The Government of Vietnam issued Decree 53/2022/ND-CP dated 15 August 2022 (“Decree 53”) detailing a number of articles in Vietnam’s Law on Cybersecurity (2018) which took effect as from 1 January 2019 (“Law on Cybersecurity”). As with most laws in Vietnam, decrees, circulars and other subordinate legislation provide more detailed information, forms, and other guidelines to help implement the law in an efficient manner. Decree 53 will take effect as from 1 October 2022.
Decree 53 is part of a set of guiding legislation announced in the Law on Cybersecurity that was intended to address provisions in the Law on Cybersecurity that required more detail. Draft decrees intended to guide other provisions in the Law on Cybersecurity are also expected to be issued, such as the draft decree on personal data protection (“PDP Decree”) and the draft decree on sanctions against administrative violations in cybersecurity.
In this case, Decree 53 details provisions with respect to Article 26 of the Law on Cybersecurity, which covers: (i) the localization of certain data in Vietnam; and (ii) the type of information that should not be uploaded to cyberspace and therefore must be taken down.
Data Localization
Prior to the issuance of Decree 53 it was not clear who would be subject to this data localization requirement, what data was intended to be captured, how it was to be stored, who could store the data and for what duration. By way of example, Article 26.3 of the Law on Cybersecurity provides that “Foreign Enterprises (defined below) referred to in this clause must have branches or representative offices in Vietnam”. Did that mean the law would only apply to those Foreign Enterprises that already had branches or representative offices in Vietnam? That would align with Foreign Enterprises that had subsidiaries established in Vietnam. Or would it require a Foreign Enterprise to establish a branch or representative office only if and when it was subject to the Law on Cybersecurity?
Illegal Information Takedown
Information in cyberspace that was deemed to be in violation of the Law on Cybersecurity was already detailed in Article 16 of the Law on Cybersecurity. However, Article 26 of the Law on Cybersecurity lacked the necessary enforcement criteria and procedures that Decree 53 was intended to supply. While Article 26 of the Law on Cybersecurity did provide a window of 24 hours for offenders to delete the violating information, it left open the questions of what form of notice would be provided, how long data system logs would need to be saved with respect to such violation, what consequences would be applied to the violating entity, who could inform authorities of violating content, and what redress would be available if the authorities made an incorrect assessment and caused loss to the entity. Decree 53 does address some of these questions and concerns but not fully, still leaving uncertainty and more questions that need to be answered.
Unfortunately, it seems that Decree 53, while addressing some uncertainties in the Law on Cybersecurity, also generated additional questions and issues.
Below, we summarize the highlights and the issues pertaining to both data localization requirements and illegal information takedown procedures as set out in Decree 53.
1. DATA LOCALISATION
WHO IS SUBJECT TO THIS REQUIREMENT (“CAPTURED SUBJECTS”)?
- Vietnam enterprises (“Vietnam Enterprises”), which include both domestically established companies and foreign invested enterprises (“FIEs”) established in Vietnam, which provide services on a telecommunications network, the internet and value-added services in cyberspace in Vietnam.
- Foreign Enterprises, meaning those companies that are established under foreign laws outside Vietnam and provide certain services (see below) into Vietnam on a cross-border basis (“Foreign Enterprises”). Existing representative offices and branches of Foreign Enterprises are not subject to this localization requirement.
Note: The exclusion of existing representative offices and branches of Foreign Enterprises has caused some confusion for investors as this issue was already vague under the Law on Cybersecurity, as mentioned above. For example, a Foreign Enterprise which operates a bank or insurance business in Vietnam via a wholly owned subsidiary would be subject to this requirement if the conditions are satisfied, but a Foreign Enterprise that operates its banking or insurance business via a branch office in Vietnam would not be subject to this requirement. This uneven application of the law still needs to be addressed.
WHAT DATA IS COVERED?
Decree 53 pertains only to certain data that must be localized (“Regulated Data”), being:
- Personal Data of service users in Vietnam;
- User-generated data in Vietnam (i.e., service user account names, time of service use, credit card information, email address, network address (IP) of most recent login/logout, registered phone number for the account or data); and
- Relationship data of service users in Vietnam with foreign and domestic entities doing business in Vietnam (i.e., friends and groups with whom service users connect and/or interact).
