On 15 August 2022, the Government issued long-awaited Decree No.53/2022/ND-CP (“Decree 53”), detailing a number of articles of the Law on Cybersecurity 2018. Decree 53 will take effect on 1 October 2022.
- What data must be stored in Vietnam
In brief, subject to the decision by the Minister of the Ministry of Public Security (“MoPS”) with respect to foreign enterprises, the following data must be stored in Vietnam (“Regulated Data”):
- Data on personal information of service users in Vietnam (i.e. data in the form of symbols, letters, numbers, images, sounds or the like to identify identity of an individual);
- Data generated by service users in Vietnam (i.e. data in the form of symbols, letters, numbers, images, sounds or the like reflecting the process of participation in, operation and use of cyberspace by service users and information about network equipment and services used to connect to cyberspace in the territory of Vietnam): including account name, service use time, credit card information, email address, network (IP) address of the last login and logout, registered phone number associated with the account or data; and
- Data on the relationship of service users in Vietnam (i.e. data in the form of symbols, letters, numbers, images, sounds or the like that reflect, identify the relationship of service users with others in cyberspace): including friend list, list of groups with which service users connect or interact.
Who must store data in Vietnam
Article 26.3 of the Law on Cybersecurity provided a broad interpretation of enterprises subject to data storage requirement, which raised concerns on the enforceability of the provision. In particular, domestic and foreign enterprises providing services on (i) telecommunications networks, (ii) the Internet, and/or (iii) value-added services in cyberspace in Vietnam, which conduct activities of collecting, exploiting, analyzing and processing data of “service users in Vietnam” (defined as organizations and individuals using cyberspace in the territory of Vietnam), must store the Regulated Data and establish a branch or a representative office, in Vietnam.
While there is no further guidance under Decree 53 on specific services which subject domestic enterprises to the data storage requirement in Vietnam, Decree 53 does itemize the following specific services to/ in Vietnam (“Applicable Services”), which will subject foreign service providers to the data storage requirement in Vietnam:
- Telecommunications services;
- Storing and sharing data in cyberspace;
- Providing national or international domain names to service users in Vietnam;
- Online payment;
- Intermediary payment services;
- Transport connection services through cyberspace;
- Social networks and social media;
- Online video games; and
- Services that provide, manage or operate other information in cyberspace in the form of messages, voice calls, video calls, e-mails, online chats.
However, not all foreign enterprises providing the Applicable Services must store their Regulated Data in Vietnam. In this regard, Decree 53 does provide further conditions for triggering the data storage requirement in Vietnam (“Triggering Conditions”), particularly as follows:
- the service provided by the enterprise is used to commit violations of the Law on Cybersecurity; and
- the Cybersecurity and High-Tech Crime Prevention and Control Department of the MoPS (“Cybersecurity Department”) has notified and requested coordination, prevention, investigation, and handling in writing; but
- the concerned enterprise fails to comply, fails to comply fully, or prevents, obstructs, disables, or invalidates network security protection measure(s) performed by the force specialized in network security protection.
Nonetheless, there is an exemption to the Triggering Conditions. Specifically, in case of a force majeure when the foreign enterprises cannot comply with the data storage requirement, they shall notify the Cybersecurity Department within 03 working days for verification. Within a 30-day-period, such foreign enterprises must also find a solution to such incident.
- What form data must be stored in Vietnam
Decree 53 does not provide any specific requirement, but permit applicable enterprises whether an enterprise is domestic or foreign to make their decision on the form of their data storage in Vietnam.
- How long data must be stored in Vietnam
If applicable domestic enterprises are required by Decree 53 to automatically store the Regulated Data in Vietnam, for applicable foreign enterprises, the Regulated Data will be stored for a specific period as specified in the data storage request from the Minister of the MoPS, starting from the time the enterprise receives such request. In all cases, the minimum data storage period must be at least 24 months.
It is noted that in all cases, the data storage by foreign enterprises in Vietnam, must be completed as soon as possible within 12 months from receipt by these enterprises of the data storage request from the Minister of the MoPS. Furthermore, in case of requesting for block or deletion of prohibited information by the MoPS or the Ministry of Information and Communications, system logs for investigation and dealing with violations of the laws on network security must be kept for at least 12 months. Decree 53 does not specify when the said 12-month period starts, but it would reasonably start from receipt by the enterprises of the Cybersecurity Department’s request.
- Other related data storage requirements that enterprises must be aware
In addition to the said requirement on data storage in Vietnam, domestic and foreign enterprises must be aware of the following general requirements:
- In case where the enterprises do not collect, exploit, analyze and process all of the Required Data, the enterprise must coordinate with the Cybersecurity Department to confirm such condition and proceed to store the data currently being collected, exploited, analyzed and processed.
- In case where an enterprise collects, exploits, analyzes and/or processes additional Required Data, the enterprise is responsible for coordinating with the Cybersecurity Department to supplement the list of data that must be stored in Vietnam.
- Requirements that foreign enterprises must be aware when setting up their branches or representative offices in Vietnam
Together with the obligation on data storage, a foreign enterprise that provides the Applicable Services, upon the occurrence of Triggering Conditions, will be concurrently required by the request from the Minister of the MoPS to set up a branch or representative office in Vietnam. Decree 53 is silent on the purpose of this requirement. However, it seems that having branch or representative office in Vietnam will assist the foreign enterprise in having better cooperation with local authorities, at site in Vietnam, to deal with issues relating to its Regulated Data stored in Vietnam.
It is noted that in all cases, the branch or representative office must be set up by a foreign enterprise in Vietnam, as soon as possible within 12 months from receipt by the enterprise of the request from the Minister of the MoPS for setting up its branch or representative office in Vietnam.
It is further noted that a foreign enterprise is required to maintain its branch or representative office set up in Vietnam, for a period of time which starts from its receipt by the enterprise of the request from the Minister of the MoPS for setting up its branch or representative office in Vietnam, until the termination of that enterprise’s operation or business (i.e. cessation of provision of the Applicable Services) in Vietnam.
- Possible sanctions that enterprises should be aware
Enterprises that do not comply with provisions of the Law on Cybersecurity and Decree 53, will, depending on the nature and seriousness of their violations, be dealt with by separate legal documents.