Law 20/2023/Vietnam on E-Transactions

Mục lục . Content

(English – Tiếng Anh)

LAW 20/2023/QH15

June 22,2023

On E-Transactions

Pursuant to the Constitution of the Socialist Republic of Vietnam;

The National Assembly promulgates the Law on E-Transactions.

CHAPTER I. GENERAL PROVISIONS

Article 1. Scope of regulation

1. This Law provides for the conduct of transactions by electronic means.

2. This Law does not stipulate the contents, conditions and forms of transactions.

3. Where other laws stipulate or do not provide for transactions conducted by electronic means, the provisions of this Law shall apply. In case other laws stipulate not to conduct transactions by electronic means, the provisions of that law shall apply.

Article 2. Subjects of application

This Law applies to agencies, organizations and individuals directly participating in e-transactions or involved in e-transactions.

Article 3. Interpretation of terms

In this Law, the terms below are construed as follows:

1. E-transaction means a transaction implemented by electronic means.

2. Electronic means is a hardware, software, information system or other means that operates based on information technology, electric, electronic, digital, magnetic, wireless, optical, electro-magnetic technologies or similar technologies.

3. Electronic environment means the environment of telecommunications networks, the Internet, computer networks, and information systems.

4. Data message means information created, transmitted, received and stored by electronic means.

5. E-certificate means a license, certificate, written certification or other written approval issued by a competent agency or organization in the form of electronic data.

6. Data mean symbol, script, numeral, image, sound or the like.

7. Electronic data mean data created, processed and stored by electronic means.

8. Digital data mean electronic data created by using digital signals.

9. Master data mean the data containing the most basic information to describe a particular object, as a basis for reference and synchronization between different databases or data sets.

10. Database means a compilation of electronic data arranged and organized for access, exploitation, sharing, management and updating of information through electronic means.

11. E-signature means a signature created in the form of electronic data attached to, or logically combined with a data message to identify the signer and confirm his/her consent to with the data message.

12. Digital signature means an e-signature using an asymmetric key algorithm, consisting of a private key and a public key, in which the private key is used to digitally sign and the public key is used to verify the signature. Digital signatures ensure authenticity, integrity and non-repudiation, but do not guarantee the confidentiality of data messages.

13. E-signature certificate means a data message to verify that the certified agency, organization or individual is the person having made the e-signature. An e-signature certificate for a digital signature is called a digital signature certificate.

14. Digital signature certification service means a service provided by a digital signature certification authority to verify the digital signer on a data message, ensuring the non-repudiation of the signer with data message and ensure the integrity of the signed data message.

15. Timestamp means an electronic data associated with a data message that allows the identification of the time that the data message existed at a particular time.

16. E-contracts mean contracts established in the form of data messages.

17. Intermediary means an agency, organization or individual, that represents another agency, organization or individual to send, receive or store a data message or to provide other services relating to such data message.

Article 4. Policies on development of e-transactions

1. To protect interests of the State and public interests, lawful rights and interests of agencies, organizations, individuals.

2. To ensure voluntary selection of e-transactions; to mutually agree on the selection of type of technology, electronic means, e-signatures and other forms of certification by electronic means to conduct e-transactions, unless otherwise provided for by law.

3. To develop a wholly comprehensive e-transaction to complete the process from the beginning to the end by electronic means, promote digital transformation; to optimize process, shorten processing time, which is more convenient than other transaction methods.

4. To synchronously apply mechanisms and measures to encourage, give incentives and facilitate the development of e-transactions; to prioritize investment in technology infrastructure development, development and application of new technologies, training of human resources in e-transactions, especially in mountainous, border, island and ethnic minority areas, areas with difficult socio-economic conditions and areas with extremely difficult socio-economic conditions.

Article 5. Assurance of cyberinformation security and cybersecurity in e-transactions

1. Agencies, organizations and individuals must comply with the law on e-transactions, the law on cyberinformation security, the law on cybersecurity and other relevant laws when conducting e-transactions.

2. Information in data messages falling within the scope of state secrets must comply with the law on protection of state secrets and the law on ciphers.

Article 6. Prohibited acts in e-transactions

1. Taking advantage of e-transactions to infringe upon national interests, national security, social order and safety, public interests, lawful rights and interests of agencies, organizations and individuals.

2. Illegally obstructing or preventing the process of creating, sending, receiving and storing data messages, or committing other acts to destroy the information system serving e-transactions.

3. Illegally collecting, providing, using, disclosing, displaying, distributing and trading data messages.

4. Counterfeiting, falsifying or illegally deleting, canceling, copying, or moving part or whole of a data massage.

5. Creating data messages in order to commit illegal acts.

6. Tricking, forging, appropriating or illegal using e-transaction accounts, e-certificates, e-signature certificates, or e-signatures.

7. Obstructing the selection of performing e-transactions.

8. Other prohibited acts as prescribed by law.

CHAPTER II. DATA MESSAGE

SECTION 1. LEGAL VALIDITY OF DATA MESSAGES

Article 7. Formats of data message

1. A data message may be shown in the form of electronic document, electronic file, e-certificate, electronic receipt, e-contract, e-mail, telegram, telegraph, facsimile or other similar forms as prescribed by law.

2. Data messages are generated during the transaction or converted from paper documents.

Article 8. Legal validity of data message

Information in data messages cannot have its legal validity disclaimed for the sole reason that it is expressed in the form of data messages.

