INSIGHT

Vietnam issues new guidance on data localisation requirement

By Linh Bui, Hien Nguyen, Ngan Tran, Anh Duong
Data & Privacy Vietnam

Vietnamese and foreign businesses take note 7 min read

More than three years after the Cybersecurity Law came into force, Vietnam's Government has finally issued guidance for its implementation under Decree No. 53/2022/ND-CP (Decree 53) which will come into effect on 1 October 2022. The decree provides for long-awaited clarifications on the data localisation requirement.

In this Insight we examine this requirement and its implications for Vietnamese and foreign businesses.

Key takeaways

  • Vietnamese enterprises in certain sectors must comply with the data localisation requirement on an ongoing basis.
  • Foreign enterprises providing certain services into Vietnam will need to comply with the data localisation requirement upon the written request of the Minister of Public Security if a violation of cybersecurity laws has occurred using their services but has not been remedied.
  • The scope of sectors and services that may be captured by the above requirements is quite broad and it remains to be seen how the authorities will apply it in practice.
  • Data that must be stored in Vietnam may extend beyond the traditionally classified personal data. Enterprises may decide the method for storing data in Vietnam and may concurrently store data offshore – though this is not entirely clear under the law. The retention period is set at a minimum of 24 months.
  • Agencies under the Ministry of Public Security and Ministry of National Defence are authorised to enforce cybersecurity regulations, and will be required to follow procedures set out in Decree 53 for taking enforcement actions.

Who in your organisation needs to know about this?

Legal, risk and compliance and IT teams should be aware of the detailed guidelines under Decree 53, especially where it concerns the place of storing the captured data.

Enterprises subject to the data localisation requirement

The Cybersecurity Law (please see our Insight: Vietnam issues a stringent new cybersecurity law)  provides that 'foreign and domestic enterprises when providing services on a telecommunication network, the Internet and value-added services in cyberspace in Vietnam' (captured enterprises) must store users' personal information data, data of users' relationship or data created by users (captured data) in Vietnam for a duration to be set by the Government if they collect, exploit, analyse or process such data.

Decree 53 has clarified the scope of the captured enterprises.

Treatment of Vietnamese enterprises

The data localisation requirement applies to Vietnamese enterprises that are established under Vietnamese laws and conduct any of the following services in Vietnam:

  1. telecommunication services;
  2. telecommunication-based application services (which is generally defined under the Law on Telecommunications as using telecom transmission lines or networks to provide services in any field);
  3. value-added telecommunication services (including email service, voicemail service, fax service, and internet access service);
  4. internet services; and
  5. over-the-top content services on the internet.

The above categories of services are quite broad, and it remains to be seen how Vietnamese authorities will define their scope in practice. Especially with respect to category (2), it is unclear as to whether the legislator's intention is to capture (a) services that are solely or primarily supplied via the network (eg e-commerce or internet banking services), or (b) any service that utilises the telecom network in the course of its conduct (eg any service provider that uses emails to communicate with its customers).

Decree 53 refers to 'local enterprises', which includes foreign-owned or foreign-invested companies, but would exclude branches and representative offices of foreign companies in Vietnam.

A captured local enterprise will be required to comply with the data localisation requirement as discussed below during its existence.

Treatment of foreign enterprises

Decree 53 provides that a foreign enterprise providing certain services into Vietnam on a cross-border basis will be subject to the data localisation requirement if all of the following conditions are met, which makes the scope of application of this requirement quite limited in practice:

