You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

August 19, 2022

Decree 53 Provides Long-Awaited Guidance on Implementation of Vietnam’s Cybersecurity Law

Subscribe to Updates

Vietnam’s Cybersecurity Law was promulgated on June 12, 2018, and came into effect on January 1, 2019, with a majority of its provisions enforceable from the effective date. However, certain provisions of the law, including the very concerning data localization requirements, still awaited further guidance from implementing regulations. After more than three years of being drafted and submitted back and forth to the government for consideration and approval, Decree No. 53/2022/ND-CP to implement certain articles of the Cybersecurity Law (Decree 53) was finally promulgated on August 15, 2022, with an effective date of October 1, 2022. Key provisions of Decree 53 include the following.

1. Data localization requirements (Articles 26 & 27)

Decree 53 retains most of the data localization requirements of the last accessible version of the draft decree dated August 21, 2019 (Draft Decree), clearly extends the scope of requirements to cover both domestic and foreign enterprises, adds regulations on force majeure events, and amends the timeline to implement data localization requirements for business facilitation.

(i) Data subject to data localization:

Data (information in the form of symbols, writing, numbers, images, sounds, or similar forms) which must be stored in Vietnam (“regulated data”) includes:

  • Data on personal information of service users in Vietnam: Data used to identify an individual.
  • Data generated by service users in Vietnam: Data reflecting the process of participating in, operating and/or using cyberspace by service users and information about network equipment and services used in order to connect with cyberspace in the territory of Vietnam. This includes the account name for use of services, duration of use of services, credit card information, email address, IP addresses for the latest login and logout, and registered telephone number attached to the account or data.
  • Data on the relationships of service users in Vietnam: Data reflecting and determining the relationship between a service user and other people in cyberspace. This includes friends and groups with which the user connects or interacts.

(ii) Businesses/services subject to data localization

Domestic enterprises: All domestic enterprises, no matter which services they provide, must store regulated data in Vietnam.

Foreign enterprises: There are 10 businesses/services of foreign enterprises subject to storage of regulated data in Vietnam and establishment of branches or representative offices in Vietnam (“regulated services”). These include (i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.

(iii) Conditions triggering data localization requirements for foreign enterprises

While all domestic enterprises, without any exemptions, must store regulated data in Vietnam, a foreign enterprise is only required to store regulated data and establish a branch or representative office in Vietnam when:

  • It operates in one of the 10 regulated businesses/services mentioned above;
  • It has been warned by the Department for Cybersecurity and Prevention of High-Tech Crime (A05) under the Ministry of Public Security (MPS) that the services it provides have been used to commit a breach of the law on cybersecurity and it has not taken any measures for avoiding, dealing with, fighting against, or preventing such breach, or it has resisted, obstructed, or ignored requests from the relevant authorities.

One interesting note is that compared to the Draft Decree, Decree 53 has removed a third condition that the enterprise “carries out activities of collecting, exploiting [using], analyzing, and processing regulated data.” The intention of the drafter in removing this condition is unclear. The removal could be interpreted to mean that the drafter would like to widen the application scope of Decree 53 compared to the Draft Decree, or the drafter might think that collecting, using, analyzing, and processing online data are obvious and unavoidable activities in the relationship between enterprises and their service users, so there is no need to specify this as one of the triggering conditions.

The act of collecting, using, analyzing, and processing regulated data of enterprises is regulated in a separate clause (Article 26.4) in Decree 53. The wording in this clause is very obscurely drafted. However, it could be understood as follows:

  • If the data an enterprise collects, uses, analyzes, or processes is not completely stored in Vietnam as required for regulated data, the enterprise must cooperate with A05 to verify and store the data which they are collecting, using, analyzing and processing.
  • If an enterprise collects, uses, analyzes, or processes additional data which falls under regulated data, the enterprise must cooperate with A05 to supplement this data to the list of data which needs to be stored in Vietnam.

Thus, it could be interpreted that, with regard to foreign enterprises, this separate clause of collecting, using, analyzing, and processing regulated data must be read together with the triggering conditions mentioned above. In other words, not every foreign enterprise operating in the 10 regulated businesses and not every foreign enterprise collecting, using, analyzing, and processing regulated data is automatically required to store regulated data and establish a branch or representative office in Vietnam; a foreign enterprise is only required to do so when both triggering conditions are fulfilled.

In addition, if an enterprise is required to store regulated data in Vietnam when the two triggering conditions are fulfilled, but it has not stored all the regulated data in Vietnam as required (for example, if a portion of this regulated data is stored overseas without any backup/mirror copy stored in Vietnam), A05 can then request the enterprise to cooperate to verify the data and ensure all regulated data is locally stored.

 If a foreign enterprise is required to store regulated data and establish a branch or representative office in Vietnam, it would receive a decision of the Minister of Public Security requiring it to do so. Within 12 months from the date of the decision, the enterprise must complete the storage of data and establishment of a branch or representative office in Vietnam in compliance with relevant laws. Enterprises which do not comply with data localization requirements, depending on the nature and degree of violation, will be dealt with according to the law.