Article 9. Data messages being as valid as documents

1. Where the law requires information to be in writing, a data message shall be considered having met this condition if the information contained therein is accessible and usable for reference.

2. Where a writing is required by law to be notarized or certified, a data message shall be considered having met the requirements if it is notarized in accordance with the law on notarization; and certified in accordance with this Law and the law on certification.

Article 10. Data message being as valid as original copy

A data message shall be used as valid as an original copy when fully satisfying the following requirements:

1. Information contained in the data message is kept intact since its first origination in the form of a complete data message.

Information in a data message is considered intact when it remains unchanged, except for changes in its appearance, which arise in the process of sending, storage or display of the data message.

2. Information in the data message is accessible and usable in its integrity.

Article 11. Data message being as valid as evidence

1. Data messages shall be used as evidences in accordance with this Law and the procedural law.

2. The validity used as evidence of a data message shall be determined based on the reliability of the manner in which the data message was generated, sent, received or stored; the manner to ensure and maintain the integrity of the data message; the manner in which its originator, sender or recipient was identified, and on other relevant factors.

Article 12. Format conversion between paper documents and data messages

1. A data message in paper form shall be converted when fully satisfying the following requirements:

a) Information in the data message must be kept intact as that in the paper document;

b) Information in the data message is accessible and usable for reference;

c) Having a separate symbol certifying that it has been converted from a paper document to a data message and information of the agency, organization or individual performing the conversion;

d) In case the paper document is a license, certificate, written certification or other written approval issued by a competent agency or organization, the conversion must satisfy the requirements specified at Points a, b and c of this Clause and must have the digital signature of the agency or organization performing the conversion, unless otherwise provided for by law. The information system serving the conversion must be capable of converting paper documents to data messages.

2. A paper document converted from a data message must fully satisfy the following requirements:

a) Information in the paper document must be kept intact as that in the data message;

b) Having information to identify the information system and the manager of the information system to create, send, receive and store original data messages for retrieval;

c) Having a separate symbol certifying that it has been converted from a data message to a paper document and information of the agency, organization or individual performing the conversion;

d) In case the data message is an e-certificate, the conversion must satisfy the requirements specified at Points a, b and c of this Clause and must have the digital signature and seal (if any) of the agency or organization performing the conversion as prescribed by law. The information system serving the conversion must be capable of converting data messages to paper documents.

3. Legal validity of the converted documents shall comply with relevant laws.

4. The Government shall detail this Article.

Article 13. Methods of storing data messages

1. In cases where the law requires writing, documents, records, files or information to be stored, such writing, documents, records, files or information can be stored in the form of data messages when the following requirements are fully satisfied:

a) Information in such data message is accessible and usable for reference;

b) Information in such data message are stored in the very format in which it was originated, sent or received, or in a format which can be demonstrated to represent accurately that information;

c) Such data message is stored in a manner to enable the identification of its origin, sender, recipient, and the time when it was sent and received.

2. Unless otherwise provided for by law, agencies, organizations and individuals may choose to store documents, receipts, records, files or information in the paper form or data message if the data message meets the requirements specified in Clause 1 of this Article.

3. Contents and time limit for storage of data message shall comply with the provisions of the law on storage and relevant laws. The storage of data messages is as valid as archiving paper documents.

SECTION 2. SENDING AND RECEIPT OF DATA MESSAGES

Article 14. Originator of a data message

1. The originator of a data message shall be an agency, organization or individual that creates or sends the data message before such message is stored, excluding any intermediary transmitting the data message.

2. Where parties to a transaction do not agree otherwise, the identification of the originator of a data message shall be as follows:

a) A data message is considered as that of the originator if it is sent by the originator or his/her/its representative, or by an information system established and designated by the originator to operate automatically;

b) The recipient may consider a data message as being that of the originator if the recipient has applied the verification methods approved by the originator and such methods give the result that such data message is of the originator;

c) As from the time the recipient becomes aware of technical errors or receives notification from the originator of the fact that a data message was sent due to technical errors and has applied error-detecting methods approved by the originator, the provisions of Points a and b of this Clause shall not apply.

3. Where a party makes a mistake in entering information through an automatic information system, but that automatic information system does not give that party the opportunity to correct the error, the party making the mistake of entering information has the right to withdraw the entered information if the following requirements are fully met:

a) The originator who made a mistake in entering information has notified the relevant parties about such error as soon as he/she/it becomes aware of the error;

b) The originator makes a mistake in entering unused information or receives any benefits (if any) from the parties.

4. The right to withdraw information with errors specified in Clause 3 of this Article does not affect the responsibility to deal with consequences arising from errors in e-transactions in accordance with other relevant laws.

5. The originator shall take responsibility before law for the contents of the data message he/she/it has originated.

Article 15. Time and place of sending a data message

Unless otherwise agreed upon by the parties to a transaction, the time and place of sending a data message is provided as follows:

1. The time of sending a data message is the point of time when such data message leaves the information system under the control of the originator or his/her/its representative. Where the information system is beyond the control of the originator or his/her/its representative, the time of sending a data message is the time when this data message is entered into the information system;

2. Wherever the data message is sent, the place of sending a data message is still considered the headquarters of the originator if the originator is an agency or organization or the permanent residence of the originator if the originator is an individual. If the originator has more than one headquarters, the place of sending the data message is the head office or the one which has the closest relationship with the transaction.

