Introduction
In August 2022, the Government issued Decree 53/2022 providing, among other things, further guidance on data localization requirements in Vietnam. Article 26.3 of the Law on Cyber Security 2018 (LCS 2018) provides for a general data localization requirement. However, due to the lack of implementing regulations, such provision is not enforced in practice for several years. The new guidance under Decree 53/2022 will likely make the law enforceable in practice from 1 October 2022. In this post, we discuss some salient points of the data localization requirements under Decree 53/2022. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.
Data localization requirements
Under the LCS 2018 and Decree 53/2022, the data localization requirements include two key measures:
· Storage Requirement: under this requirement, the relevant enterprise must store Localised Data (defined below) in Vietnam. The Storage Requirement applies to both domestic and foreign enterprises; and
· Local Presence Requirement: under this requirement, the relevant enterprise must establish a representative office or a branch in Vietnam. This requirement applies only to foreign enterprises.
Regarding Storage Requirement,
· Form of Storage: Decree 53/2022 provides that an enterprise can determine the form of storage. This provision could give an enterprise considerable flexibility to decide on how to store Localised Data in Vietnam. That said, it is not clear whether (1) the relevant enterprise must store Localised Data in a way which could be readable by the authority or (2) it could store Localised Data in encrypted form or in non-electronic form; and
· Period of Storage: Under Decree 53/2022, the data storage period is at a minimum of 24 months starting from the date the enterprise receives the request for data storage. It is not clear whether this provision applies to foreign enterprises only or both domestic and foreign enterprises. This is because only foreign enterprises will receive the request for storing data from the competent authority in certain cases (see below). If the storage period does not apply to domestic enterprises, then it is not clear how long domestic enterprises must store data.
Regarding Local Presence Requirement, there are several issues as follows:
· Under Vietnamese law, a foreign enterprise can only set up a branch if Vietnam undertakes to allow branch establishment in the relevant treaties (e.g., WTO commitments, or CPTPP). Accordingly, it is likely that setting up a Representative Office is the more likely option; and
· It is not clear if the local branch or representative office of the foreign enterprise will be held responsible for the compliance with the LCS 2018 and Decree 53/2022 by the foreign enterprise.
Data subject to local storage requirements
Article 26.1 of Decree 53/2022 requires three types of data to be stored in Vietnam as follows (Localized Data):
· data relating to personal information of service users in Vietnam which is defined to mean information in form of signs, characters, numbers, pictures, voice or similar information used to identify an individual;
· data generated by service users in Vietnam which includes account name of service users, time of using service, information of credit card, email address, IP address of most recent login/log out, the registered telephone number associated with the account or data; and
· data on the relationship of service users in Vietnam which includes friends and groups with whom users connect or interact.
Regarding the last two types of data, it is not clear whether this is an exhaustive list of data subject to local storage or any data falling within the definition of “data generated by service users in Vietnam” and “data on the relationship of service users in Vietnam” under Decree 53/2022.
Data localization requirements for domestic companies
A domestic company providing services over the telecommunication network, internet and value-added services and conducting the activities of “collecting, analyzing, processing” Localised Data must store the Localised Data in Vietnam.
This is because Decree 53/2022 simply provides that domestic enterprises must store Localised Data in Vietnam without further guidance. Accordingly, the domestic enterprises which are captured by the LCS 2018 must store Localised Data in Vietnam.
The term “domestic enterprises” (doanh nghiệp trong nước) should include all companies incorporated in Vietnam including foreign invested companies. However, it is not clear if representative offices or branches of foreign companies in Vietnam are subject to regulations applicable to domestic enterprises or foreign enterprises.
Decree 53/2022 also fails to clarify whether the data localization requirements apply to an enterprise which conducts all three activities of “collecting, analyzing, processing” Localised Data or to an enterprise which conducts any of these three activities.
Data localization requirements for foreign companies
A foreign enterprise must comply with the Storage Requirement and the Local Presence Requirement if all of the following conditions are satisfied:
· Captured Sectors: The foreign enterprise operates in the following sectors: (i) telecommunication service; (ii) storage and share of data in the cyberspace; (iii) provision of national or international domain names for service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social network and social media; (ix) online electronic games; (x) service of supply, management or operation of other information in the cyberspace under the form of message, voice call, video call, email, online chat; and
· Triggering Conditions: The Minister of Police issues a written decision requiring the foreign enterprise to comply the data localization requirement after (1) the foreign enterprise fails to comply or inadequately comply with a written notification by the Department of Cyber Security and Hi-tech Crime Prevention (A05) that (1.1) the services provided by the foreign enterprise is used for committing violations of laws on cyberspace and (1.2) the foreign enterprise must cooperate with A05 to remedy such violation; or (2) the enterprise has prevented, obstructed or nullify the effect of measures for the protection of cyberspace applied by the authority. It is not clear whether in scenario (2), a notice from A05 is still required. In case of force majeure events preventing the foreign company from complying with A05’s request, the foreign company must notify A05 of the force majeure event and remedy the situation within 30 business days.
A foreign enterprise is allowed to have 12 months from the date of being requested to comply with Storage Requirement and the Local Presence Requirement.