Recently we prepared a special alert concerning the current draft decree governing the cybersecurity law that has caused so much controversy in the interwebs. One clause, the requirement for offshore companies to establish onshore domain hosting along with a branch/rep office, is particularly controversial.
Below I quote from our security alert on this issue, as there is now new guidance in a draft decree that will govern the Law on Cybersecurity. It is interesting to note that, instead of applying to all firms, the insistence on in-territory presence now requires previous bad behavior. So take a look.
As per Article 25.1 of the 2018 Draft, any enterprise, whether local or off-shore, which sufficiently meets the conditions as prescribed therein, shall conduct data storing and branch/representative office establishment in Vietnam. This regulation on data storing and branch/representative office establishment in Vietnam (the “Regulation”) has raised considerable concern in the community, since it tends to place certain obstacles in the way of technology integration and development for enterprises, especially off-shore enterprises.
This Regulation has been modified and clarified in the Latest 2019 Draft. Accordingly, as per Article 26.1 of the Latest 2019 Draft, the Regulation shall be applied as follows:
- Purpose of applying the Regulation:
The Regulation shall be applied for the purpose of protecting national security, social order and safety, social ethics and community health, not in all cases.
- Conditions for applying the Regulation:
The Regulation shall be applied when there is a legal basis to sufficiently determine the following 3 (three) elements:
- The enterprise provides one of the services as prescribed in Article 26.1(a) of the Latest 2019 Draft;
- The enterprise conducts activities of collecting, exploiting, analyzing and processing the prescribed types of data (as further explained in section (ii) below);
- The enterprise is warned that the services provided by it are used to commit a breach of the laws of Vietnam; and such enterprise does not take any proper measure for preventing, remedying or cooperating with competent agencies in handling such breach.
In other words, an enterprise will only be subject to the Regulation when there is a legal basis to determine all of the aforementioned conditions.
The Regulation, when applicable, shall be carried out only upon a request decision by the Minister of MPS. The Latest 2019 Draft also sets out the period for enterprises to implement the Regulation, which is 6 (six) months from the date of the decision of the Minister of MPS, according to Article 26.4(c) therein.
- Specific conduct to be taken:
Instead of stating generally that “Local and off-shore enterprises which sufficiently have the following conditions shall conduct data storing and branch/representative office establishment in Vietnam”, as prescribed in Article 25.1 of the 2018 Draft, the Latest 2019 Draft clarifies as follows, when all required conditions are met:
- Local enterprises are responsible for data storing; and
- Off-shore enterprises are responsible for data storing and branch/representative office establishment.