Article 16. Receipt of a data message

1. The recipient of a data message is the organization, agency, individual or his/her/its representative who is designated to receive the data message from the data message originator, excluding any intermediary transmitting such data message.

2. Unless otherwise agreed upon by the parties to the transaction, the receipt of a data message is provided as follows:

a) The recipient of a data message is deemed in receipt of such message if the message is entered into an information system designated by him/her/it and accessible;

b) The recipient may consider each data message an independent one unless such message is a copy of another data message and the recipient knows or ought to know that it is a copy;

c) Where the originator has required or agreed with the recipient before or during the sending of a data message that the recipient must send an acknowledgment of the receipt of such message, the recipient must comply with such request or agreement;

d) Where the originator, before or during the sending of a data message, has stated that such message will be valid only when he/she/it receives an acknowledgment, such data message shall be considered having not been sent till the originator receives a written acknowledgment of the receipt of such message from the recipient;

dd) Where the originator has already sent a data message without stating that the recipient must send an acknowledgment and has not yet received the acknowledgment, except for the cases specified at Point a of this Clause, the originator may notify the recipient that no acknowledgment has been received and set a reasonable duration for the recipient to send the acknowledgment. If the originator still fails to receive any acknowledgment within the specified duration, he/she/it may treat the data message as though it had never been sent.

Article 17. Time and place of receiving a data message

Unless otherwise agreed upon by the parties to the transaction, the time and place of receiving a data message are provided as follows:

1. If the recipient has designated an information system for receiving a data message, the message-receiving time shall be the time when the data message enters the designated information system and is accessible. If the recipient has not designated a specific information system for receiving the data message, the message-receiving time shall be the time when the data message enters any information system of the recipient and is accessible;

2. Wherever the data message is received, the place of receiving a data message is still considered the headquarter of the recipient if the recipient is an agency or organization or the place of residence of the recipient if the recipient is an individual. If the recipient has more than one headquarters, the place of receiving the data message is the head office or the one which has the closest relationship with the transaction.

Article 18. Automatic sending and receipt of data messages

If the originator or the recipient has designated one or several information systems for the purpose of automatic sending or receipt of data messages, the provisions of Articles 14, 15, 16 and 17 of this Law shall apply.

SECTION 3. E-CERTIFICATES

Article 19. Legal validity of e-certificates

1. Information in an e-certificate is legally valid when it fully meets the following requirements:

a) The e-certificate is signed by the digital signature of the issuing agency or organization in accordance with this Law;

b) Information in the e-certificate is accessible and usable in its integrity;

c) Where it is required by law to indicate the time related to an e-certificate, the e-certificate must have a timestamp.

2. E-certificates issued by competent foreign agencies and organizations that are recognized and used in Vietnam must be consularly legalized, except for exemption cases under Vietnamese law.

Article 20. Transfer of e-certificates

1. Where the law allows the transfer of ownership rights to an e-certificate, the transfer must fully satisfy the following requirements:

a) There is a ground to determine the owner of an e-certificate and only this owner is controlling that e-certificate;

b) The requirements specified in Article 10 of this Law;

c) The information system serving the transfer of an e-certificate must meet the requirements of ensuring cyberinformation security at level 3 at least, in accordance with the law on cyberinformation security;

d) Other requirements as prescribed by relevant laws.

2. In case where the law requires or permits the conversion from paper documents to e-certificates for the types of documents that are permitted by law to transfer ownership and exist only in only one form, the paper documents shall no longer have validity immediately after the conversion is completed and satisfies the requirements specified at Point d, Clause 1, Article 12 of this Law.

3. In case where the law requires or permits the conversion from e-certificates to paper documents for the types of e-certificates that are permitted by law to transfer ownership and exist only in only one form, the e-certificates shall no longer have validity immediately after the conversion is completed and satisfies the requirements specified at Point d, Clause 2, Article 12 of this Law.

Article 21. Requirements for storing and processing e-certificates

1. The storage of e-certificates must comply with the regulations on storing data messages specified in Article 13 of this Law.

2. The information system serving the storage and processing of an e-certificate must meet the requirements of ensuring cyberinformation security at level 3 at least, in accordance with the law on cyberinformation security.

CHAPTER III. E-SIGNATURES AND TRUSTED SERVICES

SECTION 1. E-SIGNATURES

Article 22. E-signatures

1. E-signatures are classified according to the scope of use, including:

a) Specialized e-signature means an e-signature created and used exclusively by an agency or organization for its operations in accordance with its functions and tasks;

b) Public digital signature means a digital signature used in public activities and secured by a public digital signature certificate;

c) Digital signature for official use means a digital signature used in official service activities and is secured by a digital signature certificate specifically for official service.

2. A specialized e-signature must fully satisfy the following requirements:

a) Certifying the signatory and as well as the approval of such signatory to the content of the signed data message;

b) Specialized e-signature creation data are attached only to the content of the approved data message;

c) Specialized e-signature creation data are under the control of only the signatory at the time of signing;

d) The validity of specialized e-signatures can be checked according to the conditions agreed upon by the parties.

