS
Article 45. Information systems serving e-transactions
1. Information system serving e-transactions means a set of hardware, software and database established with main functions of serving e-transactions, ensuring authenticity and reliability in e-transactions.
Information systems serving e-transactions shall be classified by administrators; functions and features; scale and number of users in Vietnam or monthly number of accessing users in Vietnam.
2. Digital platform serving e-transactions means an information system specified in Clause 1 of this Article that creates an electronic environment for parties to conduct transactions or provide and use products and services or develop products and services.
3. Intermediary digital platform serving e-transactions means a digital platform specified in Clause 2 of this Article whose administrator is independent from parties performing transactions.
4. The Government shall detail this Article.
Article 46. E-transaction accounts
1. E-transaction accounts shall be issued by information system administrators to serve e-transactions, and managed and used in accordance with this Law.
2. E-transaction accounts may be used for performing e-transactions so as to store transaction history and ensure precise sequence of account holders’ transactions, and are valid for proving the transaction history of involved parties as provided in Clause 4 of this Article.
3. Agencies, organizations and individuals are entitled to choose to use e-transaction accounts suitable to their needs, unless otherwise provided by law.
4. Transaction history of an e-transaction account is legally valid for proving transactions if meeting the following requirements:
a/ The information system serving e-transactions must ensure safety in accordance with the law on cyberinformation security;
b/ Being solely attached to an agency, organization or individual holding the e-transaction account;
c/ Accurately ensuring transaction time from time sources in accordance with regulations on national standardized time sources.
Article 47. Responsibilities of administrators of information systems serving e-transactions
1. Administrators of information systems serving e-transactions have the following responsibilities:
a/ To comply with this Law and the laws on cyberinformation security, cyber security, personal information protection, personal data protection and other
relevant laws;
b/ To provide information by electronic means in accordance with law in order to serve the measurement, statistics, supervision, inspection, examination and reporting at the request of state management agencies in the e-transaction field; to share data serving the state management of e-transactions;
c/ To supervise the security of their information systems serving e-transactions in accordance with the law on cyberinformation security.
2. Administrators of large-scale intermediary digital platforms serving e-transactions have the following responsibilities:
a/ To comply with Clause 1 of this Article;
b/ To publicly announce and disseminate the mechanism of reporting and handling problems arising in e-transactions;
c/ To publicly announce and disseminate the mechanism of reporting and handling contents violating Vietnam’s law on intermediary digital platforms from trustworthy reporting sources;
dd/ Annually, to report as guided by the Ministry of Information and Communication on incidents that have occurred or show signs, risks of taking advantage of information systems to commit acts in violation of Vietnam’s law.
3. Administrators of particularly large-scale intermediary digital platforms serving e-transactions have the following responsibilities:
a/ To comply with Clause 2 of this Article;
b/ To publicly announce the general principles, specifications, or criteria for providing recommendations on displaying contents and advertisements to users and allow users to choose options of not using recommendations based on analysis of user data.
c/ To allows users to uninstall any pre-installed applications without affecting basic technical specifications for normal operation of systems;
d/ To publicly disclose and disseminate the code of conduct applicable to parties using systems.
4. The Government shall detail the responsibilities of intermediary digital platform administrators specified in Clauses 2 and 3 of this Article in conformity with the scale and number of users in Vietnam or the number of accessing users in Vietnam.
Article 48. Reporting, summarization, and sharing of data serving state management of e-transactions
1. State agencies shall manage the reporting, summarization, and sharing of data serving state management of e-transactions in accordance with law and their assigned functions and tasks, and vested powers.
2. The Ministry of Information and Communications shall establish and operate a system to receive and summarize data serving state management of e-transactions as specified in Clause 1 of this Article under the Government’s regulations; assume the prime responsibility for formulating, promulgating or proposing competent state agencies for promulgation technical regulations on connection reference models serving data sharing by electronic means, device identification of and cyber credibility criteria for information systems serving e-transactions.
Chapter VII
STATE MANAGEMENT OF E-TRANSACTIONS
Article 49. Contents of state management of e-transactions
1. Formulation, promulgation and organization of implementation of strategies, plans and policies for developing e-transactions; legal documents on e-transactions; standards, technical regulations, technical requirements, techno-economic norms, quality of products and services in e-transactions.
2. Management of the reporting, measurement and statistics of e-transaction activities; manage the safety supervision of information systems serving e-transactions by information system administrators.
3. Management of trust services.
4. Management and organization of the establishment, exploitation and development of national electronic authentication infrastructure; issuance and revocation of digital signature certificates.
5. Stipulation of the interoperability between systems providing public digital signature services and those providing public duty-specialized digital signatures.
