On 15th August 2022, the Vietnamese Government issued Decree 53/2022/ND-CP detailing certain articles of the Law on Cybersecurity (“Decree 53”), which will take into effect since 01st October 2022.
Apart from the regulations in relation to the national security information systems, which is mainly focused, Decree 53 also has notable regulations that enterprises which have been operating in the field of information technology need to pay attention to. Hence, for the benefit of our valued clients’ compliance with the latest applicable laws, GV Lawyers would like to hereby present critical and highly applicable points regarding Decree 53 as follows:
1. Localization of data in Vietnam
Vietnamese companies and foreign companies which conduct a number of certain businesses in Vietnam are required to localize specific data in Vietnam. The data will include:
- Personal information of service users in Vietnam;
- Data created by service users in Vietnam: Service user name, service use time, information of credit cards, email, latest IP address for login and logout, phone number registered for an account or data; and
- Data about the relationships of service users in Vietnam such as friends, group of people that a user has connection with.
2. Presence requirement of a foreign company in Vietnam
Only a foreign company conducting business activities in Vietnam, providing following services must establish its branch or representative office in Vietnam. The requirement applies to:
- Telecommunication services;
- Storing and sharing data in cyberspace;
- Providing national or international domain names to service users in Vietnam;
- Online payment;
- Payment intermediary;
- Transport connection services through cyberspace;
- Social networks and social media; online video games; and
- Services of providing, managing or operating other information in cyberspace in the form of messages, voice calls, video calls, e-mails, online chats.
3. Time limit for data storage
Decree 53 sets out the time limits for data storage as follows:
- The time limit for storage of the data in Section 1 of this Letter is at least 24 months; and
- The time limit for storage of the system log to serve the investigation and handling of violations of the law on network security is at least 12 months.
4. Dealing with law violation and false information
In case of information being determined against the State, the laws, the rights and interest of individuals/institutions, as a breach of the peace and other types of violation specified under the applicable laws by the competent State authorities, the competent State authorities have the authority to request relevant entities to take down such information by an administrative decision.
5. Collection of e-data for investigation
For the purposes of ensuring the cybersecurity and punishing illegal behaviours in cyberspace, the competent State authorities can take measures for data collection under the following conditions:
- Maintaining the status of digital devices, e-data;
- Copying and recording of e-data must be correctly carried out in accordance with the procedure by recognized and verified equipment and software, which must protect the integrity of e-data stored in such device;
- The process of data recovery, electronic data search must be recorded in minutes, photos, videos, if necessary, the process can be repeated to arrive at similar results to present in court; and
- The person who collects e-data must be a specialized officer assigned to perform the task of collecting such e-data.
6. Termination and suspension of operation of information system, domain retrieval
In case of (i) violation of the laws on national security and cyber security; and (ii) information system being used for the purpose of infringing upon national security, social order and safety, the competent State authorities can issue the decision to apply measures of termination, suspension of operation of such information systems, domain retrieval.
Given the foregoing, you are highly recommended to pay due attention to these newly-issued compliance requirements in order to mitigate risks of administrative fines and ensure that the business activities shall not be affected or delayed.
We hope the said updates have been clear and useful. If you have any queries relating to the abovementioned, please do not hesitate to contact us.