3. Digital signature is an e-signature that fully meets the following requirements:

a) Certifying the signatory and as well as the approval of such signatory to the content of the signed data message;

b) Digital signature creation data are attached only to the content of the approved data message;

c) Digital signature creation data are under the control of only the signatory at the time of signing;

d) All changes to the data message after the time of signing are detectable;

dd) Being secured by a digital signature certificate. For a digital signature for official use, it must be secured by a digital signature certificate of an authority providing service for certification of digital signatures for official use. For a public digital signature, it must be secured by a digital signature certificate of a public digital signature certification authority;

e) Means of creating digital signatures must ensure that data to create digital signatures are not disclosed, collected or used for the purpose of forging signatures; ensure that the data used to create digital signatures can be used only once; must not change the data to be signed.

4. The use of other forms of certification by electronic means to express the signatory’s consent to a data message which is not an e-signature shall comply with other relevant laws.

Article 23. Legal validity of e-signatures

1. An e-signature cannot have its legal validity disclaimed for the sole reason that it is expressed in the form of an e-signature.

2. A specialized e-signature for security purpose or a digital signature shall have the same legal validity as that individual’s signature in a paper document.

3. Where the law stipulates that a document must be certified by an agency or organization, such requirement shall be considered having been met for a data message if such data message has a specialized e-signature for security purpose or a digital signature of that agency or organization.

Article 24. Services for certification of digital signatures for official use

1. Services for certification of digital signatures for official use means a digital signature certification service in official service activities.

2. Digital signatures for official use shall be managed and provided by an authority providing service for certification of digital signatures for official use in accordance with the law on e-transactions and the law on cipher.

3. An authority providing service for certification of digital signatures for official use shall perform the following tasks:

a) Issuing digital signatures for official use to confirm and maintain the validity status of digital signature certificates for official use of the subject signing the data messages;

b) Revoking digital signature certificates for official use;

c) Checking the validity of the digital signatures for official use and maintaining the validity status of the digital signature certificate for official use; without using technical and technological barriers to limit the validity of digital signatures for official use;

d) Providing necessary information for certification of digital signatures for official use;

dd) Liaising with national e-certification service providers for the checking of the validity of digital signatures for official use;

e) Issuing timestamps in official activities.

4. Digital signature certificates for official use, digital signatures for official use must meet technical regulations and technical requirements for digital signatures and digital signature certification services as prescribed by law.

5. The Government shall detail this Article.

Article 25. Use of specialized e-signatures and specialized e-signatures for security purpose

1. Agencies and organizations that create specialized e-signatures are not allowed to provide specialized e-signature services.

2. Specialized e-signature for security purpose means a specialized e-signature that has been certified by the Ministry of Information and Communications as a specialized e-signature to ensure safety.

3. In case an agency or organization uses a specialized e-signature to conduct transactions with other organizations or individuals or wishes to recognize a specialized e-signature for security purpose, it shall register it with the Ministry of Information and Communication to be granted a certificate of specialized e-signature for security purpose.

4. The Government shall detail this Article.

Article 26. Recognition of foreign e-signature certification authorities; recognition of e-signatures, foreign e-signature certificates

1. Conditions for recognition of a foreign e-signature certification authority in Vietnam include:

a) Being legally established and operating in the country of registration; having a technical audit report of the system providing e-signature certification services from an auditing firm lawfully operating in the country of registration;

b) Foreign e-signatures, foreign e-signature certificates provided by foreign e-signature certification authorities must conform to standards and technical regulations on e-signatures, e-signature certificates under Vietnamese law or recognized international standards or treaties to which the Socialist Republic of Vietnam is a contracting party;

c) The foreign e-signature certificate provided by a foreign e-signature certification authority is formed based on fully authenticated identification information of the foreign organization or individual;

d) The foreign e-signature certification authority must update the status of the foreign e-signature certificate into the trusted service certification system of the Vietnamese competent agency;

dd) Having a representative office in Vietnam.

2. Conditions for recognition of a foreign e-signature or foreign e-signature certificate in Vietnam include:

a) Foreign e-signatures, foreign e-signature certificates must conform to standards and technical regulations on e-signatures, e-signature certificates under Vietnamese law or recognized international standards or treaties to which the Socialist Republic of Vietnam is a contracting party;

b) Foreign e-signature certificates are formed based on fully authenticated identification information of the foreign organizations or individuals.

3. The users of foreign e-signatures or foreign e-signature certificates recognized under Clause 2 of this Article are foreign organizations and individuals; Vietnamese organizations and individuals wishing to conduct e-transactions with foreign organizations and individuals of which the e-signatures and e-signature certificates issued by domestic service providers have not been recognized in that country.

4. The Minister of Information and Communications shall detail the recognition of foreign e-signature certification authorities in Vietnam; recognition of foreign e-signatures and foreign e-signature certificates in Vietnam.

Article 27. Foreign e-signatures, foreign e-signature certificates accepted in international transactions

1. Foreign e-signatures, foreign e-signature certificates accepted in international transactions are those of foreign organizations and individuals not present in Vietnam, effective on data messages sent to Vietnamese organizations and individuals.

2. Organizations and individuals shall select and take responsibility for the acceptance of foreign e-signatures and foreign e-signature certificates on data messages in international transactions.

SECTION 2. TRUSTED SERVICES

Article 28. Trusted services

1. Trusted services include:

a) Timestamp service;

b) Data message certification service;

c) Public digital signature certification service.

2. Trusted services are sectors and trades subject to conditional business investment.

3. A trusted service provider must have a service business license issued by the Ministry of Information and Communications, except for e-contract certification services in commerce. The provider is entitled to register for one or the services specified in Clause 1 of this Article. The term of the trusted service business license is 10 years.

