The Government is drafting a Decree to amend some articles of Decree 72/2013 on administrating, providing and using Internet services and online information (Draft Decree). The Draft Decree proposes several major changes of Decree 72, one of which is the expansion of the governing scope of Decree 72 to cover the service of information data center (dịch vụ trung tâm dữ liệu). Previously, there is no set of regulations governing this service.
Various new provisions on information data center service are included in the Draft Decree. For instance:
1. Certain definitions relating to information data center service are introduced, e.g.:
(a) Service of information data center (kinh doanh dịch vụ trung tâm dữ liệu) which is defined as a commercial activity to provide computing and storage capacity for technical infrastructure conducted by data centers, including: server rental services (dịch vụ cho thuê máy chủ), service of renting out data center’s space (dịch vụ cho thuê chỗ tại trung tâm dữ liệu), service of renting out data storage space (dịch vụ cho thuê chỗ lưu trữ dữ liệu), and cloud computing service (dịch vụ điện toán đám mây);
(b) Server rental service (dịch vụ cho thuê máy chủ) being a service that provides users with available equipment and information infrastructure at the data center for their own use;
(c) Service of renting out data center’s space (dịch vụ cho thuê chỗ tại trung tâm dữ liệu) being the service that provides space for users to design and install servers and/or other storage devices by themselves;
(d) Service of renting out data storage space (dịch vụ cho thuê chỗ lưu trữ dữ liệu) being the service that provides storage space, which is set up by service providers, for organizations and individuals; and
(e) Cloud computing service (dịch vụ điện toán đám mây) being the service of distributing information technology resources (information infrastructure, platforms, software) in the form of services on a network environment, including: provision of server resources, storage capacity and network connectivity (Infrastructure as a service (IaaS)); providing users with the ability to create, manage and operate applications (Platform as a Service (PaaS); rent out specific applications to users (Software as a Service (SaaS)).
2. Business entity wishing to provide information data center service can register this business online through the website of the Ministry of Information and Communications (MOIC) subject to the satisfaction of the following conditions:
(a) having technical plan in accordance with standards and technical regulations on network information security and data protection of service users; complying with standards and technical regulations in the process of designing, building, operating and exploiting data centers; and
(b) having tools (software, applications, information systems) to manage, store, authenticate and protect information records of service users.
3. The Draft Decree imposes various strict obligations on the information data center service providers:
(a) agreement on provision of the service of information data centermust cover certain compulsory contents specified in the Draft Decree (which will mostly include basis contents of a service agreement, except for clauses specifying the acts prohibited by law as specified in Article 5 of Decree 72 and data protection policy);
(b) where providing cross-border information data center service, the service provider must notify the MOIC of such provision;
(c) the service provider must inform the MOIC upon discovering any activity which abuses the information data center service for conducting violations on cyber-security or intellectual properties. This is a quite broad obligation and without further clarification, query how the service provider can comply in practice;
(d) data of clients being Vietnamese organisations and individuals must be stored in Vietnam. This requirement seems not to be consistent with Article 26.3 of the Law on Cyber Security 2018 which only require entities providing services on cyberspace to store personal data of clients in Vietnam (without limiting the nationalities of such clients as specified in the Draft Decree); and
(e) the service provider must store information of clients (orginal or digital copies) at least 5 years after terminating the service. Article 26.3 of the Law on Cyber Security 2018 also includes a similar requirement though it does not specify how the information must be stored.
While the Draft Decree was introduced in the end of 2021, we have not seen any development as to this draft. Therefore, it is uncertain when the the Draft Decree is passed.
This post is written by Nguyen Thu Giang and edited by Hoang Thi Thanh Thuy.