While much attention has been paid to the data localization requirements for foreign enterprises under Vietnam’s 2018 Cybersecurity Law (“CSL”) and the recently issued Decree 53 guiding its implementation, the corresponding requirements for domestic enterprises are often overlooked, despite being potentially more troublesome.
Under Decree 53, “domestic enterprises” are defined to mean enterprises established or registered for establishment under Vietnamese law and having their head offices in Vietnam (Article 2.11), so this designation includes not only Vietnamese companies, but foreign-invested enterprises as well.
Before analyzing the stipulations in Articles 26 and 27 of Decree 53 further guiding the data localization/storage requirements, it is worth restating the very problematic Article 26.3 of the CSL, which reads:
“Domestic and foreign enterprises providing services on telecommunication networks or the internet or value-added services in cyberspace in Vietnam with activities of collecting, exploiting, analyzing, and/or* processing personal information data, data on the relationships of service users, or data generated by service users in Vietnam must store such data in Vietnam for the period prescribed by the government. Foreign enterprises mentioned in this clause must open branches or representative offices in Vietnam.”
[* Note: The Vietnamese text simply uses a comma here, without specifying whether this should be “and” or “or,” leading to additional problems in interpretation.]
Because of this very broad and ambiguous wording, Article 26.3 of the CSL required further guidance from the government and remained unenforced for more than three years after the CSL took effect on January 1, 2019. Decree 53 guiding the implementation of the CSL was finally issued on August 15, 2022, and provides additional clarity on this matter. But does Decree 53 provide sufficient guidelines for implementation with regard to domestic enterprises?
Scope of Application
With regard to foreign enterprises, although there remains some ambiguity, Decree 53 provides clearer guidelines by specifying 10 types of services (the “regulated services”) that are subject to the data localization requirements, as well as the triggering conditions that lead to foreign enterprises being required to store regulated data and establish a branch or representative office in Vietnam. Decree 53 even covers cases where a foreign enterprise is unable to comply with a decision of the Ministry of Public Security (MPS) due to force majeure reasons. Please see our previous article for a detailed discussion.
With regard to domestic enterprises, Article 26.2 of Decree 53 simply sets out that “domestic enterprises must store the [regulated data as defined in Article 26.1] in Vietnam,” raising concerns as to what exactly is the true intention of the drafter.
This intention could be interpreted in several ways:
(1) The drafter wishes to cover all domestic enterprises (i.e., every company incorporated in and operating in Vietnam, regardless of industry or sector);
(2) The drafter wishes to cover all domestic enterprises “providing services on telecommunication networks or the internet or value-added services in cyberspace in Vietnam collecting, exploiting, analyzing, and/or processing personal information data, data on the relationships of service users, or data generated by service users in Vietnam,” as provided by Article 26.3 of the CSL, without any triggering conditions; or
(3) The drafter additionally wants to limit the services of domestic enterprises to the 10 regulated service types for foreign enterprises, with the same triggering conditions, to afford equal treatment between domestic enterprises and foreign enterprises. (Obviously, the scope of application in the first two interpretations would lead to differential treatment.)
Interpretation (1) provides the broadest coverage and would significantly widen the scope of the CSL. In theory, according to the hierarchy of law and sub-laws in Vietnam, this is not legal. In practice, we have seen the authorities enforce stricter requirements found in subordinate legislation, instead of the broad requirements under the primary law. However, in our opinion, this intention is the least likely.
Interpretation (2) is the strictly “legal” interpretation, and the most likely intention of the drafter because Decree 53 was issued to implement certain articles of the CSL – Article 26.3 in this case. However, if interpretation (2) is the true intention of the drafter, the scope of coverage remains extremely broad and unclear, and may need further clarification from the MPS.
If the intention of the drafter is to treat domestic enterprises and foreign enterprises equally – i.e., interpretation (3) – then the drafting technique is flawed, because by not specifying the 10 regulated types of services and the triggering conditions for domestic enterprises, Article 26 of Decree 53 is not drafted in a way to support this intention.
Without further clarification from the MPS, interpretation (2) is the most likely intention; however, it could be argued that this clause thus covers all types of online services for domestic enterprises that collect, use, analyze, and/or process regulated data. Why would this be so?