Organizations providing e-contract certification services in commerce must satisfy the conditions for providing e-contract certification services in accordance with the law on e-commerce and trusted service business conditions as prescribed in Article 29 of this Law.

4. The Government shall detail the operation of trusted service providers; processes, procedures, dossiers for grant, extension, change, re-grant, temporary suspension and revocation of trusted service business licenses and other contents specified in this Article.

Article 29. Conditions for trusted service business

1. Conditions for trusted service business include:

a) Being an enterprise legally established and operating in the Vietnamese territory;

b) Satisfying financial, managerial and technical requirements for each type of trusted service specified in Clause 1, Article 28 of this Law;

c) The information system for trusted service provision must meet the requirements of ensuring cyberinformation security at level 3 at least, in accordance with the law on cyberinformation security;

d) Having a technical plan for service provision suitable to each type of trusted service specified in Clause 1, Article 28 of this Law;

dd) Having a plan to be ready for technical connection in service of monitoring, checking and reporting data by electronic means to meet the requirements of state management of trusted services.

2. The Government shall detail Clause 1 of this Article.

Article 30. Responsibility of trusted service providers

1. To publicly announce the service registration process, forms and related costs.

2. To ensure the 24/07 operation channel for receiving information and providing services.

3. To maintain dossiers and documents and connect, provide information and report data by electronic means in accordance with law.

4. To ensure that equipment in the information system is issued with management codes and ready for technical connection to serve the state management of trusted services.

5. To take professional measures, suspend or terminate service provision or other professional measures at the request of competent authorities in accordance with law.

6. To fulfill responsibilities of the manager of the information system serving the trusted service provision to meet the requirements of ensuring cyberinformation security at level 3 at least, in accordance with the law on cyberinformation security.

7. To make annual reports on trusted service provision according to regulations of competent agencies.

8. To pay the service fee to maintain the system to check the status of digital signature certificates in accordance with the law on fees and charges.

Article 31. Timestamp service

1. Timestamp service means a service used to attach information on date and time to a data message.

2. The timestamp is generated as a digital signature.

3. Time attached to a data message is the time when the timestamp service provider receives such data message, and is certified by such provider.

4. Timing sources of timestamp service providers must comply with regulations on national standard timing sources.

Article 32. Data message certification service

Data message certification service includes:

1. Service of storing and certifying the integrity of data messages;

2. Service of sending and receiving secured data messages.

Article 33. Public digital signature certification service

1. Public digital signature certification service means a digital signature certification service in public activities.

2. Public digital signature certification service provided by a public digital signature certification authority in accordance with this Law.

3. A public digital signature certification authority shall perform the following tasks:

a) Issuing public digital signature certificates to confirm and maintain the validity status of public digital signature certificates of the subjects signing the data messages;

b) Revoking public digital signature certificate;

c) Checking the validity of the public digital signatures and maintaining the validity status of the public digital signature certificates; without using technical and technological barriers to limit the validity of public digital signatures;

d) Providing necessary information for certification of public digital signatures;

dd) Liaising with national e-certification service providers for the checking of the validity of public digital signatures.

4. Public digital signature certificates and public digital signatures must meet technical regulations and technical requirements for digital signatures and digital signature certification services as prescribed by law.

5. The Government shall detail this Article.

CHAPTER IV. ENTRY INTO AND EXECUTION OF E-CONTRACTS

Article 34. E-contracts

1. An e-contract entered into or performed from the interaction between an automatic information system and a person or between automatic information systems cannot have its legal validity disclaimed for the sole reason that there is no human control or intervention in each specific action performed by automated information systems or in the contract.

2. Ministers and heads of ministerial-level agencies shall promulgate according to their competence or submit to competent authorities for promulgation regulations on the conclusion and performance of e-contracts in the domains within the scope of their assigned tasks and powers, suitable for practical conditions.

Article 35. Entry into e-contracts

1. Entry into e-contracts means the use of data messages to execute part or whole of transactions in the process of entering into e-contracts.

2. An offer to enter into an e-contract and acceptance of the offer to enter into the e-contract may be carried out through data messages, unless otherwise agreed upon by concerned parties.

Article 36. Principles of entry into and execution of e-contracts

1. Participating parties shall have the right to reach agreement on the partial or wholly use of data messages, electronic means in the entry into and execution of contracts.

2. When entering into and executing e-contracts, the parties shall have the right to reach agreement on technical requirements, conditions to ensure integrity and confidentiality related to such e-contracts.

3. The entry into and execution of an e-contract shall comply with the provisions of this Law, the law on contracts and relevant laws.

Article 37. Receipt, sending, time, location of sending or receiving data messages in entering into and execution of e-contracts

The receipt, sending, time, location of sending or receiving data messages in entering into and execution of e-contracts shall be comply with Articles 15, 16, 17 and 18 of this Law.

Article 38. Legal validity of a notice in entry into and execution of e-contracts

In the process of entering into and execution of an e-contract, a notice in the form of a data message shall be legally valid as a notice in paper form.

CHAPTER V. E-TRANSACTIONS OF STATE AGENCIES

Article 39. Types of e-transactions of state agencies

1. E-transactions within a state agency.

2. E-transactions among different state agencies.

3. E-transactions between state agencies and other agencies, organizations and individuals.

Article 40. Management of shared database and data

1. Data in state agencies shall be uniformly organized and decentralized for management according to state agencies’ management responsibilities in order to promote e-transactions. Data may be shared to serve the activities of state agencies, people and businesses in accordance with law.

