In October, Decree No.53/2022/ND-CP finally took effect. After waiting since the middle of 2018, the government of Vietnam finally issued the decree, detailing some articles of the Law on Cybersecurity following the last draft decree version released in August 2019.
In general, Decree 53 uses the same governing scope and structure as the last draft decree, including six chapters with 30 articles. A new schedule has been added, providing some templates to be used for the relevant procedures regulated in Decree 53. In comparison with the previous draft, certain revisions have been made to some defined terms under Article 2. For example, “service user” covers both organisations and individuals, but is only limited to those participating in using services in cyberspace, instead of participating in activities in cyberspace in general. Meanwhile, “Data generated by the service user in Vietnam” is limited to the prescribed data within the territory of the Socialist Republic of Vietnam.
|Cybersecurity legislation’s upgrade, source: Shutterstock |
The Department of Military Security Protection and the General Political Department are listed among the cybersecurity task forces (CTF), while definitions of “domestic enterprise” and “foreign enterprise” have been supplemented.
Article 16.1 in the 2019 version has been deleted, which stated that cybersecurity inspection is a technical method to be applied by administrators of information systems in their operation and use of such information systems. This, however, does not release the administrators of information systems from cybersecurity inspection obligations, since this obligation is still provided for under Article 17.2(a) of the Law on Cybersecurity.
Requesting deletion of unlawful or false information in cyberspace which infringes national security, social order and safety, or lawful rights and interests of agencies, organisations, and individuals, as noted in Article 19 of Decree 53, is another notable highlight.
Heads of agencies attached to the Ministry of Information and Communications have been added as competent agencies to apply this cybersecurity protection method, in addition to the director of the Department of Cybersecurity and Hi-tech Crime Prevention (DCHCP) under the Ministry of Public Security (MPS).
Furthermore, such agencies are also entitled to actively exchange and share information in respect of the implementation of this cybersecurity protection method, save for information which falls within the scope of state secrets or professional requests of the MPS.
Elsewhere, e-data has been officially defined as “information in the form of symbol, text, figure, image, sound, or similar forms”. This definition may yet yield confusion as it is the same as the definition of “data” in general provided under Article 4.20 of the draft amended Law on Electronic Transactions, which was released for public comments in May this year, if the draft amended law is adopted as-is.
Requirements on localisation
Information required to be stored in Vietnam includes three main types as previously provided in the last draft decree: data on the personal information of service users in Vietnam; data generated by service users in Vietnam; and data on the relationships of service users in Vietnam.
Wherein, the data generated by service users in Vietnam covers, among others, registered phone numbers attached to accounts used for utilising the service or attached to relevant data in general. In the previous draft, the relevant data was limited to only data about personal information.
Similar to the last draft, Decree 53 clearly requires that all domestic enterprises must store the prescribed data in Vietnam. Foreign enterprises will be subject to the requirement on data localisation and branch/representative office establishment if several conditions are all met.
First, the foreign enterprise has business operations in Vietnam which fall in the sectors as prescribed under Article 26.3(a) of Decree 53, which include telecom services; cloud storage; supply of national or international domain names to service users in Vietnam; e-commerce; online payments; intermediary payments; service of transport connection via cyberspace; social media; online electronic games; and services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.
Secondly, the services provided by the foreign enterprise are used for committing a breach of the laws as to cybersecurity; and the third condition is that such a foreign enterprise has been notified and requested in writing by the DCHCP under the MPS for cooperation in handling/preventing a breach, but fails to comply, fails to fully comply, or otherwise challenges any cybersecurity protection method applied by the CTF.
The condition of “having activities of collecting, exploiting, analysing, and processing” the prescribed data is no longer mentioned. However, this inclusion may find its way back as it has been stated as a prerequisite in Article 26.3 of the Law on Cybersecurity.
Concessions and impacts
The requirement for data localisation and establishment of a local presence has caused a great deal of concern since it was first released with the promulgation of the Law on Cybersecurity. Acknowledging this situation, the government appears to be making some concessions in Decree 53 by providing some flexibility in compliance with these requirements.
In particular, if unable to comply with the requirement due to force majeure events, foreign enterprises are entitled to notify the DCHCP under the MPS in writing about the same within three working days for inspection. In this case, the concerned foreign enterprise will be granted a period of 30 working days to seek remedial measures.
Enterprises are entitled to decide on the form of data storage within Vietnam. The time for compliance with requirement by foreign enterprises has been extended to 12 months instead of six only upon the date of a decision by the MPS minister on data storage and/or branch/representative office establishment.
Non-compliance will be subject to sanctions. However, as yet no specific regulation on applicable sanctions has been provided.
For data storage, instead of regulating specific storage periods for each type of the prescribed data, Decree 53 generally sets out a storage period which commences when the enterprise receives the MPS decision, and lasts until the request is terminated, with a minimum cap of two years.
For branch/representative office establishment, the applicable period commences when the enterprise receives the MPS decision and lasts until the enterprise no longer operates in Vietnam or the prescribed service is no longer provided in Vietnam.
After a long wait, administrators of information systems as well as domestic and offshore enterprises can finally understand the compliance requirements with certainty, which should ease the difficulty of adherence to the Law on Cybersecurity.
Most importantly, the subjects for which data localisation and branch/representative office establishment will be required have finally reached a relatively specific explanation. Accordingly, foreign enterprises with a high risk of being subject to this requirement can have some peace of mind, that is, until an MPS decision is submitted, there is no need to comply with the same requirements.
On the contrary, domestic enterprises have been further burdened as they all have to ensure compliance, but Decree 53 neither provides a specific deadline nor offers a specific grace period for them to finalise compliance efforts. It is recommended that such enterprises establish planning to respond appropriately should they receive a notice from the MPS, since the 12-month delay can be seen as a short time period for behemoth entities operating globally.
| ||VIR talk show discusses cybersecurity issues surrounding NFT Games |
On the morning of May 19, Vietnam Investment Review will host the talk show Cybersecurity Issues with NFT Games, during which the guests will not only discuss some of the most daunting questions regarding the security of blockchain games but also give advice on how to successfully establish a project, as well as what kind of legal framework would be necessary to guide companies and end-users.
| ||Bolstering cybersecurity along with the rise of NFT games |
Last Thursday, Vietnam Investment Review hosted the talk show ‘Cybersecurity Issues with NFT Games’, during which the guests not only discussed some of the most daunting questions regarding the security of blockchain games but also gave advice on how to successfully establish a project, as well as what kind of legal framework would be necessary to guide companies and end-users.
| ||Fortinet aims to narrow cybersecurity skill gap |
Fortinet has pledged to train one million professionals by 2026 to contribute to narrowing the current cybersecurity skills shortfall.
| ||How cybersecurity clarity can be provided through fresh decree |
On August 15, the Vietnamese government issued Decree No.53/2022/ND-CP to guide certain articles of the Law on Cybersecurity. Among other things, Decree 53 provides important guidance and clarification on the government’s power to apply certain cybersecurity measures, and on the ‘data localisation’ and ‘mandatory physical establishment’ requirements introduced by the law.