6. Dissemination of policies and laws on e-transactions.
7. Management of the training and development of human resources and experts in the e-transaction field.
8. Inspection, examination, settlement of complaints and denunciations and handling of violations of laws on e-transactions.
9. International cooperation on e-transactions.
Article 50. Responsibilities to perform the state management of e-transactions
1. The Government shall exercise the uniform management of e-transaction activities.
2. The Ministry of Information and Communications shall act as the focal agency and take responsibility before the Government, assume the prime responsibility for, and coordinate with ministries and ministerial-level agencies in, performing the state management of e-transaction activities.
3. Ministries, ministerial-level agencies and provincial-level People’s Committees shall perform the state management of e-transaction activities in fields and localities within the ambit of their assigned tasks and powers.
4. The Minister of National Defense shall perform the state management of e-transaction activities in cipher, public duty-specialized digital signatures based on national technical regulations and standards on digital signatures in accordance with law.
Chapter VIII
IMPLEMENTATION PROVISIONS
Article 51. Amendment, supplementation, replacement and annulment of a number of articles of related laws:
1. To amend and supplement Item 119, Appendix IV - List of sectors and trades subject to conditional business investment to Law No. 61/2020/QH14 on Investment which had a number of articles amended and supplemented under Law No. 72/2020/QH14, Law No. 03/2022/QH15, Law No. 05/2022/QH15, Law No. 08/2022/QH15 and Law No. 09/2022/QH15, as follows:
119 | Provision of trust services |
2. To amend and supplement Item 7, Appendix VI - Charges in the field of information and communications on the List of charges and fees promulgated together with Law No. 97/2015/QH13 on Charges and Fees which had a number of articles amended and supplemented under Law No. 09/2017/QH14, Law No. 23/2018/QH14, Law No. 72/2020/QH14 and Law No. 16/2023/QH15, as follows:
7 | Service charge for maintenance of the inspection system of digital signature certificate status | The Ministry of Finance |
3. To replace the phrase “specialized digital signature authentication system” defined in Clause 3, Article 19 of Law No. 76/2015/QH13 on Organization of the Government which had a number of articles amended and supplemented under Law No. 47/2019/QH14, with the phrase “public duty-specialized digital signature authentication system”.
4. To annul Articles 58 and 59 of Law No. 67/2006/QH11 on Information and Communications which had a number of articles amended and supplemented under Law No. 21/2017/QH14.
Article 52. Effect
1. This Law takes effect on July 1, 2024.
2. Law No. 51/2005/QH11 on E-Transactions ceases to be effective from the effective date of this Law, except the case provided in Article 53 of this Law.
Article 53. Transitional provisions
1. E-transactions that are established before the effective date of this Law and have not been completed by the effective date of this Law may continue to be implemented under Law No. 51/2005/QH11 on E-Transactions and its detailing documents, unless the application to this Law agreed upon by concerned parties.
2. Digital certificates that are issued before the effective date of this Law and will remain valid by the effective date of this Law may continue to be implemented under Law No. 51/2005/QH11 on E-Transactions and its detailing legal documents until the expiry date of the digital certificates, and be valid as digital signature certificates in accordance with this Law.
3. Licenses for provision of public digital signature authentication service, licenses for use of foreign digital certificates in Vietnam, certificates of operation registration of specialized digital signature authentication service, certificates of eligibility to ensure security for specialized digital signatures that were issued before the effective date of this Law and will remain valid by the effective date of this Law may continue to be used until expiry date of the licenses or certificates.
The issuance of digital certificates according to the licenses and certificates specified in this Clause must comply with Law No. 51/2005/QH11 on E-Transactions and its detailing documents.
4. For dossiers of application for licenses for provision of public digital signature authentication service, licenses for use of foreign digital certificates in Vietnam, certificates of operation registration of specialized digital signature authentication service, certificates of eligibility to ensure security for specialized digital signatures that were submitted to competent state agencies but no licenses and certificates have been issued yet, they may continue to comply with Law No. 51/2005/QH11 on E-Transactions and its detailing documents.
5. Certifications of registration for provision of e-contract authentication service in commercial transactions that are issued before the effective date of this Law may continue to be used until June 30, 2027.
6. For dossiers of registration for provision of e-contract authentication service in commercial transaction that have been submitted to competent state agencies but the registration has not been certified by the effective date of this Law, they may continue to comply with the law on e-commerce.
7. The Government shall detail this Article.
This Law was passed on June 22, 2023, by the 15th National Assembly of the Socialist Republic of Vietnam at its XVth session.-
Chairman of the National Assembly
VUONG DINH HUE