2. Databases shared in state agencies include national databases, databases of ministries, sectors and localities.

3. The management of the national database is regulated as follows:

a) The national database contains master data as a basis for reference and data synchronization between databases of ministries, sectors and localities;

b) Master data in the national database is valid for official use, equivalent to a paper document provided by a competent agency, unless otherwise provided for by law;

c) Data in the national database is shared with ministries, sectors and localities in service of administrative procedures, administrative reform, and administrative simplification for people, businesses and other agencies and for socio-economic development objectives;

d) The Prime Minister shall approve the list of national databases. The list of national databases must contain the following basic information: name of the national database; the goal of building a national database; scope of data in national databases; information about the master data of national databases stored and shared; objects and purposes of using and exploiting the national database; information sources built and updated in the national database; methods of sharing data from national databases;

dd) The Government shall prescribe the development, updating, maintenance, exploitation and use of the national database; regulate the sharing of national database with databases of other state agencies.

4. The management of databases of ministries, sectors and localities is prescribed as follows:

a) Database of ministries, sectors and localities is a collection of information shared by ministries, sectors and localities;

b) Master data in the databases of ministries, sectors and localities have official use value, equivalent to paper documents provided by ministries, sectors or localities, unless otherwise provided for by law;

c) Ministries, ministerial-level agencies, government-attached agencies, and provincial-level People’s Committees shall prescribe the list of databases; developing, updating, maintaining, exploiting and using the databases of their respective ministries, sectors and localities. The list of databases of ministries, sectors and localities must contain the following basic information: database name; descriptions of the purpose, scope and content of each database; mechanism for collecting, updating and collecting data of each database; lists data categories, including open data and shared data.

5. The State shall cover part or all of the funding for the development and maintenance of national databases, databases of ministries, sectors, localities and other state agencies.

Article 41. Data creation and collection

1. The creation, collection of data, and development of digital data are given the highest priority for the development of digital government and digital transformation in the operations of state agencies.

2. The creation of data in the database of the state agency must use the uniform code table of the shared list promulgated by the competent state agency, consistent with the master data in the national database.

3. State agencies are not allowed to collect or re-collect data or request organizations and individuals to re-provide data that agencies are managing, or data available for connecting and sharing by other state agencies, except for the case of requesting to provide data for updating or using for the purpose of verifying and certifying data, or data failing to meet the quality requirements according to standards and technical regulations or other provisions of law.

4. The Ministry of Information and Communications shall synthesize and publicize the list of data-providing agencies, the list of provided data, the code table of the shared list for agencies, organizations and individuals to search and use.

Article 42. Data connection and sharing

1. State agencies shall be responsible for ensuring the readiness to connect and share data for agencies, organizations and individuals, serving e-transactions, including:

a) Human resources to connect and share data, including on-site human resources who are managing and operating information systems or other relevant human resources in state agencies; if the on-site human resources cannot meet the requirements, they may hire experts;

b) Investment projects on information technology application using the state budget to build information systems and databases in state agencies must have items for data connection and sharing. In case these items are unavailable, there must be a proof that there is no connection and data sharing during the operation and exploitation;

c) Promulgating and publicly announcing regulations on data exploitation and use for databases under their management;

d) Applying measures to ensure cyberinformation security and cybersecurity, data security in the process of data connection and sharing in accordance with law.

2. Unless otherwise provided for by law, state agencies shall be responsible for connecting and sharing data with other agencies and organizations. It is not allowed to provide information in the form of paper documents for information that has been exploited through the form of connection and sharing between information systems; nor collect fee for sharing data between state agencies.

3. State agencies must apply the method of connecting and sharing data online in the network environment between the information systems of the data-providing agencies and data-exploiting agencies and organizations, except for collect information related to state secrets or requirements to ensure national defense and security. In case of not applying the method of connecting and sharing data online, the reason must be clearly stated in writing.

4. State agencies shall apply the data connection and sharing model in the following order of priority:

a) Connecting and sharing through intermediary systems, including: National data sharing and integration platform; infrastructure for connection and data sharing at ministerial and provincial levels according to the Digital National Architecture Framework;

b) Directly connecting between information systems and databases when the intermediary systems are not ready or the agency in charge of the intermediary system determines that the intermediate system fails to meet the data connection and sharing requirements.

5. The Digital National Architecture Framework specified at Point a, Clause 4 of this Article includes the e-Government and Digital Government architectural framework; digital architecture frameworks of agencies and organizations.

6. The Government shall detail the connection and sharing of data; the Digital National Architecture Framework.

Article 43. Open data of state agencies

1. Open data of a state agency mean data that are widely publicized by a competent state agency for agencies, organizations and individuals to freely use, reuse and share. State agencies shall publish open data for agencies, organizations and individuals to freely use, reuse and share in order to promote e-transactions, digital transformation, development of the digital economy and digital society.

2. Open data must be complete and fully reflect information provided by state agencies, be updated with the latest updates, be accessible and useable on the Internet, and ensure the ability of digital devices to send, receive, store and process, comply with the free and open format.

3. Agencies, organizations and individuals are free to access and use open data, without requiring identification when exploiting and using open data.

4. Agencies, organizations and individuals are allowed to freely copy, share, exchange, use open data or combine open data with other data; use open data in their commercial or non-commercial products or services, unless otherwise provided by law.

