Further to the initial Draft Decree detailing certain articles of the Law on Cybersecurity, the Ministry of Public Security (MPS) released the revised draft decree (Draft Decree) in August, guiding the implementation of the Law on Cybersecurity (LOCS) which, among other things, adds a new definition of service users in Vietnam and reduces the triggers for data localization and local office requirements.
I. Data localization and local office requirements are further elaborated
1. Enterprises subject to the data localization and local office requirements
Enterprises providing services on telecommunication networks, the Internet, value-added services on cyberspace in Vietnam (Cyberspace Service Providers or CSPs) are specified as enterprises providing one of the following services:
- Telecommunication services;
- Data storage and sharing on cyberspace;
- Services providing national or international domain names to service users in Vietnam;
- Online payment;
- Payment intermediary;
- Connecting transportation on cyberspace;
- Social networks and social media;
- Online games; and
- Other services that provide, manage and operate information on cyberspace in the form of messages, voice calls, video calls, email, online chatting.
2. Requirements of data localization and locating branches or representative offices in Vietnam
In Article 26.1 of the Draft Decree, the former four triggers which subject governed entities to data localization and local office requirements are now reduced to three as below:
- Being a CSP;
- Conducting such activities as collecting, exploiting, analyzing, processing the types of data required to be stored in Vietnam;
- Having been alerted to the fact that the service, for which the business in question provides, is being used to commit acts in violation of Vietnamese laws but does not undertake to stop and apprehend those acts; or resist, obstruct and ignore requests by the Cybersecurity and Anti-High Tech Crime Agency of the MPS for cooperation in investigating and apprehending violations of the laws; or conduct activities to neutralize and disable the effects of the cybersecurity protection measures taken by a competent cybersecurity protection authority.
The types of data to be stored in Vietnam when so requested are detailed in Article 26.2 to include the following:
- Data regarding personal information of service users in Vietnam;
- Data generated by service users in Vietnam, including: service account name, time of using service, credit card information, email address, Internet Protocol (IP) addresses to which the most recent login [and/or] logout was made, registered telephone number associated with the account or data with regard to data specified in point a) of this article;
- Data regarding relationships of service users in Vietnam, including: friends, and groups with whom users connect or interact.
3. Grace period for data localization and local office requirements
The requested CSPs must complete the data storage and establishment of branches or representative offices in Vietnam within 06 months from the issuance of the decision by the Minister of Public Security. This timeline has been significantly shortened as compared to the proposed grace period of 12 months in the previous version of the Draft Decree.
II. Director General of the Department of Cybersecurity and High-Tech Crime Prevention and Control under the MPS to request deletion of illegal or untrue information
Under Article 19.2 of the Draft Decree, in case of illegal or untrue information in cyberspace that is prejudicial to national security, social order and safety, legitimate rights and interests of agencies, organizations and/or individuals, Director General of the Department of Cybersecurity and High-Tech Crime Prevention and Control under the MPS shall be responsible for deciding on the required deletion, sending written requests for deletion to the relevant entities and auditing such entities’ compliance.
III. Vietnamese organizations and enterprises to coordinate with authorities to deter, prevent and handle violations of cross-border service providers
In addition to its current provisions, Article 22.3 now provides that Vietnamese organizations and enterprises shall be responsible for coordinating with competent functional agencies to deter, prevent and handle violations of the law committed by cross-border service providers.