(iv) Force majeure

In cases of force majeure where a foreign enterprise’s compliance with the MPS’s decision to locally store regulated data in Vietnam is not possible, the enterprise must notify A05 within three working days for verification of the authenticity of force majeure. In this case, the enterprise has 30 working days to find a corrective solution.

(v) Form and duration of data storage and having a branch or representative office in Vietnam

The form of data storage in Vietnam is to be decided by the enterprises. The duration starts from the time the enterprise receives a request for storing data and lasts until the request ends, with a minimum storage time of 24 months.

System logs to serve investigation and handling of violations of the law on cybersecurity are stored for at least 12 months.

The period for having a branch or representative office in Vietnam will start from the date on which the enterprise receives a request to set up a branch or representative office and continues until the enterprise is no longer operating in Vietnam or no longer provides the regulated services in Vietnam.

2. Take-down of illegal online content (Article 19)

Illegal online content which is subject to be taken down is specified in Article 19.1 of Decree 53, and includes, among other content, content that infringes national security, propagandizes against the state; incites violence; disrupts security or public order; is humiliating or slanderous; infringes upon economic management order; or fabricates or distorts the truth, causing confusion among the people or causing serious damage to socio-economic activities.

This illegal content is subject to a decision on take-down by the Director General of A05, the heads of competent agencies of the MIC, or the specialized force for cybersecurity protection under the Ministry of Defense depending on the matter. Under Article 22.5 of Decree 53, the MPS is the focal point for matters of national security, social order and safety, cybersecurity protection, and prevention and fighting of cybercrime, cyber-terrorism, and cyber-espionage; the Ministry of Defense is the focal point for national defense activities in cyberspace; and the MIC is the focal point for civil activities outside the activities under the authority of the MPS and Ministry of Defense.

3. Collection of electronic data (e-data) relating to illegal activities in cyberspace (Article 20)

Illegal activities in cyberspace are those that infringe upon national security, social order and safety, or the lawful rights and interests of agencies, organizations, and individuals. The Director General of A05 will decide on measures to collect e-data to serve the purposes of investigation and handling of such activities. This collection must be carried out in accordance with the law and stipulated conditions and procedures specified in Article 20 of Decree 53.

4. Suspension or stoppage of information system operation, revocation of domain names (Article 21)

Suspension or stoppage of information system operation or revocation of domain names is only applicable on two grounds: (i) when there are documents proving that the operation of the information system violates the laws on national security and cybersecurity; or (ii) when the information system is being used for the purpose of infringing upon national security or social order and safety. The Minister of Public Security will issue decisions on suspension or stoppage of information system operation or revocation of domain names while the head of A05 will implement such decisions.

In urgent cases, in order to promptly stop the operation of an information system to avoid causing harm to national security or to prevent potentially harmful consequences, A05 can request concerned agencies, organizations, and individuals, directly or via fax or email, to suspend or stop the operation of such information system, and within 24 hours from the time of the request, A05 must send a written request for suspension or stoppage. If this time limit is exceeded without a written decision being issued, the information system may resume operation.

In cases related to the suspension or revocation of a national domain name, the relevant authority will send a written request to the VNNIC (Vietnam Internet Network Information Center) for suspension or revocation in accordance with the procedures prescribed by law.

If the suspension or stoppage is done without the grounds mentioned above, the people and agencies involved are responsible before the law, and must compensate for any damage caused to related agencies, organizations, or individuals.

5. Responsibilities in implementing measures to protect cybersecurity (Article 22)

When competent authorities announce that cross-border service providers are in violation of Vietnamese law, Vietnamese organizations and enterprises must coordinate with the authorities in preventing and handling the violations of these cross-border service providers.

Agencies, organizations, and individuals must promptly coordinate with and assist the specialized cybersecurity force in implementing measures for cybersecurity protection.

Any act of taking advantage of cybersecurity protection measures to violate the law will, depending on the nature and seriousness of the violation, be handled in accordance with the law; if damage is caused to the lawful rights and interests of other entities, the violator must provide compensation in accordance with the law.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

