PERSONAL DATA OWNED OR CREATED BY SERVICE USERS IN VIETNAM MUST BE STORED IN VIETNAM

The 2018 Law on Cybersecurity has been promulgated, taking effect from January 1, 2019. However, its enforcement has not satisfied the practice. Therefore, on August 15, 2022, the Government issued Decree No. 53/2022/ND-CP (“Decree 53”) detailing a number of articles of the Law on Cybersecurity. Decree 53 consists of 06 chapters with 30 articles, stipulating mainly on determining the basis for establishment, conditions and coordination mechanism to protect major national security information systems and data localization in Vietnam.

1. Data localization in Vietnam

Data subject to data localization: Data (information in the form of symbols, records, numbers, images, sounds or similar forms), which must be stored in Vietnam (“Data”), includes the following 03 types:

1. Data on personal information of service users in Vietnam;
2. Data created by service users in Vietnam;
3. Data on relationships of service users in Vietnam: friends and groups such users have connected or interacted with.

Businesses subject to data localization:

1. Domestic enterprises: All domestic enterprises, no matter which services they provide, must store regulated data in Vietnam.
2. Foreign enterprises: Foreign enterprises that satisfy the following conditions:

(i) Having business lines in Vietnam in one of the following 10 industries: (1) Telecommunications services; (2) storage and sharing of data in cyberspace; (3) provision of national or international domain names for service users in Vietnam; (4) e-commerce; (5) online payment; (6) payment intermediaries; (7) services of connection and transportation in cyberspace; (8) social media and social communication; (9) online games; and (10) services of provision, management, or operation other information in cyberspace in forms of messages, calls, video calls, emails, online chatting.

(ii) The services provided by such foreign enterprises are used for violations of laws on cybersecurity, notified and requested for cooperation, prevention, investigation, and handling in writing by the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam but they fail to comply or incompletely comply with such documents or prevent, obstruct, disable, or nullify the effect of cybersecurity protection measures performed by cybersecurity protection forces

In some cases, in addition to the data localization obligation, foreign enterprises may have to establish branches or representative offices in Vietnam under the request of the Minister of Public Security.

Data localization form: Decided by the enterprise.

Data localization period: Starting from the time the business receives the storage request to the end of the request. Minimum storage period is 24 months.

2. Take-down of illegal or untrue information in cyberspace

Pursuant to Article 19 of Decree 53, information required to be removed from cyberspace includes:

1. Information identified by competent agencies to have contents that infringe upon national security, disseminate information that sabotages the Socialist Republic of Vietnam, incite riots, and disrupt public security and order according to regulations of the law;
2. Information that is determined by law to have humiliating and slanderous contents; infringes upon the order of the economic management; fabricates and falsifies information, causing confusion among the people and severe damage to socio-economic activities to the extent that such information must be removed;
3. Information that distorts history, denial of revolutionary achievements, undermining national solidarity, blasphemy, discrimination by gender or race;
4. Information on prostitution, vice, human trafficking; posting pornographic or criminal information; damaging Vietnam’s good traditions, social ethics or public health;
5. Information enticing, persuading or tempting others to commits crimes.

Accordingly, on a case-by-case basis, the Director of the Department of Cybersecurity and Hi-tech Crime Prevention of the Ministry of Public Security or the Directors of competent agencies of the Ministry of Information and Communications or the Cybersecurity protection forces of the Ministry of National Defense shall decide and apply measures to request the removal of illegal information.

Decree 53 shall take effect from October 1, 2022.