Note: Although Decree 53 does attempt to define certain terms such as “Personal Data” (information in the form of symbols, letters, digits, visuals, audio, or similar forms that can be used to identify an individual) and “Service Users” (organizations and individuals participating in the use of cyberspace services), the definitions provided are still very broad. For example, “Personal Data” may include sensitive data that will be required to be registered with the Personal Data Protection Committee (“PDPC”) once the PDP Decree is issued. It is unclear how such information can be registered with the PDPC for storage while also being required to be stored in a data storage facility in Vietnam under Decree 53. Once the PDP Decree is issued some of these defined terms may become clearer as the PDP Decree is also expected to define “data processor” and “data user” as well.
WHEN MUST A CAPTURED SUBJECT COMPLY?
Vietnam Enterprises (including FIEs), which are Captured Subjects, must begin to store all Regulated Data in Vietnam as from 1 October 2022.
Foreign Enterprises that provide cross-border services into Vietnam in any one or more of the below 10 sectors (the “Regulated Services”):
1. Telecom services;
2. Store and share data in cyberspace;
3. Provide national or international domain names to service users in Vietnam;
4. E-Commerce;
5. Online Payment services;
6. Payment intermediaries;
7. Cyberspace transport connectivity service;
8. Social networks and social media;
9. Online video games; and
10. Providing, managing or operating other cyberspace information in the form of emails, messages, phone calls, video calls, or online chat.
A Foreign Enterprise, which is then a Captured Subject, must comply with the data localization requirements applicable to a Foreign Enterprise once it has been issued a written warning by the Department of Cybersecurity and Prevention of High-Tech Crime under Vietnam’s Ministry of Public Security (“DCPHTC”) stipulating that the Foreign Enterprise’s Regulated Services were used to commit a violation of the Law on Cybersecurity, and such Foreign Enterprise (i) failed to comply or inadequately complied with the DCPHTC warning; or (ii) resisted, obstructed, or disabled cybersecurity measures applied by DCPHTC’s specialized task force for cybersecurity protection. Such Foreign Enterprise must then follow the required data localization procedures (see below).
WHAT ARE THE PROCEDURES FOR A FOREIGN ENTERPRISE REQUIRED TO LOCALISE ITS DATA IN VIETNAM?
- In the event the Foreign Enterprise has been determined to be in breach of the Law on Cybersecurity as per the above mentioned criteria, Vietnam’s Ministry of Public Security (“MPS”) will issue a written decision to the Foreign Enterprise directing it to locally store its Regulated Data in Vietnam and establish either a branch or representative office in Vietnam (if the Foreign Enterprise does not already operate a branch or representative office in Vietnam).
- The Foreign Enterprise will then have 12 months from the date of the MPS decision to both establish its branch or representative office (if it does not have one) and localize its Regulated Data in Vietnam.
Note: The Regulated Services contain sector descriptions that are extremely broad and could potentially cover the activities of almost every entity doing business in Vietnam. For example, the term “E-commerce” could arguably extend to the use of email by any business. However, other commentators point out that Decree 53 should be interpreted in the context of the Law on Cybersecurity, which it was intended to implement. Under Article 26 of the Law on Cybersecurity, the provision not only mentions the provision of the Regulated Services but also provides that the Foreign Enterprise must “engage in the collection, exploitation, analysis, [or] processing of data related to service users in Vietnam”. This qualification seems to imply that the Regulated Service must be a primary or core business of the Foreign Enterprise rather than just an ancillary practice or means of operation. Such interpretation would then limit the scope of Foreign Enterprises that might be subject to this requirement, but further guidance or application in practice will determine if this is correct.
HOW LONG MUST THE REGULATED DATA BE STORED IN VIETNAM?
Vietnam Enterprises (including FIEs), which are Captured Subjects, have a continuing obligation to store their Regulated Data in Vietnam.
Foreign Enterprises that become Captured Subjects must then store their Regulated Data locally in Vietnam for a minimum of 24 months and provide system logs to the MPS investigation team for a minimum of 12 months. The Foreign Enterprise may terminate its branch or representative office in Vietnam if it no longer operates in Vietnam or no longer provides the Regulated Services in Vietnam.
