On August 15, 2022 the Vietnamese government issued Decree No.53/2022/ND-CP to guide certain articles of the Law on Cybersecurity. Decree 53 provides important clarification of the government’s power to apply certain cybersecurity measures, and on ‘data localisation’ and ‘mandatory physical establishment’ requirements introduced by the law.
Article 5 of the Law on Cybersecurity establishes 12 measures and authorises the government to regulate how these measures will be applied. For the three years preceding the promulgation of Decree 53, many of these cybersecurity measures could not be implemented or enforced due to a lack of regulations.
Under Decree 53, a cybersecurity task force will be established and will have the power to enforce measures which violate the Law on Cybersecurity or which are against national security or public order. It is noteworthy that this will not be a uniform process. If a measure is selected, the owner of the targeted information system will be informed, in writing, of measures to be applied, the reason, and the scope, time, and duration of the applied measures.
The government is also drafting regulations on administrative sanctions for violations of the Law on Cybersecurity. These regulations will work along with Decree 53 to create a complete system for enforcement.
When the requirements for ‘data localisation’ and ‘mandatory physical establishment’ were first introduced in the Law on Cybersecurity, they created concerns for the business community because the community was uncertain whether there would be over-policing.
In August 2019, when the government published a draft decree (which eventually became Decree 53), the general understanding was that an enterprise would not be subject to these two requirements unless it violated the law and was requested to localize data by the government. Decree 53 confirms this general understanding and provides further conditions for the application of such measures.
According to Article 26 of Decree 53, a Vietnamese enterprise must store the following data within Vietnam: personal data of users in Vietnam; data created by Vietnam-based users, including account name, time of usage, credit card information, email address, IP address, most recent log-out, and registered phone number; and data regarding the relationship between Vietnam-based users and the users’ friends and other people with whom the users interact. This is collectively referred to as regulated data.
A foreign enterprise doing business in Vietnam will be required to store regulated data in Vietnam and to establish a branch or a representative office, should that foreign enterprise fit within the following circumstances:
- The foreign enterprise is doing business in Vietnam in one of the following fields: telecommunication services; data sharing and storage, provider of a national or international domain for Vietnamese users; e-commerce; social network and social marketing; online games; provision, management, or operations of other information on the internet in the form of messages, telephone calls, video calls, emails, or online games;
- The services provided by such an enterprise violate the Law on Cybersecurity; and
- The task force has notified the enterprise and requested the enterprise’s cooperation with the prevention, investigation, and handling of such a violation, but the enterprise has failed to cooperate, which causes the task force’s measures to fail.
A foreign enterprise will become subject to the requirement to store its regulated data and to establish a branch or representative office in Vietnam when it falls within these parameters, and if so, the minister of public security will request the enterprise to do so. The enterprise will have 12 months from the date of the request to comply.
The enterprise may choose how it stores Regulated Data, but it must store the Regulated Data in Vietnam until the request is lifted. The enterprise’s establishment must remain in Vietnam until the enterprise no longer has any business in Vietnam or no longer provides the relevant services in the country.
The government aims to have a more comprehensive system to ensure that data of people who reside in Vietnam (including foreigners) are protected under Decree 53, under the abovementioned upcoming decree on administrative sanctions for violations of the Law on Cybersecurity, under a decree on the protection of personal data which is waiting to be finalized for promulgation, and potentially even under a separate law on the protection of personal data.
In order to be prepared, three practices are advisable. First is to classify data – this means to categorise an enterprise’s collected information based on various criteria, including sensitivity, regulatory requirements, etc. It also helps maintain the integrity, accessibility, and confidentiality of data.
Secondly, data should be kept; logged data provides a record of all activities in relation to the stored data, including access time and location. This allows an enterprise promptly to identify risks and respond to a potential threat or a request from the government. Of note, Decree 53 requires that under certain circumstances, logged data must be kept for at least 12 months;
Finally, it is crucial to make clients and customers aware. An enterprise should adequately inform them of their obligations to cooperate with the government, including disclosing clients/customers’ information, if it receives a valid request to do so.