5. Agencies, organizations and individuals must cite and record information using open data in related products, services and documents using open data.

6. State agencies shall not be responsible for any damage caused by agencies, organizations and individuals, arising from the use of open data.

7. The Government shall detail open data and conditions to ensure the implementation of the provisions of this Article.

Article 44. Activities of state agencies in the electronic environment

1. State agencies must ensure that all results of administrative procedures or other official performance results not classified as state secrets have e-documents with the same legal validity as paper documents which are accessible and usable in the complete form. State agencies must receive and handle requests of organizations and individuals in the electronic environment, unless otherwise provided for by law.

2. The operational fields of state agencies that prioritize the wholly implementation in the electronic environment include: provision of public services; internal administration; direction and operation; supervision, examination and inspection.

3. State agencies must have plans ready in case of emergency situations, in case of disruption of operations in the online network environment, and plans for rescue, troubleshooting, and maintenance of normal transactions.

4. State agencies may hire experts from the annual state budget in accordance with law to advise on database construction; carry out professional and technical activities on management, operation and assurance of cyberinformation security for the information system serving state agencies’ e-transactions.

5. The Government shall detail this Article.

CHAPTER VI. INFORMATION SYSTEMS SERVING E-TRANSACTIONS

Article 45. Information systems serving e-transactions

1. An information system in service of e-transactions is a collection of hardware, software and a database set up with key functions and features to serve e-transactions, ensure authenticity, trust in e-transactions.

Information systems serving e-transactions shall be classified according to information system managers; functions and features of the information system in service of e-transactions; size, number of users in Vietnam or number of monthly visitors from Vietnam.

2. Digital platform for e-transactions is the information system specified in Clause 1 of this Article that creates an electronic environment allowing parties to conduct transactions or provide or use products or services, or used to develop products and services.

3. An intermediary digital platform serving e-transactions is a digital platform specified in Clause 2 of this Article of which the manager is independent from the parties performing the transaction.

4. The Government shall detail this Article.

Article 46. E-transaction accounts

1. An e-transaction account shall be granted by the manager of the information system serving e-transactions, and shall be managed and used in accordance with this Law.

2. An e-transaction account shall be used to conduct e-transactions, in order to store transaction history and ensure the exact order of the account holder’s transaction, to prove the transaction history of the parties as prescribed in Clause 4 of this Article.

3. Agencies, organizations and individuals have the right to choose to use e-transaction accounts in accordance with their needs, unless otherwise provided for by law.

4. The transaction history of an e-transaction account is legally valid to prove the transaction when it fully meets the following requirements:

a) The information system serving e-transactions must ensure safety in accordance with the law on cyberinformation security;

b) Only associated with an agency, organization or individual who is the holder of the e-transaction account;

c) Ensuring accurate transaction time from time source as prescribed by the law on national standard timing sources.

Article 47. Responsibilities of the manager of an information system serving e-transactions

1. The manager of an information system serving e-transactions shall have the following responsibilities:

a) Complying with the provisions of this Law and the law on cyberinformation security, cybersecurity, personal information protection, personal data protection and other relevant laws;

b) Providing information by electronic means as prescribed by law in order to serve the work of measurement, statistics, supervision, inspection, examination and reporting at the request of state management agencies in charge of e-transactions; sharing data in service of state management of e-transactions;

c) Monitoring the safety of the information system serving its e-transactions in accordance with the law on cyberinformation security.

2. The manager of a large-scale intermediary digital platform serving e-transactions shall have the following responsibilities:

a) Complying with provisions of Clause 1 of this Article;

b) Publicly announcing and disseminating the mechanism for reporting problems and handling problems arising in e-transactions;

c) Publicly publicizing and disseminating the mechanism for reporting and handling content violating Vietnamese law on an intermediary digital platform from a reporting source that is assessed as reliable;

d) On an annual basis, reporting according to the Ministry of Information and Communications’ guidance on the incident that has occurred or the case with signs or risks of taking advantage of the information system to commit violations of Vietnamese law.

3. The manager of a very large-scale intermediary digital platform serving e-transactions shall have the following responsibilities:

a) Complying with provisions of Clause 2 of this Article;

b) Publicizing the general principles, parameters or criteria used to make recommendations for displaying content, displaying advertisements to users and allowing users to choose the option of not using recommend displaying content, displaying advertisements based on data analysis about users;

c) Allowing the user to uninstall any pre-installed applications without affecting the basic technical features of the system for normal operation;

d) Publicly publishing and disseminating the code of conduct applicable to parties involved in using the system.

4. The Government shall detail the responsibilities of the manager of an intermediary digital platform in Clauses 2 and 3 of this Article in accordance with the scale and number of users in Vietnam or the number of visitors from Vietnam.

Article 48. Reporting, summarizing and sharing data in service of state management of e-transactions

1. State agencies shall manage the reporting, summarization and sharing of data in service of state management of e-transactions in accordance with law, and their assigned functions, tasks and powers.

2. The Ministry of Information and Communications shall establish and operate a system of receiving and synthesizing data serving the state management of e-transactions by state agencies specified in Clause 1 of this Article in accordance with the Government’s regulations. It shall assume the prime responsibility for formulating, promulgating or requesting competent state agencies to promulgate technical regulations on connection reference models for sharing data by electronic means, device identifiers, network credibility criteria of information systems serving e-transactions.

