Issue October 2022
Nguyen Trong Nghia
Le Anh Kien
On 12 June 2018, the National Assembly passed the Law on Cybersecurity, which took effect from 01 January 2019. However, some provisions were not clearly specified and there were many obstacles in practical implementation. Therefore, on 15 August 2022, the Government issued Decree No. 53/2022/ND-CP (“Decree 53”) to detail a number of articles of the Law on Cybersecurity.
Decree 53 takes effect from 01 October 2022. Its key points are as follows:
1. Data localization
Data localization is considered the most remarkable point of Decree 53. The subjects of data localization are foreign enterprises that conduct business in Vietnam in one of the following fields: telecommunications services; services of data storage and sharing in cyberspace; supply of national or international domain names to service users in Vietnam; e-commerce; online payment services; payment intermediary; services of transport connectivity via cyberspace; social networks and social media; online video games; and services of provision, management, or operation of other information in cyberspace in the form of messages, phone calls, video calls, emails or online chat. Such enterprises are obliged to comply with the data localization requirements and set up a branch or a representative office in Vietnam where the service(s) they provide have been used to commit a violation of the Law on Cybersecurity, the Department of Cybersecurity and High-tech Crime Prevention under the Ministry of Public Security has notified them and requested in writing that they coordinate in preventing, investigating and handling the violation, and the foreign enterprises fail to comply, comply incompletely, or prevent, obstruct, disable, or invalidate cybersecurity protection measures implemented by the specialized cybersecurity protection force. The period for setting up a branch or representative office in Vietnam runs from the time the foreign enterprise receives the request to set up a branch or representative office in Vietnam until the foreign enterprise no longer operates in Vietnam or the regulated services are no longer available in Vietnam.
With regard to domestic enterprises, Clause 2 Article 26 of Decree 53 stipulates: “Domestic enterprises store data specified in Clause 1 of this Article in Vietnam”. This provision can be understood to mean that all domestic enterprises are obliged to localize all types of data according to the law. However, another view is that only domestic enterprises that “provide services on telecommunications networks and the Internet, value-added services in cyberspace in Vietnam have activities on collecting, exploiting, analyzing and processing data about personal information, data on the relationship of service users, data created by service users in Vietnam” are required to localize data in Vietnam (quoted from Clause 3, Article 26 of the Law on Cybersecurity 2018).
2. Data subject to data localization
According to Decree 53, the types of data that enterprises must localize in Vietnam include: (i) data regarding personal information of service users in Vietnam; (ii) data generated by service users in Vietnam: user service account name, time of service use, credit card information, email address, network address (IP) of most recent login and logout, and registered phone number for the account or data; and (iii) data about the relationship of service users in Vietnam: friends and groups with which the user connects or interacts.
3. Form and time period of data localization
The form of data localization in Vietnam is decided by the enterprises.
Regarding the time period of data localization, Decree 53 stipulates: “The data localization period specified in Article 26 of this Decree starts from the time the enterprise receives the data localization request until the end of the request. Minimum localization period is 24 months.”
This regulation does not specify whether it applies to domestic enterprises or foreign enterprises. However, it can be understood that this regulation only applies to foreign enterprises, because such enterprises are obliged to localize data at the request of a competent state authority. For domestic enterprises, it can be understood that data localization must be carried out throughout the operation of such enterprises, from the date Decree 53 takes effect.
4. Other provisions
Besides the regulations on data localization, Decree 53 also contains other critical provisions related to the establishment of cybersecurity criteria for important information systems for national security; cybersecurity conditions for important information systems for national security; the order and procedures for applying cybersecurity protection measures; and cybersecurity protection activities in State authorities and central and local political organizations.