  1. provision of captured services - the foreign enterprise provides into Vietnam any of the following services: (1) telecommunications services; (2) data storage and data sharing services in cyberspace; (3) supply of national or international domain names for service users in Vietnam; (4) e-commerce; (5) online payment; (6) payment intermediary; (7) transport connection service via cyberspace; (8) social network and social media; (9) online video games; and (10) services of providing, managing or operating other information in cyberspace in the form of messaging, voice call, video call, e-mail or online chat. Although the list may appear limited, its generic wording (such as the broad reference to 'e-commerce') means it could capture a wide range of businesses and it also remains to be seen how Vietnamese authorities will define the scope of these services in practice;
  2. cybersecurity law violation - the foreign enterprise's services were used to commit a violation of cybersecurity laws;
  3. authority notice - the Department of Cybersecurity and High-Tech Crime Prevention and Control under the Ministry of Public Security has notified the foreign enterprise of the cybersecurity law violation and requested such enterprise to cooperate, prevent, investigate and resolve such violation in writing;
  4. failure to comply - the foreign enterprise has failed to comply, or complied in an inadequate manner, with the request or prevented, obstructed, neutralised or deactivated cybersecurity protective measures applied by the authority; and
  5. Minister order - the foreign enterprise receives a written order issued by the Minister of Public Security, which requires the enterprise to store data locally and set up its branch or representative office in Vietnam.

A captured foreign enterprise would need to complete the data storage in Vietnam and the establishment of a branch or representative office in Vietnam within 12 months from the date the Minister of Public Security issues a written order. This period can be extended for an additional 30-working-day period with prior approval from the authority in a force majeure event. The local branch or representative office will need to be maintained until the enterprise no longer conducts business in Vietnam or ceases to offer the relevant captured service in Vietnam.

Captured data

Decree 53 specifies the scope of data that must be stored in Vietnam as follows:

  1. personally identifiable information data - data to identify an individual;
  2. data created by user in Vietnam - account name to use service, time of service use, credit card information, email address, IP address of latest login or logout, registered phone number associated with the account or data; and
  3. data of user's relationship in Vietnam - friends and groups that the user connects or interacts with.

The 'data' referred to above could be in the form of symbols, letters, numbers, images, sounds or similar. Furthermore, 'user' may include an individual or an organisation, so the scope of limbs (b) and (c) above may extend beyond the traditionally classified personal data.

In addition to local retention of the above captured data, information system logs must be retained for at least 12 months to support investigations into cybersecurity violations of local law enforcement.

Retention method and duration

  1. Retention method: enterprises may decide the method for storing data in Vietnam. Practically, then, it may be possible to use data storage services of foreign-invested Vietnamese companies or foreign service providers so long as such foreign service providers have local infrastructure (such as a leased server) in Vietnam to facilitate the required local storage. As Decree 53 only requires local storage but does not prohibit concurrent offshore storage of the captured data, arguably enterprises may have mirrored copies of the data offshore, although it is still unclear how Vietnamese authorities will interpret and enforce this in practice.
  2. Retention duration: data must be retained from the time the enterprise receives a storage request until the request ends, and this period shall be for at least 24 months. While this provision seems to apply in the case of captured foreign enterprises, it is unclear how local enterprises are expected to comply since their retention obligation is ongoing and not triggered by a request from the authority.

Local law enforcement

It is set out in Decree 53 that the State power of cybersecurity task force charged with cybersecurity regulation enforcement is assigned to:

  1. the Department of Cybersecurity and High-Tech Crime Prevention and Control under the Ministry of Public Security for any matter concerning social security and public order; and
  2. the Military Security Protection Department, the General Department of Politics and the Cyber Command of the Ministry of National Defence for any matter concerning national security and the military.

The local law enforcement must abide with the procedures set out in Decree 53 when taking any enforcement action, including conducting cybersecurity inspection, requesting removal of violating information or requesting an information system shutdown or suspension and withdrawal of a domain name. Note that the procedures are one-way and decisions are made by the relevant authority without specific consultation or an appeal process for the affected persons.

Actions you can take now

If you are a Vietnamese company, you may wish to review if you will be affected by the data localisation requirement of Decree 53. Such review should include the services you provide, the type of data you process and whether you are already storing the captured data in Vietnam or not.  

If you are a foreign company, you may not be immediately affected by the data localisation requirement of Decree 53. However, you may wish to take note of the trigger for such a requirement and have internal policies and processes in place to deal with a potential violation of Vietnamese cybersecurity laws in order to prevent being subject to the data localisation requirement in Vietnam.