Vietnam’s Cybersecurity Law was promulgated on June 12, 2018, and came into effect on January 1, 2019, with a majority of its provisions enforceable from the effective date. However, certain provisions of the law, including the very concerning data localization requirements, still awaited further guidance from implementing regulations. After more than three years of being drafted and submitted back and forth to the government for consideration and approval, Decree No. 53/2022/ND-CP to implement certain articles of the Cybersecurity Law (Decree 53) was finally promulgated on August 15, 2022, with an effective date of October 1, 2022. Key provisions of Decree 53 include the following.
1. Data localization requirements (Articles 26 & 27)
Decree 53 retains most of the data localization requirements of the last accessible version of the draft decree dated August 21, 2019 (Draft Decree), clearly extends the scope of the requirements to cover both domestic and foreign enterprises, adds regulations on force majeure events, and amends the timeline for implementing the data localization requirements in order to facilitate business.
(i) Data subject to data localization:
Data (information in the form of symbols, writing, numbers, images, sounds, or similar forms) which must be stored in Vietnam (“regulated data”) includes:
- Data on personal information of service users in Vietnam: Data used to identify an individual.
- Data generated by service users in Vietnam: Data reflecting the process of participating in, operating and/or using cyberspace by service users and information about network equipment and services used in order to connect with cyberspace in the territory of Vietnam. This includes the account name for use of services, duration of use of services, credit card information, email address, IP addresses for the latest login and logout, and registered telephone number attached to the account or data.
- Data on the relationships of service users in Vietnam: Data reflecting and determining the relationship between a service user and other people in cyberspace. This includes friends and groups with which the user connects or interacts.
(ii) Businesses/services subject to data localization
Domestic enterprises: All domestic enterprises, no matter which services they provide, must store regulated data in Vietnam.
Foreign enterprises: There are 10 businesses/services of foreign enterprises subject to storage of regulated data in Vietnam and establishment of branches or representative offices in Vietnam (“regulated services”). These include (i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.
(iii) Conditions triggering data localization requirements for foreign enterprises
While all domestic enterprises, without any exemptions, must store regulated data in Vietnam, a foreign enterprise is only required to store regulated data and establish a branch or representative office in Vietnam when:
- It operates in one of the 10 regulated businesses/services mentioned above; and
- It has been warned by the Department for Cybersecurity and Prevention of High-Tech Crime (A05) under the Ministry of Public Security (MPS) that the services it provides have been used to commit a breach of the law on cybersecurity and it has not taken any measures for avoiding, dealing with, fighting against, or preventing such breach, or it has resisted, obstructed, or ignored requests from the relevant authorities.
One interesting note is that compared to the Draft Decree, Decree 53 has removed a third condition that the enterprise “carries out activities of collecting, exploiting [using], analyzing, and processing regulated data.” The intention of the drafter in removing this condition is unclear. The removal could be interpreted to mean that the drafter would like to widen the application scope of Decree 53 compared to the Draft Decree, or the drafter might think that collecting, using, analyzing, and processing online data are obvious and unavoidable activities in the relationship between enterprises and their service users, so there is no need to specify this as one of the triggering conditions.
The collection, use, analysis, and processing of regulated data by enterprises is regulated in a separate clause (Article 26.4) of Decree 53. This clause is very obscurely drafted. However, it could be understood as follows:
- If the data an enterprise collects, uses, analyzes, or processes is not completely stored in Vietnam as required for regulated data, the enterprise must cooperate with A05 to verify and store the data which it is collecting, using, analyzing, and processing.
- If an enterprise collects, uses, analyzes, or processes additional data which falls under regulated data, the enterprise must cooperate with A05 to add this data to the list of data which needs to be stored in Vietnam.
Thus, it could be interpreted that, with regard to foreign enterprises, this separate clause on collecting, using, analyzing, and processing regulated data must be read together with the triggering conditions mentioned above. In other words, not every foreign enterprise operating in the 10 regulated businesses and not every foreign enterprise collecting, using, analyzing, and processing regulated data is automatically required to store regulated data and establish a branch or representative office in Vietnam; a foreign enterprise is only required to do so when both triggering conditions are fulfilled.
In addition, if an enterprise is required to store regulated data in Vietnam when the two triggering conditions are fulfilled, but it has not stored all the regulated data in Vietnam as required (for example, if a portion of this regulated data is stored overseas without any backup/mirror copy stored in Vietnam), A05 can then request the enterprise to cooperate to verify the data and ensure all regulated data is locally stored.
