Article 5 of the Law on Cybersecurity establishes 12 cybersecurity measures and authorises the government to regulate how those measures are to be applied. For the three years preceding the promulgation of Decree 53, many of these measures could not be implemented or enforced because the implementing regulations did not exist.
Le Ton Viet - Senior associate, Russin & Vecchi
Under Decree 53, a cybersecurity task force is to be established with the power to enforce these cybersecurity measures against violations of the Law on Cybersecurity or any acts against national security or public order. It is noteworthy that this is not intended to be an opaque process.
If a measure is selected, the owner of the targeted information system shall be informed, in writing, of the measure to be applied, the reason for it, and the scope, time, and duration of the application of the selected measure. Additionally, the government is drafting regulations on administrative sanctions for violations of the Law on Cybersecurity. These regulations, once effective, will work with Decree 53 to create a complete system for enforcement of the law.
When the requirements for ‘data localisation’ and ‘mandatory physical establishment’ were first introduced in the Law on Cybersecurity, they caused concern in the business community: it was unclear whether the requirements were intended to capture any business with Vietnamese customers, which raised the prospect of over-policing.
In August 2019, when the government published a draft decree (which eventually became Decree 53), the general understanding was that an enterprise would not be subject to these two requirements unless it violated the law and was requested to comply by the government. Decree 53 confirms that understanding and sets out further conditions for the application of the requirements.
According to Article 26 of Decree 53, a Vietnamese enterprise must store the following data in Vietnam: personal data of users in Vietnam; data created by Vietnam-based users, including account name, time of usage, credit card information, email address, IP address, most recent log-out, and registered phone number; and data on the relationships of Vietnam-based users with their friends or other people with whom they interact. This is collectively referred to as regulated data.
A foreign enterprise doing business in Vietnam is required to store the regulated data in Vietnam and to establish a branch or a representative office only if all of the following conditions are met:
- The foreign enterprise is doing business in Vietnam in one of the following fields: telecommunication services; data sharing and storage; provision of a national or international domain for Vietnamese users; e-commerce; social networks and social marketing; online games; or provision, management, or operation of other information on the internet in the form of messages, telephone calls, video calls, email, or online games;
- The services provided by the enterprise are used to violate the Law on Cybersecurity; and
- The task force has notified the enterprise and requested its cooperation in preventing, investigating, and handling the violation, but the enterprise has failed to cooperate, causing the task force’s measures to fail.
When a foreign enterprise meets all of the above conditions, it becomes subject to the requirement to store its regulated data and to establish a branch or representative office in Vietnam, and the minister of public security will send the enterprise a request to do so. The enterprise is given 12 months from the date of the request to comply.
The enterprise may choose how it stores regulated data in Vietnam, and it must keep the regulated data in Vietnam until the request is lifted. The enterprise’s branch or representative office must remain in Vietnam until the enterprise no longer has any business in Vietnam or no longer provides the relevant services in the country.
The government is aiming for a more comprehensive system to ensure that data of people residing in Vietnam (including foreigners) is protected, built from Decree 53, the aforementioned upcoming decree on administrative sanctions for violations of the Law on Cybersecurity, a decree on the protection of personal data that is awaiting the government’s final approval for promulgation, and potentially a separate law on the protection of personal data. To be prepared, three practices are advisable. The first is data classification: a plan to categorise an enterprise’s collected information according to criteria such as sensitivity and regulatory requirements. Classification also helps maintain the confidentiality, integrity, and availability of data.
Secondly, log data should be retained. Logs hold a record of all activities relating to the stored data, including access time and location, allowing an enterprise to identify risks promptly and to respond to a potential threat or to a request from the government. Of note, Decree 53 requires that, under certain circumstances, log data must be kept for at least 12 months.
Finally, it is crucial to make clients and customers aware. An enterprise should adequately inform them of its obligation to cooperate with the government, including disclosing clients’ or customers’ information, if it receives a valid request to do so.