Want to be in the loop?
subscribe to
our notification
Business News
CYBERSECURITY LEGISLATION’S UPGRADE
The issuance of a new decree is deemed an important piece to complete the puzzle in terms of data protection in Vietnam. Dang The Duc and Thai Gia Han from Indochine Counsel point out the major highlights while also noting where some confusion or overlap may remain.
In October, Decree No.53/2022/ND-CP finally took effect. After waiting since the middle of 2018, the government of Vietnam finally issued the decree, detailing some articles of the Law on Cybersecurity following the last draft decree version released in August 2019.
In general, Decree 53 uses the same governing scope and structure as the last draft decree, including six chapters with 30 articles. A new schedule has been added, providing some templates to be used for the relevant procedures regulated in Decree 53. In comparison with the previous draft, certain revisions have been made to some defined terms under Article 2. For example, “service user” covers both organisations and individuals, but is only limited to those participating in using services in cyberspace, instead of participating in activities in cyberspace in general. Meanwhile, “Data generated by the service user in Vietnam” is limited to the prescribed data within the territory of the Socialist Republic of Vietnam.
The Department of Military Security Protection and the General Political Department are listed among the cybersecurity task forces (CTF), while definitions of “domestic enterprise” and “foreign enterprise” have been supplemented.
Article 16.1 in the 2019 version has been deleted, which stated that cybersecurity inspection is a technical method to be applied by administrators of information systems in their operation and use of such information systems. This, however, does not release the administrators of information systems from cybersecurity inspection obligations, since this obligation is still provided for under Article 17.2(a) of the Law on Cybersecurity.
Requesting deletion of unlawful or false information in cyberspace which infringes national security, social order and safety, or lawful rights and interests of agencies, organisations, and individuals, as noted in Article 19 of Decree 53, is another notable highlight.
Heads of agencies attached to the Ministry of Information and Communications have been added as competent agencies to apply this cybersecurity protection method, in addition to the director of the Department of Cybersecurity and Hi-tech Crime Prevention (DCHCP) under the Ministry of Public Security (MPS).
Furthermore, such agencies are also entitled to actively exchange and share information in respect of the implementation of this cybersecurity protection method, save for information which falls within the scope of state secrets or professional requests of the MPS.
Elsewhere, e-data has been officially defined as “information in the form of symbol, text, figure, image, sound, or similar forms”. This definition may yet yield confusion as it is the same as the definition of “data” in general provided under Article 4.20 of the draft amended Law on Electronic Transactions, which was released for public comments in May this year, if the draft amended law is adopted as-is.
Requirements on localisation
Information required to be stored in Vietnam includes three main types as previously provided in the last draft decree: data on the personal information of service users in Vietnam; data generated by service users in Vietnam; and data on the relationships of service users in Vietnam.
Wherein, the data generated by service users in Vietnam covers, among others, registered phone numbers attached to accounts used for utilising the service or attached to relevant data in general. In the previous draft, the relevant data was limited to only data about personal information.
Similar to the last draft, Decree 53 clearly requires that all domestic enterprises must store the prescribed data in Vietnam. Foreign enterprises will be subject to the requirement on data localisation and branch/representative office establishment if several conditions are all met.
First, the foreign enterprise has business operations in Vietnam which fall in the sectors as prescribed under Article 26.3(a) of Decree 53, which include telecom services; cloud storage; supply of national or international domain names to service users in Vietnam; e-commerce; online payments; intermediary payments; service of transport connection via cyberspace; social media; online electronic games; and services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.
Secondly, the services provided by the foreign enterprise are used for committing a breach of the laws as to cybersecurity; and the third condition is that such a foreign enterprise has been notified and requested in writing by the DCHCP under the MPS for cooperation in handling/preventing a breach, but fails to comply, fails to fully comply, or otherwise challenges any cybersecurity protection method applied by the CTF.
The condition of “having activities of collecting, exploiting, analysing, and processing” the prescribed data is no longer mentioned. However, this inclusion may find its way back as it has been stated as a prerequisite in Article 26.3 of the Law on Cybersecurity.
Concessions and impacts
The requirement for data localisation and establishment of a local presence has caused a great deal of concern since it was first released with the promulgation of the Law on Cybersecurity. Acknowledging this situation, the government appears to be making some concessions in Decree 53 by providing some flexibility in compliance with these requirements.