CHAPTER VII. STATE MANAGEMENT OF E-TRANSACTIONS

Article 49. Contents of the state management of e-transactions

1. Formulating, promulgating and organizing the implementation of strategies, plans and policies on development of e-transactions; legal documents on e-transactions; standards, technical regulations, technical requirements, economic-technical norms, product and service quality in e-transactions.

2. Managing the reporting, measurement and statistics of e-transactions; managing the safety supervision of the information system in service of e-transactions of the information system manager.

3. Trusted service management.

4. Managing and organizing the construction, exploitation and development of national electronic certification infrastructure; the issuance and revocation of digital signature certificates.

5. Providing regulations on the connection between systems providing public digital signature services and public service digital signature services.

6. Propagating and disseminating policies and laws in e-transactions.

7. Managing the training, fostering and development of the human resources and experts in e-transactions.

8. Conducing inspection, examination, settlement of complaints and denunciations and handling of violations of the e-transaction law.

9. Conducting international cooperation in e-transactions.

Article 50. Responsibilities of the state management of e-transactions

1. The Government shall exercise the uniform management over e-transactions.

2. The Ministry of Information and Communications shall act as the focal point to take responsibility before the Government, assuming the prime responsibility for, and coordinating with ministries and ministerial-level agencies in, exercising the state management of e-transactions.

3. Ministries, ministerial-level agencies and provincial-level People’s Committees shall coordinate with the Ministry of Information and Communications in performing the state management of e-transactions in the fields and geographical areas within the scope of their assigned tasks and powers.

4. The Minister of National Defense shall perform the state management of e-transactions in the cipher field and digital signatures for official use on the basis of national standards and technical regulations on digital signatures as prescribed by law.

CHAPTER VIII. IMPLEMENTATION PROVISIONS

Article 51. Amending, supplementing, replacing and repealing a number of articles of relevant laws

1. To amend and supplement Section 119 of Appendix IV – List of conditional investment business sectors and trade to the Law No. 61/2020/QH14 on Investment, which was amended and supplemented under the Law No. 72/2020/QH14, Law No. 03/2022/QH15, Law No. 05/2022/QH15, Law No. 08/2022/QH15 and the Law No. 09/2022/QH15 as follows:

119Trusted service business

2. To amend and supplement Section 7 of Part IV – Information and communications-related charges in the List of Charges and fees to the Law No. 97/2015/QH13 on Charges and Fees, which was amended and supplemented under the Law No. 09/2017/QH14, Law No. 23/2018/QH14, Law No. 72/2020/QH14 and the Law No. 16/2023/QH15 as follows:

7Service charge for maintaining the digital signature certificate status-checking systemThe Ministry of Finance

3. To replace the phrase “specialized digital signature certification system” with the phrase “system for certification of digital signatures for official use” in Clause 3, Article 19 of the Law No. 76/2015/QH13 on Organization of the Government, which was amended and supplemented under the Law No. 47/2019/QH14.

4. To repeal Articles 58 and 59 in the Law No. 67/2006/QH11 on Information Technology, which was amended and supplemented under the Law No. 21/2017/QH14.

Article 52. Effect

1. This Law takes effect from July 1, 2024.

2. The Law No. 51/2005/QH11 on E-Transactions ceases to be effective from the date this Law takes effect, except for the cases specified in Article 53 of this Law.

Article 53. Transitional provisions

1. E-transactions that are established before the effective date of this Law, but have not yet been completed at the effective date of this Law, shall continue to be carried out in accordance with the Law No. 51/2005/QH11 on E-Transactions and legal documents detailing that Law, unless otherwise the parties agree to apply this Law.

2. Digital certificates that are issued before the effective date of this Law, and still remain valid at the effective date of this Law, shall continue to be implemented in accordance with the Law No. 51/2005/QH11 on E-Transactions and legal documents detailing that Law until their expiry dates and shall have the same value as digital certificates specified in this Law.

3. For licenses to provide public digital signature certification services, licenses to use foreign digital certificates in Vietnam, operation registration certificates of specialized digital signature certification authorities, certificates of eligibility for ensuring the safety of specialized digital signatures that have been issued before the effective date of this Law and still remain valid until the date this Law takes effect, they may continue to be used until their expiry dates.

The issuance of digital certificates under licenses and certificates specified in this Clause must comply with the Law No. 51/2005/QH11 on E-transactions and legal documents detailing the Law No. 51/2005/QH11 on E-transactions.

4. For the application dossier for a license to provide public digital signature certification services, a license to use foreign digital certificates in Vietnam, an operation registration certificate of the specialized digital signature certification authority, or the certificate of eligibility for ensuring safety for specialized digital signatures that has been submitted to a competent state agency but has not yet been granted a license or certificate at the effective date of this Law, the provisions of the Law No. 51/2005/QH11 on E-transactions and legal documents detailing the Law No. 51/2005/QH11 on E-transactions shall continue to be applied.

5. The certificate of registration of the provision of e-contract certification services in commerce, which was issued before the effective date of this Law, may continue to be used until the end of June 30, 2027.

6. For registration dossiers for provision of e-contract certification services in commerce, which have been submitted to competent state agencies but have not yet been confirmed by the effective date of this Law, the provisions of the law on e-commerce shall continue to be applied.

7. The Government shall detail this Article.

This Law was passed on June 22, 2023, by the XVth National Assembly of the Socialist Republic of Vietnam at its 5th session.