Whilst the Law on Cybersecurity came into effect as from 1 January 2019 (Law on Cybersecurity), it has taken more than three years to finalise the implementing decree after numerous drafts for opinions and consideration by the relevant State authorities and stakeholders. On 15 August 2022, the long-awaited decree was finally issued by the Government with effect as from 1 October 2022 (Decree 53), which is expected to have significant impact upon the business operations of both local and foreign entities in the sectors captured under such decree. We set out below the key contents of Decree 53 with respect to the data localisation and local presence requirements.
1. What sorts of data must be stored in Vietnam?
Decree 53 broadly defines the scope of data which is subject to the localisation requirements to cover:
- personal information of users in Vietnam meaning information in the form of signals, letters, digits, images, sound or any equivalent (Information) to identify an individual;
- data created by users in Vietnam meaning the Information which reflects the process of participation, operation, and use of cyberspace by users of services or information in relation to cyber-equipment or cyber-services to connect with the cyberspace within the territory of Vietnam, including username of their accounts, time of service use, credit card information, email address, IP address of the latest login and logout, registered phone number associated with the account or data; and
- data of users' relation in Vietnam meaning the Information which identifies the relationship between the users and other persons in cyberspace including friends, groups that the users connect or interact with, (collectively, the Data).
Of note, the definition of users is extended to both individual and corporate users, which will broadly capture the Data under the scope of the localisation requirements.
2. Who will be required to store the Data in Vietnam?
Both Vietnam-domiciled entities (including both domestic-owned entities and foreigninvested entities incorporated under the laws of Vietnam) and foreign entities (i.e., companies incorporated or registered under the laws of foreign countries) are required to store the Data in Vietnam if they meet the following criteria:
(a) With respect to Vietnam-domiciled entities:
- providing services in the telecoms network, Internet, value-added services in cyberspace in Vietnam; and
- conducting the activities of collecting, exploiting, analysing, processing the Data to store data in Vietnam within a prescribed period,
(collectively, the Local Entities);
(b) With respect to foreign entities, in addition to the criteria applicable to Vietnamdomiciled entities above:
- providing one or more of the following services: telecoms services; data storing and sharing in cyberspace; provision of national or international domain names to service users in Vietnam; e-commerce; online payment services; intermediary payment services; transport connection services via cyberspace; social network and social media; online video games; providing, managing and operating other information in cyberspace in the form of messaging, voice calls, video calls, email or online chat (collectively, the Regulated Services);
- having received a written notice of the Department of Cybersecurity under the Ministry of Public Security requesting to coordinate, prevent, investigate or enforce any cybersecurity measure (Request); and
- having failed to comply with such Request or inadequately complied with such Request, or prevent, obstruct, invalidate any cybersecurity measure, (collectively, the Foreign Entities).
3. How long will data have to be stored in Vietnam?
Whilst there is no time limit provided for data localisation of Local Entities (meaning that such entities will be required to store the Data locally during their operational term), Foreign Entities which satisfy the criteria above will be required to store the Data in Vietnam for a period of at least 24 months. However, Foreign Entities will have 12 months as from the date of the Request to comply with the data localisation requirements.
4. Shall the Data be stored exclusively in Vietnam?
Foreign Entities and Local Entities may determine as to the forms of storing the Data in Vietnam. This tends to suggest that Decree 53 does not prevent such entities from having a copy of the Data outside Vietnam.
5. Who will be required to set up a local presence in Vietnam?
Foreign Entities which satisfy the criteria for data localisation requirements as referred to in paragraph 2 above shall establish a representative office or branch in Vietnam within 12 months as from the date of the Request.
6. How long are the Foreign Entities required to operate their representative offices and branches?
The representative offices or branches of the Foreign Entities shall be operated so long as the Foreign Entities have business operations or provide the Regulated Services in Vietnam.
7. What are the consequences of a failure to comply with the data localisation and local presence requirements?
The Ministry of Public Security is preparing a draft decree on administrative sanctions for violation of the Law on Cybersecurity. According to this draft decree, Local Entities and Foreign Entities may be exposed to the following financial penalties and sanctions:
(a) A fine of between VND80 million and VND100 million (equivalent to approximately USD3,400 to USD4,300);
(b) A fine of up to 5% of the revenue in the Vietnam market if having committed a breach of such requirements for the third time; and
(c) A revocation of any business license in Vietnam.