CYBERSECURITY LEGISLATION’S UPGRADE

The issuance of a new decree is deemed an important piece to complete the puzzle in terms of data protection in Vietnam. Dang The Duc and Thai Gia Han from Indochine Counsel point out the major highlights while also noting where some confusion or overlap may remain.

In October, Decree No.53/2022/ND-CP finally took effect. After waiting since the middle of 2018, the government of Vietnam finally issued the decree, detailing some articles of the Law on Cybersecurity following the last draft decree version released in August 2019.

In general, Decree 53 uses the same governing scope and structure as the last draft decree, including six chapters with 30 articles. A new schedule has been added, providing some templates to be used for the relevant procedures regulated in Decree 53. In comparison with the previous draft, certain revisions have been made to some defined terms under Article 2. For example, “service user” covers both organisations and individuals, but is only limited to those participating in using services in cyberspace, instead of participating in activities in cyberspace in general. Meanwhile, “Data generated by the service user in Vietnam” is limited to the prescribed data within the territory of the Socialist Republic of Vietnam.

The Department of Military Security Protection and the General Political Department are listed among the cybersecurity task forces (CTF), while definitions of “domestic enterprise” and “foreign enterprise” have been supplemented.

Article 16.1 in the 2019 version has been deleted, which stated that cybersecurity inspection is a technical method to be applied by administrators of information systems in their operation and use of such information systems. This, however, does not release the administrators of information systems from cybersecurity inspection obligations, since this obligation is still provided for under Article 17.2(a) of the Law on Cybersecurity.

Requesting deletion of unlawful or false information in cyberspace which infringes national security, social order and safety, or lawful rights and interests of agencies, organisations, and individuals, as noted in Article 19 of Decree 53, is another notable highlight.

Heads of agencies attached to the Ministry of Information and Communications have been added as competent agencies to apply this cybersecurity protection method, in addition to the director of the Department of Cybersecurity and Hi-tech Crime Prevention (DCHCP) under the Ministry of Public Security (MPS).

Furthermore, such agencies are also entitled to actively exchange and share information in respect of the implementation of this cybersecurity protection method, save for information which falls within the scope of state secrets or professional requests of the MPS.

Elsewhere, e-data has been officially defined as “information in the form of symbol, text, figure, image, sound, or similar forms”. This definition may yet yield confusion as it is the same as the definition of “data” in general provided under Article 4.20 of the draft amended Law on Electronic Transactions, which was released for public comments in May this year, if the draft amended law is adopted as-is.

Requirements on localisation

Information required to be stored in Vietnam includes three main types as previously provided in the last draft decree: data on the personal information of service users in Vietnam; data generated by service users in Vietnam; and data on the relationships of service users in Vietnam.

Wherein, the data generated by service users in Vietnam covers, among others, registered phone numbers attached to accounts used for utilising the service or attached to relevant data in general. In the previous draft, the relevant data was limited to only data about personal information.

Similar to the last draft, Decree 53 clearly requires that all domestic enterprises must store the prescribed data in Vietnam. Foreign enterprises will be subject to the requirement on data localisation and branch/representative office establishment if several conditions are all met.

First, the foreign enterprise has business operations in Vietnam which fall in the sectors as prescribed under Article 26.3(a) of Decree 53, which include telecom services; cloud storage; supply of national or international domain names to service users in Vietnam; e-commerce; online payments; intermediary payments; service of transport connection via cyberspace; social media; online electronic games; and services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.

Secondly, the services provided by the foreign enterprise are used for committing a breach of the laws as to cybersecurity; and the third condition is that such a foreign enterprise has been notified and requested in writing by the DCHCP under the MPS for cooperation in handling/preventing a breach, but fails to comply, fails to fully comply, or otherwise challenges any cybersecurity protection method applied by the CTF.

The condition of “having activities of collecting, exploiting, analysing, and processing” the prescribed data is no longer mentioned. However, this inclusion may find its way back as it has been stated as a prerequisite in Article 26.3 of the Law on Cybersecurity.

Concessions and impacts

The requirement for data localisation and establishment of a local presence has caused a great deal of concern since it was first released with the promulgation of the Law on Cybersecurity. Acknowledging this situation, the government appears to be making some concessions in Decree 53 by providing some flexibility in compliance with these requirements.

In particular, if unable to comply with the requirement due to force majeure events, foreign enterprises are entitled to notify the DCHCP under the MPS in writing about the same within three working days for inspection. In this case, the concerned foreign enterprise will be granted a period of 30 working days to seek remedial measures.

Enterprises are entitled to decide on the form of data storage within Vietnam. The time for compliance with requirement by foreign enterprises has been extended to 12 months instead of six only upon the date of a decision by the MPS minister on data storage and/or branch/representative office establishment.

Non-compliance will be subject to sanctions. However, as yet no specific regulation on applicable sanctions has been provided.

For data storage, instead of regulating specific storage periods for each type of the prescribed data, Decree 53 generally sets out a storage period which commences when the enterprise receives the MPS decision, and lasts until the request is terminated, with a minimum cap of two years.

For branch/representative office establishment, the applicable period commences when the enterprise receives the MPS decision and lasts until the enterprise no longer operates in Vietnam or the prescribed service is no longer provided in Vietnam.

After a long wait, administrators of information systems as well as domestic and offshore enterprises can finally understand the compliance requirements with certainty, which should ease the difficulty of adherence to the Law on Cybersecurity.

Most importantly, the subjects for which data localisation and branch/representative office establishment will be required have finally reached a relatively specific explanation. Accordingly, foreign enterprises with a high risk of being subject to this requirement can have some peace of mind, that is, until an MPS decision is submitted, there is no need to comply with the same requirements.

On the contrary, domestic enterprises have been further burdened as they all have to ensure compliance, but Decree 53 neither provides a specific deadline nor offers a specific grace period for them to finalise compliance efforts. It is recommended that such enterprises establish planning to respond appropriately should they receive a notice from the MPS, since the 12-month delay can be seen as a short time period for behemoth entities operating globally.

Source: VIR