If a foreign enterprise is required to store regulated data and establish a branch or representative office in Vietnam, it would receive a decision of the Minister of Public Security requiring it to do so. Within 12 months from the date of the decision, the enterprise must complete the storage of data and establishment of a branch or representative office in Vietnam in compliance with relevant laws. Enterprises which do not comply with data localization requirements, depending on the nature and degree of violation, will be dealt with according to the law.
(iv) Force majeure
In cases of force majeure where a foreign enterprise’s compliance with the MPS’s decision to locally store regulated data in Vietnam is not possible, the enterprise must notify A05 within three working days for verification of the authenticity of force majeure. In this case, the enterprise has 30 working days to find a corrective solution.
(v) Form and duration of data storage and having a branch or representative office in Vietnam
The form of data storage in Vietnam is to be decided by the enterprises. The duration starts from the time the enterprise receives a request for storing data and lasts until the request ends, with a minimum storage time of 24 months.
System logs to serve investigation and handling of violations of the law on cybersecurity are stored for at least 12 months.
The period for having a branch or representative office in Vietnam will start from the date on which the enterprise receives a request to set up a branch or representative office and continues until the enterprise is no longer operating in Vietnam or no longer provides the regulated services in Vietnam.
2. Take-down of illegal online content (Article 19)
Illegal online content which is subject to take-down is specified in Article 19.1 of Decree 53, and includes, among other content, content that infringes national security; propagandizes against the state; incites violence; disrupts security or public order; is humiliating or slanderous; infringes upon economic management order; or fabricates or distorts the truth, causing confusion among the people or causing serious damage to socio-economic activities.
This illegal content is subject to a decision on take-down by the Director General of A05, the heads of competent agencies of the Ministry of Information and Communications (MIC), or the specialized force for cybersecurity protection under the Ministry of Defense, depending on the matter. Under Article 22.5 of Decree 53, the MPS is the focal point for matters of national security, social order and safety, cybersecurity protection, and prevention and fighting of cybercrime, cyber-terrorism, and cyber-espionage; the Ministry of Defense is the focal point for national defense activities in cyberspace; and the MIC is the focal point for civil activities outside the activities under the authority of the MPS and Ministry of Defense.
3. Collection of electronic data (e-data) relating to illegal activities in cyberspace (Article 20)
Illegal activities in cyberspace are those that infringe upon national security, social order and safety, or the lawful rights and interests of agencies, organizations, and individuals. The Director General of A05 will decide on measures to collect e-data to serve the purposes of investigation and handling of such activities. This collection must be carried out in accordance with the law and stipulated conditions and procedures specified in Article 20 of Decree 53.
4. Suspension or stoppage of information system operation, revocation of domain names (Article 21)
Suspension or stoppage of information system operation or revocation of domain names is only applicable on two grounds: (i) when there are documents proving that the operation of the information system violates the laws on national security and cybersecurity; or (ii) when the information system is being used for the purpose of infringing upon national security or social order and safety. The Minister of Public Security will issue decisions on suspension or stoppage of information system operation or revocation of domain names while the head of A05 will implement such decisions.
In urgent cases, in order to promptly stop the operation of an information system to avoid causing harm to national security or to prevent potentially harmful consequences, A05 can request concerned agencies, organizations, and individuals, directly or via fax or email, to suspend or stop the operation of such information system, and within 24 hours from the time of the request, A05 must send a written request for suspension or stoppage. If this time limit is exceeded without a written decision being issued, the information system may resume operation.
In cases related to the suspension or revocation of a national domain name, the relevant authority will send a written request to the VNNIC (Vietnam Internet Network Information Center) for suspension or revocation in accordance with the procedures prescribed by law.
If the suspension or stoppage is done without the grounds mentioned above, the people and agencies involved are responsible before the law, and must compensate for any damage caused to related agencies, organizations, or individuals.
5. Responsibilities in implementing measures to protect cybersecurity (Article 22)
When competent authorities announce that cross-border service providers are in violation of Vietnamese law, Vietnamese organizations and enterprises must coordinate with the authorities in preventing and handling the violations of these cross-border service providers.
Agencies, organizations, and individuals must promptly coordinate with and assist the specialized cybersecurity force in implementing measures for cybersecurity protection.
Any act of taking advantage of cybersecurity protection measures to violate the law will, depending on the nature and seriousness of the violation, be handled in accordance with the law; if damage is caused to the lawful rights and interests of other entities, the violator must provide compensation in accordance with the law.