Long-Awaited Data Localisation Regulations to Enter into Force
From 1 October, new regulations will enter into force on data localisation requirements and obligations for foreign enterprises meeting certain conditions to establish a branch or representative (“rep”) office in Vietnam.
These new regulations are contained in the long-awaited Decree No. 53/2022/ND-CP (“Decree 53”) issued on 15 August. Decree 53 details the conditions of the application of various articles of the Law on Cybersecurity 2018.
The first and most important takeaway from Decree 53 is that all domestic companies established under Vietnamese law, regardless of their business line, will be subject to the data localisation requirements. In particular, Decree 53 requires that the following regulated data be stored in Vietnam, with enterprises choosing the form and the means by which it is stored:
- Data on the personal information of service users in Vietnam: The information used to identify an individual.
- Data generated by service users in Vietnam: Their service account name, usage time, credit card information, email address, IP address, last log-in and log-out address, and registered phone number.
- Data on the relationships of service users in Vietnam: Their friends and groups with whom the user connects or interacts.
Foreign enterprises need to meet all of the following conditions in order to be impacted by the data localisation requirements in Decree 53 and to be obliged to establish a branch or rep office in Vietnam:
- Foreign companies need to be in one of the following specific business lines: telecommunication services; storing and sharing data online; providing national or international domain names to users in Vietnam; e-commerce; online payments; payment intermediary; online transport connection services; social networks and social media; online games; and providing, managing, or operating other information online including messages, calls, emails, and chats.
- The service provided must have been used to violate the Cybersecurity Law.
- The foreign enterprise has been notified of the above violation by the Department of Cybersecurity and the High-Tech Crime Prevention and Control under the Ministry of Public Security (“MPS”).
- The foreign enterprise has not attempted to resolve the issue. Or, if remedial measures have been taken, these have been insufficient to prevent the illegal use of its services. This will have resulted in a failure to comply with a notice of the Public Authorities.
- The MPS has then written to the non-compliant foreign enterprise requesting it to store data within Vietnam and to set up a local branch or rep office. The enterprise will have 12 months to comply with this request. However, this can be extended by 30 days in the event of force majeure. In this case, it will need to be reported at least three days before the 12-month deadline expires. Data must be stored for at least 24 months, or longer if the request requires the enterprise to do so.
Decree 53 also empowers authorities to take a range of new measures:
- It enables different state actors, such as MPS or the Ministry of Defense, to take down illegal content (Article 19).
- It permits electronic data to be collected by state actors as part of an investigation into or a suspension of illegal activities online (Article 20).
- It allows MPS to stop or suspend the operation of information systems where laws on national security or cybersecurity have been violated (Article 21).
For more information about Decree 53, or about doing business in Vietnam in general, just contact our team on: contact@apflpartners.com