WHO WILL STORE THE REGULATED DATA IN VIETNAM?
Captured Subjects may choose the form of data storage in Vietnam. Decree 53 does not specify the criteria for a data storage provider, which implies that the data storage provider may be a domestic company or an FIE.
Neither the Law on Cybersecurity nor Decree 53 contains any express prohibition restricting a Foreign Enterprise that has become a Captured Subject from simultaneously keeping a “mirror” copy of its Regulated Data stored offshore as well.
Note: Captured Subjects must cooperate with DCPHTC regarding on-going verification and confirmation of locally stored Regulated Data to ensure compliance and completeness.
2. ILLEGAL INFORMATION TAKEDOWN
WHAT IS ILLEGAL CYBERSPACE CONTENT?
Article 19.1 of Decree 53 provides that illegal content is as follows:
- Content that infringes on the national security, involves insults or slander, violates economic management order;
- Content that fabricates, distorts facts and causes fear among the public and inflicts serious damage to socio-economic activities;
- Content that distorts Vietnam’s history, denies revolutionary achievements, destroys national solidarity, discriminates against religion, gender or race;
- Content related to prostitution, social evils, human trafficking, depraved, lewd or criminal publications;
- Content that destroys Vietnam traditions and customs, social ethics and public health; and
- Content that incites, entices or activates others to commit crimes.
WHAT IS THE ILLEGAL CONTENT TAKEDOWN PROCESS?
- Any of the cybersecurity task forces, comprised of: (a) the DCPHTC (social welfare and order violations); and (b) the Military Security Protection Department, the General Political Department, and the Cyber Command all under the Ministry of National Defense (national security violations) may (i) issue a takedown request to the Captured Subject providing telecom services, internet services, cyberspace content services, telecom value-added services, and owners of the relevant information system; (ii) check to determine if such entities have complied with said request; and (iii) share such information on the outcome of takedown action with other relevant authorities.
Note: There is no guidance in Decree 53 as to how to report violating content to the cybersecurity task forces.
HOW TO COMPLY WITH A TAKEDOWN REQUEST?
- The MPS may suspend or terminate information systems that are used for illegal purposes on national security and cybersecurity grounds pursuant to a written decision issued by the MPS.
- In emergency situations, the MPS may issue an email or fax request to the concerned entities to terminate or suspend operation of the information system. However, if that request is not followed up with a written decision of MPS (noted above) within 24 hours, the information systems may resume operation.
- If the termination or suspension of the information system does not have valid grounds, the relevant authority must take responsibility and compensate for damage/losses suffered by the information system.
Note: Nothing in Decree 53 mentions how to file a claim for damages against the relevant authority, what is required to prove loss or damages, how compensation will be made, and what process is available to dispute the compensation amount.
3. OTHER ISSUES DETAILED UNDER DECREE 53
- Information systems critical to the national security;
- Cybersecurity requirements for information systems critical to national security;
- Procedures and protocol for assessing, inspecting and monitoring information systems critical to national security;
- Procedures and protocol for responding to a cybersecurity incident;
- Procedures and protocol for implementing cryptography to protect network information;
- Collection of electronic data relating to illegal activities in cyberspace; and
- Guidance for cybersecurity protection plans within state agencies and political institutions at local and central level.
4. WHAT ARE THE KEY ACTIONS THAT SHOULD BE CONSIDERED NOW?
- Vietnam Enterprises, including FIEs, which are Captured Subjects, should identify their Regulated Data and plan for localizing their Regulated Data by 1 October 2022;
- Foreign Enterprises which may be Captured Subjects are not required to do anything immediately but should review their internal policies and procedures related to data collection and storage and formulate a plan to establish a branch or representative office if and when required by MPS under this Decree 53 (see above), noting that 12 months is generally more than sufficient time to establish a branch or representative office in Vietnam;
- Participate in conferences and webinars sponsored by various business chambers and forums in Vietnam to stay informed of the most recent developments with respect to Decree 53 and other Law on Cybersecurity implementing decrees that are likely to be issued in the near future.