Invited by Vietnam Investment Review, our team in Vietnam authored an article on Data Localisation Regulations
The long-awaited issuance of Decree No.53/2022/ND-CP last year guided the implementation of the Law on Cybersecurity Law. Given the decree features implementing rules on the law’s data localisation and local office requirements, businesses with operations involving Vietnam were in a scurry to understand how it would impact them going forward.
Decree 53 provides specific rules that will enable regulators to enforce the aforementioned requirements, which until now had not been applied due to lack of guidance. That said, while Decree 53 took effect in October, there remain points that are unclear and in need of further guidance.
The timing of Decree 53’s issuance was fitting given the government had unveiled the National Cybersecurity and Safety Strategy the same month as a response plan to cyberspace challenges until 2025 with a vision towards 2030. The agenda of this strategy includes tasks, among others, of completing the relevant local legal framework.
Decree 53’s issuance is also correlated to the National Digital Transformation Programme’s goals and relevant efforts currently underway, such as updating laws on e-transaction, IT, and telecommunications, as promoting technologies that facilitate and accelerate digital transformation depends greatly on the security of cyberspace and handling existing, imminent, and potential risks.
The Law on Cybersecurity was passed in mid-2018 with an effective date of January 2019. It garnered international attention not only because it was the first law in Vietnam focusing on the protection of internet-connected systems and data from attacks like cyber crimes and cyber fraud, but also for featuring local data storage and presence requirements.
Given the law’s extraterritorial reach, it was obvious that such data localisation/local office provisions under Article 26 would impact both onshore and offshore entities involved in tech-related activities. This was a point of particular interest because stakeholders – while agreeing on the importance of the integrity of network security – expressed concerns over the burdens of such requirements.
Specifically, questions were raised as to whether such requirements would deliver actual benefits to service providers, the risk they could potentially have on limiting access to new services for Vietnamese users, and the potential barriers to the free flow of data across borders.
That said, Article 26 did not go into specifics on the requirements, only to provide that the government would elaborate on them at a later time. This meant that answers to questions around, among other issues, the exact application scope, triggering conditions/test, and specific compliance requirements had to wait and Article 26 remained unenforced due to such lack of guidance.
Since the fall of 2018, drafts of the decree implementing the Law on Cybersecurity (what is now known as Decree 53) were released one after another and underwent a public commenting period. Naturally, when Decree 53 was released over three years later, the fervour was palpable.
For example, the Vietnam Business Forum’s briefing on Decree 53 was attended by major business chambers in Vietnam, banks, insurance companies, and various tech companies. More recently, the dissemination conference guiding the implementation of the decree, organised by the Department of Cybersecurity and High-tech Crimes Prevention under the Ministry of Public Security (MPS) in December 2022, was attended by hundreds of representatives of organisations from both the public and private sectors.
With respect to the application scope, the data localisation requirement applies to domestic entities. The dissemination conference touched on this issue to say that the definition of domestic enterprises includes enterprises as defined in the Law on Enterprises, but excludes branches/representative offices established in Vietnam by Vietnamese/foreign companies and banks.
That said, it remains unclear as to whether foreign invested entities fall within the definition of domestic enterprises in the context of Decree 53.
As for foreign enterprises, data localisation/local office requirements would only potentially apply if they provided a service listed in Decree 53 (telecommunications services, data storage/sharing services, e-commerce, payment intermediaries, among others) and fulfilled other conditions. Overall, further written guidance appears to be needed and would be helpful to comply with its provisions.
Decree 53 also provides rules on, among others, the types of data subject to local storage (personal data of service users in Vietnam, user-generated data in Vietnam, and data on the relationship of service users in Vietnam with onshore and offshore entities doing business in Vietnam) and storage duration (minimum of 24 months). As for the form of the data to be stored in Vietnam, Decree 53 states that it is to be decided by the relevant enterprise, with the MPS confirming at the recent dissemination conference that data can be stored on servers that allow direct access to the data, or in external data storage devices to which businesses extract and store there and make periodic updates at least every seven days.
To date, details and guidance on the availability of an appeal procedure have not been provided yet.
Inviting and engaging in dialogue with stakeholders through different channels including public consultation procedures and conferences such as the Cybersecurity Administrative Sanctions Workshop and the aforementioned dissemination conference reflect the government’s ongoing efforts and pragmatic approach to developing the legal framework. That said, there remain issues over some clarifications, and further written guidance is needed for enforcement.
It should be noted that a report released in December by the IT and Innovation Foundation, a US-based think tank, suggested that cross-border data transfer restrictions can set back a country in the global digital economy. Given Vietnam’s potential to become a regional digital powerhouse, it may be worth taking a moment to weigh sought-for privacy/security goals against the potential impact on trade and the overall local investment landscape.
For further information, please contact:
Eunjung Han, Rouse