Article 26.3 of the CSL specifies three types of services – “services on telecommunication networks”; “services on the internet”; and “value-added services in cyberspace” – without further explanation or definition, leaving it up to Decree 53 to define these services:
- “Services on telecommunication networks means telecommunication services and telecommunication application services as prescribed by law” (Article 2.6 of Decree 53). Telecom law defines telecommunication application services to mean “services using telecom transmission lines or telecom networks to provide application services in the sectors of information technology, radio, television, commerce, finance, culture, information, medical health, education, and other sectors.” The notable inclusion of “other sectors” could be interpreted as a “catch-all” term, leading to the possibility that it could cover all sectors/services provided on telecom/internet networks. (The internet network is a type of telecom network.)
- “Services on the internet means internet services and services providing content on the internet as prescribed by law” (Article 2.7 of Decree 53). The concept of “services providing content on the internet” is not defined and is very broad. Arguably, without definition, such services could be interpreted to include online news, online consulting, online advertising, video on demand, OTT television services, online games, social networks, etc., leading to an extremely broad scope of application.
- “Value-added services in cyberspace means value-added telecommunication services as prescribed by law” (Article 2.8 of Decree 53).
Therefore, with regard to domestic enterprises, it could be said that if there is no further guidance or clarification from the MPS, all online service providers which collect, use, analyze, and/or process regulated data are required to store the regulated data in Vietnam.
Form of Data Storage
Under Article 26.5 of Decree 53, the form of data storage in Vietnam is to be decided by the enterprises. However, what is sufficient to be considered as “storing data in Vietnam” is still very ambiguous.
As technology has evolved, cloud storage has become a very popular method for both domestic and foreign enterprises to store data. Is it sufficient to store data “in the cloud” if the cloud infrastructure is not located in Vietnam but is accessible via a computer in Vietnam? Or does the data need to be stored in a computer/server or cloud infrastructure that is physically located in Vietnam? Does the original regulated data have to be stored in Vietnam, or is it sufficient to just store a copy? These practical concerns need further clarification from the MPS.
Duration of Data Storage
The duration for storage of regulated data of domestic enterprises is also unclear. Article 27.1 of Decree 53 stipulates that the data storage period specified in Article 26 of the decree starts from the time the enterprise receives a data storage request and lasts until the end of the request. The minimum storage period is 24 months.
It is unclear whether this data storage period is applicable to both domestic and foreign enterprises. While for foreign enterprises, Decree 53 clearly specifies the authority’s request to store data in Vietnam as a triggering condition, the decree is silent as to any conditions under which the authority will request domestic enterprises to store regulated data. As analyzed above, there might be no such condition to trigger a request for domestic enterprises. This means that, technically, Article 27.1 should only be applicable to foreign enterprises because it requires the enterprise to receive a data storage request from the authority. Therefore, it could be argued that the specified data storage duration is also only applicable to foreign enterprises, and the decree is silent regarding the data storage period for domestic enterprises. Accordingly, it is also unclear whether domestic enterprises have the obligation to continue retaining regulated data after their service users cease the use of their services.
Grace Period for Implementation
Decree 53 is silent on the grace period for domestic enterprises to store data in Vietnam. This could be interpreted to mean that unless there is further guidance from the MPS, domestic enterprises must comply with this requirement from the day Decree 53 takes effect, i.e., October 1, 2022.
Meanwhile, foreign enterprises only need to implement the data localization requirements when the triggering conditions are fulfilled and the MPS has issued a decision requesting them to do so. They also have a grace period of 12 months from the date of the decision to store data in Vietnam. Therefore, compared with foreign enterprises, domestic enterprises would need to be more proactive and act more quickly in storing regulated data in Vietnam.
How Should Domestic Enterprises Move Forward?
Although there has been a long wait for the promulgation of a decree guiding the implementation of the CSL, Decree 53 as issued still poses various ambiguities, uncertainties, and concerns that could prevent it from being implemented effectively. The question put forward is whether the MPS will issue a circular or other official clarification providing further guidance on the implementation of Decree 53, especially clarification on the requirements applicable to domestic enterprises.
If there is no further clarification or guidance from the MPS, the strict legal interpretation of Decree 53 would be that all domestic enterprises “providing services on telecommunication networks or the internet or value-added services in cyberspace in Vietnam collecting, exploiting, analyzing, and/or processing personal information data, data on the relationships of service users, or data generated by service users in Vietnam” must store this regulated data in Vietnam. This means that all domestic online service providers which collect, use, analyze, or process regulated data should prepare themselves to comply with this requirement, starting from October 1, 2022.
In addition, if there is no further guidance, domestic enterprises would be well advised to store physically in Vietnam all regulated data they collect, use, analyze, or process. For example, they may store the regulated data in a file which is stored on a computer (their existing system) located in Vietnam, rather than in cloud storage that might be accessible via a computer in Vietnam, but hosted in another country.