Vietnam: Cybersecurity regulations for data storage and setting up a branch office
The Government of Vietnam has issued long-awaited Decree No.53/2022/ND-CP (Decree 53) detailing several articles of the Law on Cybersecurity 2018.
Decree 53 was issued on August 15 and took effect on October 1, 2022.
- Which data must be stored in Vietnam?
In brief, subject to a decision issued by the Minister of the Ministry of Public Security (MoPS) with respect to foreign enterprises, the following data must be stored in Vietnam (Regulated Data):
- Data on personal information of service users in Vietnam (ie, data in the form of symbols, letters, numbers, images, sounds or the like which may be used to identify an individual)
- Data generated by service users in Vietnam (ie, data in the form of symbols, letters, numbers, images, sounds or the like describing the process of participation in, operation and use of cyberspace by service users and information about network equipment and services used to connect to cyberspace in the territory of Vietnam), including account name, service use time, credit card information, email address, network (IP) address of the last login and logout, registered phone number associated with the account or data and
- Data on the relationship of service users in Vietnam (ie, data in the form of symbols, letters, numbers, images, sounds or the like describing, identifying the relationship of service users with others in cyberspace), including friend lists and lists of groups with which service users connect or interact.
- Who must store data in Vietnam?
Article 26.3 of the Law on Cybersecurity provides a broad interpretation of enterprises subject to the data storage requirement, which raised concerns on its enforceability.
In particular, domestic and foreign enterprises providing services on (i) telecommunications networks; (ii) the Internet; and/or (iii) value-added services in cyberspace in Vietnam, which conduct activities of collecting, exploiting, analyzing and processing data of "service users in Vietnam" (defined as organizations and individuals using cyberspace in the territory of Vietnam) must store the Regulated Data in Vietnam.
In all cases, data storage by foreign enterprises in Vietnam must be completed as soon as possible within 12 months from the date of the MOPS request.
While there is no further guidance on specific services requiring data storage in Vietnam by domestic enterprises, Decree 53 does itemize the following specific services to/in Vietnam (Applicable Services), requiring data storage by foreign service providers in Vietnam:
- Telecommunications services
- Storing and sharing data in cyberspace
- Providing national or international domain names to service users in Vietnam
- Online payment
- Intermediary payment services
- Transport connection services through cyberspace
- Social networks and social media
- Online video games and
- Services that provide, manage, or operate other information on cyberspace in the form of messages, voice calls, video calls, e-mails, online chats.
However, not all foreign enterprises providing the Applicable Services must store their Regulated Data in Vietnam. In this regard, Decree 53 does provide further conditions for triggering the data storage requirement in Vietnam (Triggering Conditions), particularly as follows:
- the service provided by the enterprise is used to commit violations of the Law on Cybersecurity and
- the Cybersecurity and High-Tech Crime Prevention and Control Department of the MoPS (Cybersecurity Department) has notified and requested coordination, prevention, investigation, and handling in writing - but
- the concerned enterprise fails to comply, fails to comply fully, or prevents, obstructs, disables, or cancel network security protection measure(s) performed by the force specialized in network security protection.
Nonetheless, there is an exemption to the Triggering Conditions. Specifically, in case of a force majeure event when a foreign enterprise cannot comply with the data storage requirement, it shall notify the Cybersecurity Department within three working days for verification. Within a 30-day-period, such foreign enterprise must also resolve the problem.
- In which form must data be stored in Vietnam?
Decree 53 does not provide any specific requirement, but allows applicable enterprises, whether domestic or foreign, to decide on the form of their data storage in Vietnam.
- How long must data be stored in Vietnam?
If applicable domestic enterprises are required by Decree 53 to automatically store Regulated Data in Vietnam, for applicable foreign enterprises, the Regulated Data will be stored for a specific period as stated in the data storage request from the Minister of the MoPS, starting from the time the enterprise receives such request. In any case, the minimum data storage period must be at least 24 months.
It is noted that in all cases, data storage by foreign enterprises in Vietnam must be completed as soon as possible within 12 months from the issuance date of the Minister of the MoPS’s decision requesting it. Furthermore, in case the MoPS or the Ministry of Information and Communications requests blocking or deletion of prohibited information, system logs for investigation and dealing with violations of the laws on network security must be kept for at least 12 months. Decree 53 does not specify when the said 12-month period starts, but it would reasonably be assumed to start from the date of receipt of the Cybersecurity Department’s request by the enterprise.
- Other related data storage requirements of which enterprises must be aware
In addition to the said requirement on data storage in Vietnam, domestic and foreign enterprises must be aware of the following general requirements:
- In cases where an enterprise does not collect, exploit, analyze and process all of the Required Data, the enterprise must coordinate with the Cybersecurity Department to confirm and proceed to store the data currently being collected, exploited, analyzed and processed.
- In cases where an enterprise collects, exploits, analyzes and/or processes additional Required Data, the enterprise is responsible for coordinating with the Cybersecurity Department to add to the list of data that must be stored in Vietnam.
- Requirements that foreign enterprises must be aware of when setting up their branches or representative offices in Vietnam
A foreign enterprise providing the Applicable Services in Vietnam may also be asked by the Minister of the MoPS to set up a branch or representative office in Vietnam. Decree 53 is silent on the purpose of this requirement. However, it seems that having a branch or representative office in Vietnam will assist the foreign enterprise in better cooperating with local authorities in Vietnam and addressing issues relating to its Regulated Data stored in Vietnam.
It is noted that in all cases, a branch or representative office must be set up by a foreign enterprise in Vietnam, as soon as possible and within 12 months from the date of the Minister of the MoPS’s decision requesting the enterprise to set up its branch or representative office in Vietnam.
It is further noted that a foreign enterprise is required to maintain its branch or representative office set up in Vietnam, for a period of time starting from the date of receipt of the request from the Minister of the MoPS until the termination of that enterprise’s operation or business (ie, cessation of provision of the Applicable Services) in Vietnam.
- Possible sanctions
Enterprises that do not comply with the provisions of the Law on Cybersecurity and Decree 53, will, depending on the nature and severity of their violations, may face an array of sanctions, which we will cover in a subsequent article.
Welcome to Crossroads – ICR Insights
Crossroads – ICR Insights is our series of short-read articles designed to assist organizations considering an international corporate reorganization (ICR). Each country-specific, solutions-based brief will answer a key consideration during a global transaction such as carveouts, spinoffs, acquisitions and dispositions, pre- and post-acquisition integration, or legal entity rationalization. Visit Crossroads – ICR Insights to view the entire collection or sign up to be notified of new postings. Have an idea of a topic or interested in discussing further? Email ICRCrossroads@dlapiper.com.