March 27, 2024
Two notifications on the cross-border transfer of personal data, issued by Thailand’s Personal Data Protection Committee (PDPC), came into effect on March 24, 2024. These notifications, which we detailed in a previous update, set out the criteria governing the cross-border transfer of personal data offshore, specifically focusing on situations where appropriate personal data protection standards are in place. Of particular importance is the role of binding corporate rules (BCRs) in enabling the cross-border transfer of personal data among affiliated businesses or within the same group of undertakings. The implementation of BCRs requires a comprehensive review and approval process by the Office of the PDPC, strictly in accordance with the criteria set out in one of the two notifications. With the notifications now fully enforceable, the Office of the PDPC has begun accepting BCRs for review. Data controllers and data processors intending to adopt BCRs as a means for transferring data to offshore affiliates or group companies must initiate the BCR submission process promptly. Failure to comply with PDPA requirements concerning the cross-border transfer of personal data could result in substantial penalties. Organizations involved in cross-border personal data transfers should be proactive in complying with the prescribed criteria to avoid these regulatory penalties and maintain the data protection standards mandated by the PDPA. For more information on these cross-border personal data transfer regulations, or on any aspect of complying with Thailand’s data protection laws, please contact Nopparat Lalitkomon at [email protected], Gvavalin Mahakunkitchareon at [email protected], or Wilin Somya at [email protected].
Read More
March 27, 2024
The Bank of Thailand (BOT) has opened a public comment period on their consultation paper titled “Criteria for Supervising Virtual Banks” from March 19, 2024, to April 17, 2024. The consultation paper reveals that the BOT intends to apply traditional commercial bank supervisory standards to virtual banks. However, the BOT also explains that the wholly digital nature of the services offered by virtual banks necessitates additional regulatory supervision. Additional Supervisory Criteria for Virtual Banks Financial business group: If a virtual bank is within the same financial business group as other financial institutions, its parent company must structure the virtual bank to be under its own sole consolidated financial business group. After the virtual bank has undergone the “restricted phase” in its initial years of operation (see below), other financial institutions within the group are prohibited from extending credit to or engaging in transactions similar to lending activities with the virtual bank. Shareholding structure: If the increase in the financial institution system capital is higher than the actual capital injection resulting from the bank’s shareholding structure, the BOT aims to issue an additional regulation to supervise the capital of the virtual bank and financial institution system to prevent double counting. Operational risk: Virtual banks must not use a trademark or logo that bears resemblance to or implies association with other financial institutions or financial institution groups. Governance: Virtual banks must have at least one director and chief technology officer (CTO) with at least three years of experience in IT or digital service. Additionally, the CTO must work full-time for the virtual bank and may not be an employee of another legal entity. Restriction on related lending and related-party transactions: Virtual banks must obtain prior unanimous approval from their boards of directors before engaging in transactions with major shareholders or businesses
Read More
March 27, 2024
Last year, the government of Vietnam issued the Personal Data Protection Decree (PDPD), which took effect on July 1, 2023. The Department of Cybersecurity and High-Tech Crime Prevention and Control (referred to as “A05”) under the Ministry of Public Security (MPS) is tasked with implementing and enforcing the requirements under the PDPD. While a decree on sanctioning provisions for noncompliance with the PDPD is still pending issuance, further movements from the MPS/A05 indicate that it aims to start conducting its first inspections into PDPD compliance. This is the first time that companies and government agencies have been officially questioned by the MPS about their compliance with the PDPD. The purposes of this inspection program are (1) to evaluate the compliance status of a group of selected companies and government agencies and to understand challenges in complying with the PDPD requirements; (2) to propose sanctions for noncompliance; and (3) to collect information and comments for the development of the upcoming Personal Data Protection Law—not to spot noncompliance with the PDPD specifically. This round of inspection includes a number of companies in 14 sectors (including e-commerce, aviation, telecom, banking and finance, intermediary payment, insurance, gaming, education, healthcare, real estate, data processing services, ride hailing, etc.). The companies targeted by this inspection program must: (1) submit a report on compliance to the MPS/A05 by May 30, 2024 (this report is different from the data protection impact assessment (DPIA)/transfer impact assessment (TIA) submission requirements); and (2) coordinate with the MPS/A05 on any further investigation actions from June to August 2024. The inspection results will be available by September 2024. Key information to be reported includes, among others: (1) a description of the activities and measures carried out to implement the PDPD (such as protecting data subjects’ rights, performing administrative procedures, preventing violations, etc.)
Read More
March 18, 2024
Vietnam’s new Telecom Law 2023 was promulgated on November 24, 2023, and will take effect on July 1, 2024, for most telecom services. For three newly introduced telecom services—OTT telecom services, internet data center services, and cloud computing services—implementation and compliance will be delayed until January 1, 2025. These new services will be explored briefly below. The Ministry of Information Communication (MIC) is currently in the process of developing a number of decrees and circulars that will detail the implementation of the Telecom Law 2023, including one main decree that guides the new law in general. This decree is scheduled for prompt promulgation to coincide with the law’s effective date of July 1, 2024. The draft version of this decree, dated February 22, 2024 (“Draft Decree”), was shared for consultation with international organizations, associations, and enterprises by the Vietnam Telecom Agency (VNTA) in early March 2024 to gather feedback. The Draft Decree is expected to undergo further revisions before being sent to relevant state agencies for input and submission to the Ministry of Justice for assessment by the end of March 2024. The MIC anticipates submitting the subsequent version to the government by April 15, 2024.   New Telecom Services: OTT Telecom Services, IDC Services, and Cloud Computing Services In comparison to the Telecom Law 2009, the Telecom Law 2023 has three new telecom services: Basic telecommunications services on the internet (OTT telecom services) are defined as services whose primary functions including the sending, transmission, and receipt of information between two persons or a group of people using telecommunications services on the internet (Article 3.8 of the Telecom Law 2023). By incorporating the term “primary functions” into the definition, the Telecom Law 2023 aims to exclude services such as ride-hailing platforms where the primary function is transportation, not telecom
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice