Want to be in the loop?
subscribe to
our notification
Business News
CYBERSECURITY LEGISLATION’S UPGRADE
The issuance of a new decree is deemed an important piece to complete the puzzle in terms of data protection in Vietnam. Dang The Duc and Thai Gia Han from Indochine Counsel point out the major highlights while also noting where some confusion or overlap may remain.
In October, Decree No.53/2022/ND-CP finally took effect. After waiting since the middle of 2018, the government of Vietnam finally issued the decree, detailing some articles of the Law on Cybersecurity following the last draft decree version released in August 2019.
In general, Decree 53 uses the same governing scope and structure as the last draft decree, including six chapters with 30 articles. A new schedule has been added, providing some templates to be used for the relevant procedures regulated in Decree 53. In comparison with the previous draft, certain revisions have been made to some defined terms under Article 2. For example, “service user” covers both organisations and individuals, but is only limited to those participating in using services in cyberspace, instead of participating in activities in cyberspace in general. Meanwhile, “Data generated by the service user in Vietnam” is limited to the prescribed data within the territory of the Socialist Republic of Vietnam.
The Department of Military Security Protection and the General Political Department are listed among the cybersecurity task forces (CTF), while definitions of “domestic enterprise” and “foreign enterprise” have been supplemented.
Article 16.1 in the 2019 version has been deleted, which stated that cybersecurity inspection is a technical method to be applied by administrators of information systems in their operation and use of such information systems. This, however, does not release the administrators of information systems from cybersecurity inspection obligations, since this obligation is still provided for under Article 17.2(a) of the Law on Cybersecurity.
Requesting deletion of unlawful or false information in cyberspace which infringes national security, social order and safety, or lawful rights and interests of agencies, organisations, and individuals, as noted in Article 19 of Decree 53, is another notable highlight.
Heads of agencies attached to the Ministry of Information and Communications have been added as competent agencies to apply this cybersecurity protection method, in addition to the director of the Department of Cybersecurity and Hi-tech Crime Prevention (DCHCP) under the Ministry of Public Security (MPS).
Furthermore, such agencies are also entitled to actively exchange and share information in respect of the implementation of this cybersecurity protection method, save for information which falls within the scope of state secrets or professional requests of the MPS.
Elsewhere, e-data has been officially defined as “information in the form of symbol, text, figure, image, sound, or similar forms”. This definition may yet yield confusion as it is the same as the definition of “data” in general provided under Article 4.20 of the draft amended Law on Electronic Transactions, which was released for public comments in May this year, if the draft amended law is adopted as-is.
Requirements on localisation
Information required to be stored in Vietnam includes three main types as previously provided in the last draft decree: data on the personal information of service users in Vietnam; data generated by service users in Vietnam; and data on the relationships of service users in Vietnam.
Wherein, the data generated by service users in Vietnam covers, among others, registered phone numbers attached to accounts used for utilising the service or attached to relevant data in general. In the previous draft, the relevant data was limited to only data about personal information.
Similar to the last draft, Decree 53 clearly requires that all domestic enterprises must store the prescribed data in Vietnam. Foreign enterprises will be subject to the requirement on data localisation and branch/representative office establishment if several conditions are all met.
First, the foreign enterprise has business operations in Vietnam which fall in the sectors as prescribed under Article 26.3(a) of Decree 53, which include telecom services; cloud storage; supply of national or international domain names to service users in Vietnam; e-commerce; online payments; intermediary payments; service of transport connection via cyberspace; social media; online electronic games; and services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.
Secondly, the services provided by the foreign enterprise are used for committing a breach of the laws as to cybersecurity; and the third condition is that such a foreign enterprise has been notified and requested in writing by the DCHCP under the MPS for cooperation in handling/preventing a breach, but fails to comply, fails to fully comply, or otherwise challenges any cybersecurity protection method applied by the CTF.
The condition of “having activities of collecting, exploiting, analysing, and processing” the prescribed data is no longer mentioned. However, this inclusion may find its way back as it has been stated as a prerequisite in Article 26.3 of the Law on Cybersecurity.
Concessions and impacts
The requirement for data localisation and establishment of a local presence has caused a great deal of concern since it was first released with the promulgation of the Law on Cybersecurity. Acknowledging this situation, the government appears to be making some concessions in Decree 53 by providing some flexibility in compliance with these requirements.
In particular, if unable to comply with the requirement due to force majeure events, foreign enterprises are entitled to notify the DCHCP under the MPS in writing about the same within three working days for inspection. In this case, the concerned foreign enterprise will be granted a period of 30 working days to seek remedial measures.
Enterprises are entitled to decide on the form of data storage within Vietnam. The time for compliance with requirement by foreign enterprises has been extended to 12 months instead of six only upon the date of a decision by the MPS minister on data storage and/or branch/representative office establishment.
Non-compliance will be subject to sanctions. However, as yet no specific regulation on applicable sanctions has been provided.
For data storage, instead of regulating specific storage periods for each type of the prescribed data, Decree 53 generally sets out a storage period which commences when the enterprise receives the MPS decision, and lasts until the request is terminated, with a minimum cap of two years.
For branch/representative office establishment, the applicable period commences when the enterprise receives the MPS decision and lasts until the enterprise no longer operates in Vietnam or the prescribed service is no longer provided in Vietnam.
After a long wait, administrators of information systems as well as domestic and offshore enterprises can finally understand the compliance requirements with certainty, which should ease the difficulty of adherence to the Law on Cybersecurity.
Most importantly, the subjects for which data localisation and branch/representative office establishment will be required have finally reached a relatively specific explanation. Accordingly, foreign enterprises with a high risk of being subject to this requirement can have some peace of mind, that is, until an MPS decision is submitted, there is no need to comply with the same requirements.
On the contrary, domestic enterprises have been further burdened as they all have to ensure compliance, but Decree 53 neither provides a specific deadline nor offers a specific grace period for them to finalise compliance efforts. It is recommended that such enterprises establish planning to respond appropriately should they receive a notice from the MPS, since the 12-month delay can be seen as a short time period for behemoth entities operating globally.
Source: VIR
Related News
VIETNAM’S GDP TO GROW 5.5% THIS YEAR – WB
This forecast is based on the assumption of a moderate recovery in manufacturing exports in 2024, fueled by rebound growth of 8.5% year-on-year in the fourth quarter of 2023 and 17.2% year-on-year in the first quarter of 2024, reflecting strengthening global demand, said Dorsati Madani, senior country economist at the WB in Vietnam.
FARE REFUND FOR VISA REJECTION
Cathay Pacific will offer full refunds for cases of visa rejection to provide you with the confidence to explore the world with ease. If you are planning to fly to a destination that requires an entry visa, you can now book with greater peace of mind.
FOUR COMMODITIES POST Q1 EXPORT VALUE OF OVER 5 BILLION USD
The total export turnover of agricultural, forestry, and fisheries products in the first three months of 2024 is estimated to reach 13.53 billion USD, an increase of 21.8% compared to the same period of 2023.
MOIT PROPOSES SCHEME TO BOOST RENEWABLE ENERGY PROCUREMENT
The proposed Direct Power Purchase Agreement (DDPA) mechanism, outlined in the draft decree, targets organisations and individuals consuming electricity from the 22kV power grid or higher, with a monthly consumption averaging 500,000kWh. However, residential households are excluded from direct procurement.
REAL ESTATE BONDS PLACE PRESSURE ON ISSUING FIRMS
The ministry’s recent report underscores concerns within Vietnam’s corporate bond market for 2023 and 2024. It emphasizes the critical need to address hindrances to the real estate sector in line with the objectives provided in Government Resolution No. 33/NQ-CP, which aims to stabilize the industry.
DA NANG CUSTOMS FOCUSES ON DEVELOPING CUSTOMS-BUSINESS PARTNERSHIPS
Da Nang Customs Department issued an action plan for developing customs-business partnership in 2024. One of the new events this year is the workshop on “Settlement reports for enterprises engaged in outsourcing, export production and export processing” held in Da Nang Customs Department on April 16, 2024.