Vietnam: Cybersecurity Law Decree Issued

The Vietnamese Government has issued Decree No. 53/2022/ND-CP dated 15 August 2022 guiding the implementation of Cybersecurity Law 2018 (“Decree 53”). It takes effect on 1 October 2022 and does not provide a grace period. Given the Cybersecurity Law's extra-territorial reach, Decree 53 will impact both onshore and offshore entities.

Decree 53 provides much-awaited rules that will, among other things, enable regulators to enforce the data localization and local office (i.e., branch or representative office) requirements under Article 26 of the Cybersecurity Law. Until now, Article 26 requirements had not been applied due to a lack of needed guidance/details for implementation. Specifically, primary points of interest of both onshore and offshore entities had been the types of data subject to local storage, storage period, relevant entities, triggering conditions, and operational and procedural aspects of the local office requirement. Please see below for some details provided in Decree 53:

• Types of data subject to local storage:
  • personal data of service users in Vietnam
  • user-generated data in Vietnam (i.e., account name of service user, time of service use, credit card information, email address, network address (IP) of most recent login/log out, registered phone number associated with the account or data)
  • data on the relationship of service users in Vietnam with onshore and offshore entities doing business in Vietnam (i.e., friends and groups with which users connect or interact)
• Data storage period: The time period starts from the time an entity receives a request for local storage; the minimum period being 24 months.
• Local storage and local office requirements for offshore entities:
  • Application scope - Decree 53 specifies that these requirements will apply to foreign entities doing business in Vietnam involved in telecommunications services; storing and sharing data in cyberspace; providing national or international domain names to service users in Vietnam; e-commerce; service providers of online payments; payment intermediaries; transport connectivity services through cyberspace; social networks and social media; online video games; services providing, managing or operating other information in cyberspace in the form of messages, voice calls, video calls, email, online chat. The requirements must be fulfilled within 12 months from the date the Minister of Public Security issues a decision on the requests.
  • Triggering condition - Failure to comply/inadequately complied with written requests made by the Department of Cybersecurity and High-Tech Crime Prevention and Control under the Ministry of Public Security for Cybersecurity Law violations.

Additionally, Decree 53 also details other issues, among others, the following:

• measures for ensuring cybersecurity, which includes, among others, requests for takedown of illegal contents, the shutdown of information systems
• establishment and assessment of national security information systems
• coordination of competent authorities to implement protection measures, handling violations against cybersecurity across areas/industries