Data localisation regulations in need of further guidance

January 19, 2023 | 09:00
(0) user say
The long-awaited issuance of Decree No.53/2022/ND-CP last year guided the implementation of the Law on Cybersecurity. Given the decree features implementing rules on the law’s data localisation and local office requirements, businesses with operations involving Vietnam were in a scurry to understand how it would impact them going forward. Decree 53 provides specific rules that will enable regulators to enforce the aforementioned requirements, which until now had not been applied due to lack of guidance. That said, while Decree 53 took effect in October, there remain points that are unclear and in need of further guidance.
Data localisation regulations in need of further guidance
Eunjung Han - Consultant, Rouse Legal Vietnam; Digital Sector Committee vice chairwoman, European Chamber of Commerce in Vietnam

The timing of Decree 53’s issuance was fitting given the government had unveiled the National Cybersecurity and Safety Strategy the same month as a response plan to cyberspace challenges until 2025 with vision towards 2030. The agenda of this strategy includes tasks, among others, of completing the relevant local legal framework.

Decree 53’s issuance is also correlated to the National Digital Transformation Programme’s goals and relevant efforts currently underway, such as updating laws on e-transaction, IT, and telecommunications, as promoting technologies that facilitate and accelerate digital transformation depends greatly on the security of cyberspace and handling existing, imminent, and potential risks.

The Law on Cybersecurity was passed in mid-2018 with an effective date of January 2019. It garnered international attention not only because it was the first law in Vietnam focusing on the protection of internet-connected systems and data from attack like cybercrime and cyber fraud, but also for featuring local data storage and presence requirements.

Given the law’s extraterritorial reach, it was obvious that such data localisation/local office provisions under Article 26 would impact both onshore and offshore entities involved in tech-related activities. This was a point of particular interest because stakeholders – while agreeing on the importance of the integrity of network security – expressed concerns over the burdens of such requirements.

Specifically, questions were raised as to whether such requirements would deliver actual benefits to service providers, the risk they could potentially have on limiting access to new services for Vietnamese users, and the potential barriers to free flow of data across borders.

That said, Article 26 did not go into specifics on the requirements, only to provide that the government would elaborate on them at a later time. This meant that answers to questions around, among other issues, the exact application scope, triggering conditions/test, and specific compliance requirements had to wait and Article 26 remained unenforced due to such lack of guidance.

Since fall of 2018, drafts of the decree implementing the Law on Cybersecurity (what is now known as Decree 53) were released one after another and underwent a public commenting period. Naturally, when Decree 53 was released over three years later, the fervour was palpable.

Data localisation regulations in need of further guidance
Data localisation regulations in need of further guidance, Photo: Shutterstock

For example, the Vietnam Business Forum’s briefing on Decree 53 was attended by major business chambers in Vietnam, banks, insurance companies, and various tech companies. More recently, the dissemination conference guiding implementation of the decree, organised by the Department of Cybersecurity and High-tech Crimes Prevention under the Ministry of Public Security (MoPS) in December 2022, was attended by hundreds of representatives of organisations from both the public and private sector.

With respect to the application scope, the data localisation requirement applies to domestic entities. The dissemination conference touched on this issue to say that the definition of domestic enterprises includes enterprises as defined in the Law on Enterprises, but excludes branches/representative offices established in Vietnam by Vietnamese/foreign companies and banks.

That said, it remains unclear as to whether foreign invested entities fall within the definition of domestic enterprises in the context of Decree 53.

As for foreign enterprises, data localisation/local office requirements would only potentially apply if they provided a service listed in Decree 53 (telecommunications services, data storage/sharing services, e-commerce, payment intermediaries, among others) and fulfill other conditions. Overall, further written guidance appears to be needed and would be helpful to comply with its provisions.

Decree 53 also provides rules on, among others, the types of data subject to local storage (personal data of service users in Vietnam, user-generated data in Vietnam, and data on the relationship of service users in Vietnam with onshore and offshore entities doing business in Vietnam) and storage duration (minimum of 24 months). As for the form of the data to be stored in Vietnam, Decree 53 states that it is to be decided by the relevant enterprise, with the MoPS confirming at the recent dissemination conference that data can be stored on servers that allow direct access to the data, or in external data storage devices to which businesses extract and store there and make periodic updates at least every seven days.

To date, details and guidance on the availability of an appeal procedure have not been provided yet.

Inviting and engaging in dialogue with stakeholders through different channels including public consultation procedures and conferences such as the cybersecurity administrative sanctions workshop and the aforementioned dissemination conference reflect the government’s ongoing efforts and pragmatic approach to develop the legal framework. That said, there remains issues over some clarifications, and further written guidance is needed for enforcement.

It should be noted that a report released in December by the Information Technology and Innovation Foundation, a US-based think tank, suggested that cross-border data transfer restrictions can set back a country in the global digital economy. Given Vietnam’s potential to become a regional digital powerhouse, it may be worth taking a moment to weigh sought-for privacy/security goals against potential impact on trade and the overall local investment landscape.

Data deemed safer in law alteration Data deemed safer in law alteration

Foreign enterprises doing business in Vietnam must store key internet data on servers located within the country, according to a new government decree.

Data centres in Vietnam: an investment goldmine Data centres in Vietnam: an investment goldmine

In 2016, Vietnam was already described as Southeast Asia’s Silicon Valley. Its emerging sectors and fast-growing industries included fintech, telecommunications, electronics and computer manufacturing, and information and telecommunications services. Now, the country is one of the fastest-growing digital economies in Southeast Asia and on track to reach an internet economy worth $57 billion by 2025.

New data centres popping up in Vietnam’s major cities New data centres popping up in Vietnam’s major cities

The unveiling of new data centre plans in Vietnam is increasing rapidly, with the entry of a series of international and domestic corporations claiming to be building the biggest and best in-demand facilities.

Data flow advances head wish list for year of the database Data flow advances head wish list for year of the database

Domestic and international businesses in Vietnam are expected to enjoy more favourable data sharing and integration in 2023, as the country plans to make new moves to promote data flows and facilitate business.

By Eunjung Han

What the stars mean:

★ Poor ★ ★ Promising ★★★ Good ★★★★ Very good ★★★★★ Exceptional