What is Decree No. 53/2022/ND-CP about?
On 15 August 2022, the Government of Vietnam (GoV) issued Decree No. 53/2022/ND-CP elaborating several articles under the Law on Cybersecurity. The long-awaited decree was first released for public opinion on 31 October 2018, shortly following the signing of the Law on Cybersecurity 2018. The Decree comprises 30 articles under six chapters covering, among others, cybersecurity protection measures; critical information infrastructure (CII) for national security; storage of data and establishment of branch offices or representative offices in Vietnam; and procedures for establishing, monitoring, and violation handling related to cybersecurity measures. The Decree will take effect from 01 October 2022.
What does the Decree say about data localisation?
Requirements related to the storage of data in Vietnam (data localization) are stipulated in Article 26.3 of the Law on Cybersecurity 2018 and further elaborated in Articles 26 and 27, Chapter V of Decree 53/2022.
The Decree sets out requirements for data localisation on the grounds of protecting data sovereignty and creating a level playing field for foreign and domestic firms, as well as combating violations of cybersecurity laws and regulations (Article 8, Law on Cybersecurity).[1] While there is no stated objective in the Decree, the storage of data in Vietnam is supposed to facilitate the investigation and handling by the authority of infringements of national security, social order and safety, and the legitimate rights and benefits of agencies, organisations, and individuals in cyberspace. Based on this language, the requirement may cover a wide range of infringements at different levels of seriousness.
Specifically, Article 26.1 of Decree 53/2022 identifies three types of data to be stored in Vietnam ("Regulated Data"):
- Data on personal information of service users in Vietnam;
- Data generated by service users in Vietnam, including account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone number associated with the account or data ("user-generated data");
- Data on relationships of service users in Vietnam, including with friends and groups such users have connected or interacted with.
Who will be impacted by the data localisation requirements under Decree 53/2022?
Both domestic and foreign enterprises[2] are subject to data localisation requirements ("Regulated Entities") with different conditions. While all domestic enterprises are identified as Regulated Entities (Article 26.2), only a subset of foreign enterprises has been identified as Regulated Entities under Article 26.3 of the Decree if they meet all three criteria below:
- Foreign enterprises having business operations in Vietnam in one of the prescribed fields ("Regulated Services"), namely: telecommunications services; storage and sharing of data in cyberspace; provision of national or international domain names for service users in Vietnam; e-commerce; online payment; payment intermediaries; services of connection and transportation in cyberspace; social media and social communication; online games; other services related to the provision, management, or operation of information in cyberspace in the form of messages, calls, video calls, emails, online chat;
- Services provided by such foreign enterprises are used by others in violation of laws on cybersecurity, which has been notified in writing by the Department of Cybersecurity and Hi-tech Crime Prevention ("Department A05") of the Ministry of Public Security of Vietnam, with a request for cooperation, prevention, investigation, and handling; for example, online chat services that are used by malicious actors for online fraud; and
- Foreign enterprises that fail to comply or fail to adequately comply with the request of Department A05, or have actions so as to prevent, obstruct, disable, or nullify the effect of cybersecurity protection measures performed by cybersecurity protection forces.
What are the measures in place for Regulated Entities?
Domestic enterprises shall store the Regulated Data prescribed in Article 26.1 of the Decree in Vietnam. Foreign Regulated Entities are required to (i) store the Regulated Data in Vietnam in a form at their discretion, and (ii) establish branch offices or representative offices in Vietnam.
The time for data storage shall be stipulated in the request by the MPS, with a minimum timeframe of 24 months starting from receipt of the data storage request. The time for the establishment of branches or representative offices in Vietnam shall start when Foreign Regulated Entities receive the request for the establishment of branches or representative offices in Vietnam until such enterprises (i) terminate their operation in Vietnam or (ii) terminate the provision of Regulated Services in Vietnam.
These requirements on data storage and establishment must be completed within 12 months from the date of issuance of the decision by the Minister of Public Security of Vietnam ("MPS"). In case of inability to comply with regulations of laws on cybersecurity due to force majeure, Foreign Regulated Entities must notify A05 within 3 working days for verification of such force majeure. In such cases, enterprises will have 30 days to adopt remedial methods.
In case the data collected, utilised, analysed, and handled by Regulated Entities is either smaller or broader in scope than that stipulated in Article 26.1 of Decree 53/2022, such entities shall cooperate with Department A05 to update their list of data storage in Vietnam (Article 26.4 of Decree 53/2022).
What is its connection with other regulations on data governance in Vietnam?
Decree No. 53/2022/ND-CP is the first to be issued among the three much-expected guiding regulations in the cybersecurity and data protection area. The other two legislative documents are the Draft Decree on Personal Data Protection (first draft introduced on February 9, 2021) and the Draft Decree on Sanctions against Administrative Violations in Cybersecurity (first draft released on 20 September 2021). It is expected that the Draft Decree on Sanctions against Administrative Violations in Cybersecurity will also soon be adopted to further guide the implementation of the Law on Cybersecurity and Decree 53/2022/ND-CP.
What should e-commerce businesses be mindful of?
There have been some concerns about the scope of application of the Decree. For example, there have been some questions raised about covered entities under Article 26 of the Decree. While the coverage of Regulated is broad, via a long list of virtually all possible providers of telecommunications services, internet services and value-added services on cyberspace, it is unclear whether Article 26.3 of the Decree covers the category of data processors (i.e., service providers that process Regulated Data on behalf of another entity but whose services do not fall under the Regulated Services). Unlike the laws in other countries, like the European Union's General Data Protection Regulation (GDPR), the current Vietnamese legislation related to data protection does not differentiate between data controllers and data processors. The language of Article 26.3 of the Law on Cybersecurity seems to suggest a broad interpretation to cover services by all entities that "collect, analyse or process data", i.e., both data controllers and data processors.[3] Meanwhile, the Draft Decree on Personal Data Protection only has reference to "data processors" whose responsibilities seem to cover those of typical data controllers (i.e., the adoption of appropriate technical and organisational measures for personal data protection). In this context, more clarity will still be needed, either via a Circular by the Ministry of Public Security or through actual interpretation and application of the regulation by the authority.
Furthermore, Decree No. 53/2022 might imply significant compliance costs for foreign businesses that have business operations in the Regulated Services and risk falling within the Regulated Entities, especially small and medium enterprises that would lack the resources to comply with the requirements of the Decree. It is also unclear how the authority (Department A05) would contact the Foreign Regulated Entities (without a physical presence in Vietnam). In the meantime, service providers should embrace a cautious approach when working with Regulated Data to ensure that their data are not used for violations of laws on cybersecurity.
Footnotes
1. Ministry of Public Security (2018). Draft Decree detailing certain provisions of the Law on Cybersecurity. Online Portal of the Ministry of Public Security [Accessed 29 August 2022].
2. According to Articles 2.11 and 2.12 of Decree 53/2022, Domestic enterprises are enterprises established or registered for establishment according to Vietnamese laws and having their headquarters located in Vietnam; Foreign enterprises are enterprises established or registered for establishment according to laws of foreign countries.
3. Specifically, Article 26.3 of the Law on Cybersecurity 2018 stipulates that: "Domestic and foreign providers of telecommunications services, internet services and value-added services in Vietnam's cyberspace that collect, analyse or process personal information or data about relationships of their service users or data created by their service users in Vietnam shall retain such data for a specific period of time defined by the Government. Foreign enterprises mentioned in this Article shall open branches or representative offices in Vietnam."