Despite the fact that the promulgation of Decree 53 on the implementation of the cybersecurity law is verging on old news, I wanted to share the information prepared by our firm here because it is an extremely important development in the sphere of cybersecurity in Vietnam. Dang The Duc and Thai Gia Han prepared the original brief that can be found here. I have emphasized some sections and added my thoughts as well, specifically in relation to the new scheme for data localization in Vietnam.
Long-awaited Decree Implementing the Cybersecurity Law Finalized at Last
By Dang The Duc and Thai Gia Han (annotated by Steven Jacob)
After the initial promulgation of the Law on Cybersecurity No. 24/2018/QH14 (the “Cybersecurity Law”) in the middle of 2018, which appeared to impose a strict requirement for data localization in Vietnam, the government of Vietnam has toyed with rolling back the onerous letter of the law. For a year, the Government released two different versions of an implementation decree for the Cybersecurity Law. The second of those, issued in August 2019 (the “Last Draft Decree”), left the Ministry of Public Security options as to how it wanted to treat certain provisions of the Cybersecurity Law and, specifically, the data localization requirement. Then, last month, the government finally issued an officially adopted and promulgated implementation decree. Decree No. 53/2022/ND-CP dated 15 August 2022 (“Decree 53”) details articles of the Cybersecurity Law and takes effect, with little leeway for foot dragging, on 1 October 2022. This article will review some of the important provisions of Decree 53.
Official “shape” of Decree 53
In general, Decree 53 comprises six chapters with 30 articles. A new schedule has been attached which provides templates that are required for applications legislated in the decree itself.
While Decree 53 contains a number of definitions, a handful that are most relevant include:
- “service user” used to apply to any person participating in cyberspace. Now it covers organizations and individuals who use services in cyberspace, a narrowing of the application subjects of Decree 53;
- “data generated by a service user in Vietnam” is limited to Prescribed Data (defined below) whose source lies within the territory of the Socialist Republic of Vietnam;
- “cybersecurity task force” (“CTF”) includes the Department of Military Security Protection and the General Political Department; and
- Definitions of “domestic enterprise” and “foreign enterprise” have been supplemented.
Cybersecurity inspection obligation (Article 16, Decree 53)
Decree 53 no longer states that cybersecurity inspections are technical methods to be applied by administrators of information systems in their operation and use of such information systems. Despite this exception, administrators remain liable due to the basic hierarchy of legislation which provides that where a specialized law is silent, the general law will apply. In this case, Article 17.2(a) of the Cybersecurity Law governs.
Deletion of unlawful or false information in cyberspace (Article 19, Decree 53)
Finding its roots in the Cybersecurity Law, Decree 53 requires service providers to delete data which infringes national security, social order and safety, or lawful rights and interests of agencies, organizations and individuals.
The heads of competent agencies attached to the Ministry of Information and Communications (“MOIC”) are now additional competent agencies allowed to apply this cybersecurity protection method, in addition to the Director of the Department of Cybersecurity and Hi-tech Crime Prevention (the “DCHCP”) under the Ministry of Public Security (the “MPS”). Moreover, the MOIC, DCHCP, and MPS are all entitled to actively exchange and share information in respect of its implementation, save for information which falls within the scope of State secrets or professional requests of the MPS. Finally, the CTF under the Ministry of Defense has the responsibility for application of cybersecurity protection methods in relation to military information systems.
Requirements on data localization and branch/representative office establishment
Types of information to be stored
Information required to be stored in Vietnam comprises three main types, namely: (i) personal information of service users in Vietnam; (ii) data generated by service users in Vietnam; and (iii) data regarding the relationships of service users in Vietnam (the “Prescribed Data”). Data generated by service users in Vietnam includes registered phone numbers attached to accounts used for utilizing the service or attached to relevant data [in general].
Enterprises and services subject to the requirements
Decree 53 clearly requires that all domestic enterprises, which includes joint ventures and wholly Vietnamese owned enterprises, must store the Prescribed Data within the territory of Vietnam.
Foreign enterprises who provide services that collect data will be subject to the requirement on data localization and the establishment of a branch / representative office (the “Requirement”) if the following conditions are all met:
- The foreign enterprise has business operations in Vietnam which fall in the sectors as prescribed under Article 26.3(a) of Decree 53, which include: (i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat;
- The services provided by the foreign enterprise are used for committing a breach of the laws as to cybersecurity; and
- Such foreign enterprise has been informed and requested in writing by the DCHCP under the MPS for cooperation in handling / preventing such breach, but fails to comply, fails to fully comply, or otherwise challenges any cybersecurity protection method applied by the CTF.
One additional condition which remains applicable as a provision of the Cybersecurity Law is that of “having activities of collecting, exploiting, analyzing and processing” the Prescribed Data, which expands the reach of the Requirement to include information from third parties that may be used by foreign enterprises.
Concessions by the Government
The requirement for data localization and establishment of a local presence has caused a great deal of concern since it was first released with the promulgation of the Cybersecurity Law. Acknowledging this situation, the Government appears to be making some concessions in Decree 53 by providing some flexibility in compliance with these requirements. In particular:
- If unable to comply with the Requirement due to force majeure events, foreign enterprises are entitled to notify the DCHCP under the MPS in writing within three working days for inspection. In this case, the concerned foreign enterprise will be granted a period of 30 working days to enact remedial measures;
- Enterprises are entitled to decide on the form of data storage within Vietnam; and
- Time for compliance with the Requirement by foreign enterprises has been extended to 12 months from the date of a decision by the MPS Minister on data storage and/or branch/representative office establishment (the “MPS Decision”) for that enterprise.
Non-compliance will be subject to sanctions. However, no specific regulation on applicable sanctions has been provided.
Required period of storing data and maintaining a branch/representative office
For data storage, instead of regulating specific storage periods for each type of Prescribed Data, Decree 53 generally sets out a storage period which commences when the enterprise receives the MPS Decision, and lasts until the request is terminated, with a minimum floor of twenty-four (24) months.
For branch/representative office establishment, the applicable period commences when the enterprise receives the MPS Decision and lasts until the enterprise no longer operates in Vietnam or the prescribed service is no longer provided in Vietnam.
For four years, foreign enterprises have consistently inquired as to the data localization requirements under the Cybersecurity Law. Interpretations have varied considerably, from a requirement that all foreign enterprises must store all data within the territory of Vietnam to lesser interpretations which considered types of data and requirements from the MPS. The two draft decrees that saw the light of day in the interstices did little to relieve concerns.
Only with Decree 53 has the government finally provided clarity on what requirements will be imposed on foreign enterprises. No longer is the law as open ended and broad as assumed under the Cybersecurity Law. Rather, it applies only to foreign enterprises who are uncooperative with specific government agencies. Even then, they will have 12 months to relocate their data and open a branch or representative office.
Despite the solidifying of the requirements, Decree 53 stings. It in effect creates a long arm which can reach foreign enterprises trying to provide services or access the Vietnam market. While it is uncertain whether the authorities will have the power to deny nationwide access to delinquent foreign enterprises, the specter of such a penalty does exist. No Great Wall, this may prove to be the next best thing as it will allow the authorities to take action against foreign enterprises publishing or posting information that is “undesirable” to the government. But hey, at least they’ll get 12 months.