On 15 August 2022, Vietnam issued Decree 53/2022/ND-CP (“Decree 53”) clarifying the Law on Cybersecurity 2018 (“Law”), particularly its requirements to store certain types of data collected in Vietnam locally. Decree 53 came into effect on 1 October 2022.
This article sets out the key highlights of Decree 53.
Requirement to store data locally
Decree 53 clarifies Article 26(3) of the Law, which provides that “foreign and domestic enterprises when providing services on a telecommunication network, the Internet and value-added services in cyberspace in Vietnam” must store users’ personal information data, data of users’ relationship or data created by users in Vietnam for a duration to be set by the Government if they collect, exploit, analyse or process such data (“data localisation requirement”).
The data subject to storage in Vietnam (“subject data”) is specified in Decree 53 as:
- Personal data of users in Vietnam
- Data generated by users in Vietnam, including account names, times of usage of the service, credit card information, email address, network address of the most recent log in/out, and registered phone number associated with the account or with the data
- Data on the relationships of service users in Vietnam, for example, groups with which users connect or interact
All local service providers established under the laws of Vietnam who carry out activities of collecting, exploiting, analysing, or processing the above types of data on telecommunication networks, the Internet, and through value-added services in Vietnam’s cyberspace must store such data in Vietnam.
Decree 53 provides that foreign companies without any business presence in Vietnam that hold the subject data and provide the following services in Vietnam may be required to store data and establish a presence in Vietnam (“affected companies”):
- Online payments
- Providing national or international domain names to service users in Vietnam
- Intermediary payments
- Services providing, managing, or operating other information in cyberspace in the form of messages, voice calls, video calls, online chat, or email
- Social networks, social media
- Storing and sharing data in cyberspace
- Online video games
- Transport connectivity services through cyberspace
Decree 53 stipulates that affected companies must comply with data localisation requirements once a written request by the Department of Cybersecurity and Prevention of High-Tech Crime under Vietnam’s Ministry of Public Security (“Department”) has been issued. A written request is issued where a violation of the Law has transpired and the affected company running the service used for the violation fails to adequately comply with the Department’s request for cooperation, prevention, investigation, and handling. Decree 53 does not set out what types of violation will result in such requests being made. A request is also issued where the affected company resists, obstructs, or disables cybersecurity measures applied by the Department’s cybersecurity protection task force.
Once a request has been issued, the affected company must comply with the data localisation requirements set out above and establish a branch or representative office within 12 months of the request.
The affected company must store the subject data for a minimum of 24 months, commencing on its receipt of the data storage request up to the data storage completion, and must store the system logs that track investigations and violations of cybersecurity rules for a minimum of 12 months. Decree 53 does not specify how the subject data should be stored, noting instead that the decision lies with the company.
Removal of illegal information from cyberspace
Decree 53 provides that information in cyberspace that is determined by the relevant authority to have the following effect must be removed (“illegal information”):
- Infringes upon national security, social order and safety, and legitimate rights and benefits of agencies, organisations, and individuals
- Has “humiliating and slanderous” content
- Infringes upon the order of economic management
- Fabricates and falsifies information, causing confusion among the people and severe damage to socio-economic activities to the extent that such information must be removed
- Distorts history, denies revolutionary achievements, destroys the national solidarity block, conducts offences against religion, gender discrimination or racist acts
- Uses cyberspace for activities such as prostitution, social evils, or human trafficking
- Publishes information which is lewd, depraved or criminal
- Destroys the fine traditions and customs of the people, social ethics, or health of the community
- Incites, entices, or activates other people to commit crime
The Department will send a written request to the affected companies seeking the removal of the illegal information. The Department is also empowered to collect electronic data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of agencies, organisations, and individuals. Decree 53 requires the Department, in retrieving this data, to maintain the status of digital devices and data, to copy and record the data in a manner that is verifiable and to protect its integrity, and to record the process of restoring or searching for the data.
Other clarifications set out in Decree 53
Decree 53 also includes provisions relating to the following:
- Cybersecurity requirements for information systems critical to national security
- Procedures and protocols for assessing, inspecting, and monitoring information systems critical to national security
- Procedures and protocols for responding to a cybersecurity incident
- Procedures and protocols for implementing cryptography to protect network information
- Guidance for cybersecurity protection plans within State agencies and political institutions at local and central level