In particular, if unable to comply with the requirement due to force majeure events, foreign enterprises are entitled to notify the DCHCP under the MPS in writing about the same within three working days for inspection. In this case, the concerned foreign enterprise will be granted a period of 30 working days to seek remedial measures.
Enterprises are entitled to decide on the form of data storage within Vietnam. The time for compliance with requirement by foreign enterprises has been extended to 12 months instead of six only upon the date of a decision by the MPS minister on data storage and/or branch/representative office establishment.
Non-compliance will be subject to sanctions. However, as yet no specific regulation on applicable sanctions has been provided.
For data storage, instead of regulating specific storage periods for each type of the prescribed data, Decree 53 generally sets out a storage period which commences when the enterprise receives the MPS decision, and lasts until the request is terminated, with a minimum cap of two years.
For branch/representative office establishment, the applicable period commences when the enterprise receives the MPS decision and lasts until the enterprise no longer operates in Vietnam or the prescribed service is no longer provided in Vietnam.
After a long wait, administrators of information systems as well as domestic and offshore enterprises can finally understand the compliance requirements with certainty, which should ease the difficulty of adherence to the Law on Cybersecurity.
Most importantly, the subjects for which data localisation and branch/representative office establishment will be required have finally reached a relatively specific explanation. Accordingly, foreign enterprises with a high risk of being subject to this requirement can have some peace of mind, that is, until an MPS decision is submitted, there is no need to comply with the same requirements.
On the contrary, domestic enterprises have been further burdened as they all have to ensure compliance, but Decree 53 neither provides a specific deadline nor offers a specific grace period for them to finalise compliance efforts. It is recommended that such enterprises establish planning to respond appropriately should they receive a notice from the MPS, since the 12-month delay can be seen as a short time period for behemoth entities operating globally.
Source: VIR
Related News
![Card image cap](/uploads/Logo/Cathay%20%281%29.jpg)
ONE-TIME OFFER: COMPLEMENTARY CATHAY PACIFIC LOUNGE PASS
Begin your trip on the right note in Cathay Pacific’s first-ever ferry lounge, located at Shenzhen’s Shekou Cruise home port. Situated at the end of the pier, the ferry lounge offers a breathtaking 270-degree view of the sea. You can immerse yourself in sheer luxury and revel in the panoramic beauty. Catch a glimpse of Hong Kong in the distance.
![Card image cap](/uploads/news/Industrial%20Zone.jpg)
VIỆT NAM TARGETS FULL MOBILE BROADBAND COVERAGE ON HIGHWAYS, INDUSTRIAL ZONES BY 2025
By 2025, Việt Nam aims to achieve one hundred per cent mobile broadband coverage on all national highways, expressways and railways under a plan to enhance the quality of Việt Nam’s mobile telecommunications network by 2025, which has been approved by the Ministry of Information and Communications (MIC).
![Card image cap](/uploads/news/Investment6.jpg)
VIETNAM ONE OF FASTEST-GROWING E-COMMERCE MARKETS IN SOUTHEAST ASIA
The report released on July 16 highlighted that the total GMV of Southeast Asia’s eight leading e-commerce platforms rose to $114.6 billion in 2023, up 15 per cent from 2022. The key drivers for the region's e-commerce GMV expansion in 2023 are Vietnam and Thailand, growing 52.9 per cent and 34.1 per cent on-year, respectively.
![Card image cap](/uploads/news/Security.jpg)
2025 PIVOTAL FOR STOCK MARKET UPGRADE EFFORT
The Ministry of Finance (MoF) is expected to soon publish the entire content of the draft circular amending and supplementing four circulars on transactions, registration, depository, and clearing, as well as operations of securities companies and information disclosure. This move, along with feedback and explanations, aims to meet the criteria for upgrading Vietnam’s stock market.
![Card image cap](/uploads/news/bn-01.jpg)
VIETNAM INTENSIFIES E-COMMERCE TAX SCRUTINY
The department plans to offer guidance for and hold direct dialogues with e-commerce taxpayers to ensure compliance. Efforts will also include updating the e-commerce database, conducting risk analysis, and leveraging artificial intelligence (AI) to manage data and issue alerts.
![Card image cap](/uploads/news/eco2.jpg)
FOOTWEAR EXPORTS SEEN REACHING US$27 BILLION THIS YEAR
This optimistic forecast reflects the industry’s efforts to expand and diversify its markets. Lefaso indicated that Vietnam’s footwear sector will concentrate on traditional markets like the U.S. and the European Union, alongside markets with free trade agreements to maximize opportunities.