- News & Insights
- Asia & Beyond
On 15 August 2022, the Vietnamese Government adopted Decree No. 53/2022/ND-CP (“Decree 53“) detailing certain articles of Law No. 24/2018/QH14 on Cybersecurity (“Law on Cybersecurity“) after more than three years of drafting and consideration. Decree 53 will become fully effective on 1 October 2022. Decree 53, which contains long-awaited regulations, will allow Vietnamese authorities to enforce, among others, the requirements on data localisation and commercial presence under the current Law on Cybersecurity, that may have a major impact on operations of both onshore and offshore enterprises in the near future.
The retention period is set at a minimum of 24 months from the time an enterprise receives a storage request from the Vietnamese government until such request expires.
Domestic enterprises. It seems that domestic enterprises in various industries may generally be required to store the above data in Vietnam. Domestic enterprises are those established under Vietnamese laws and have head offices in Vietnam (including foreign-invested enterprises).
Offshore enterprises. Such requirement may only be triggered to an offshore enterprise in case:
Moreover, an offshore enterprise may be required to set up and maintain a branch or representative office until it ceases to conduct business in Vietnam or provide the regulated services in Vietnam.
An offshore enterprise would have 12 months from the date the competent authority issues a written requirement to fulfil data storage in Vietnam and establish a branch or representative office in Vietnam. In the event of a force majeure, this term can be extended for an extra 30-working-day period with prior consent from the authority.
Decree 53 provides for various measures that the Vietnamese authorities may implement to deal with illegal activities in cyberspace in Vietnam, such as inspecting and assessing illegal activities, requesting disclosure of data, requesting removal of information, and suspending or terminating information system operations or withdrawing domain names.
In summary, in the internet-focused world today, data is widely considered one of the most valuable resources. In the last decade, it seems that data localisation has become a major policy concern in various nations, including Vietnam. The issuance of this new Decree 53 may help to protect information of citizens and residents in Vietnam and give local governments and regulators the jurisdiction to call for the data when required.
Vi Dang is a Partner at RHTLaw Vietnam. Her areas of expertise include capital market, IPO, corporate and commercial transactions in M&A and corporate compliance/governance in relation to a wide range of industries from manufacturing, commercial services to healthcare and trading.
* Including (i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.