Effective from October 1, Decree No.53/2022/ND-CP is expected to help tighten cybersecurity for cross-border online services, where violations have been frequent.
Domestic enterprises operating in telecommunication and internet services are also subject to the new regulation, including those in telecommunications services, telecoms-based application services, internet services, online content services, and value-added telecoms services.
Offshore enterprises must process regulated data, including in telecommunications, cloud storage, online payments, social networks, and e-commerce. A number of large international tech companies fall into this category, such as Google, Facebook, YouTube, TikTok, Shopee, and Lazada.
The list of data that must be stored in Vietnam can be divided into three main groups. The first is data on the personal information of service users in Vietnam.
The second includes data generated by service users in Vietnam, such as account name for use of services, duration of use, credit card information, email address, phone numbers, and IP address.
The third is data on the relationships of service users in Vietnam, including friends or groups with whom the users connect and interact.
In terms of timeline, offshore enterprises need to begin the data storing process upon receiving a written decision from the Minister of Public Security. Enterprises then have 12 months as of the decision’s issuance date to complete the storage of data, with a minimum storage time of 24 months.
According to Tin Nguyen, founder and CEO of Polaris Infosec, the decree means the government is taking the position they deem best to protect the community and data of Vietnamese nationals.
“While this may be difficult for international companies because of concerns of data oversight, these requirements are not much different than those that exist in other parts of the world,” Nguyen said.
“Members of the European Union, for example, have the General Data Protection Regulations that they must abide by, and anyone that does business with the EU is also subject to them.”
Manh Hung Tran, head of IPTech Practice at Baker McKenzie Vietnam, noted that Decree 53 also sets out numerous legal bases for local authorities to take action on illegal activities in cyberspace, such as issuing takedown requests, requesting data disclosure, or terminating operations of information systems.
“Therefore, it would be reasonable to expect that Vietnamese authorities are more active in their cybersecurity enforcement efforts once Decree 53 takes effect,” Tran said.
The government received feedback from businesses when drafting the decree, and will continue to do so to refine it, according to one governmental source.
A number of businesses and associations in the process have submitted their input, including the American Chamber of Commerce in Vietnam and the Asia Internet Coalition.
According to Bruno Sivanandan, co-chair of the European Chamber of Commerce’s Digital Sector Committee, parts of the decree are not sufficiently clear for companies to adapt their compliance programmes and factor compliance requirements into their business strategies.
“For foreign companies, there is a list of specific services that have to store a list of specific data locally. But there are cases where it’s hard to tell if a company falls into these categories,” Sivanandan said.
“Especially for new-concept companies, like embedded finance, it’s hard for businesses to assess themselves. Going forward, this is what needs to be clarified in the text,” he added.
Nguyen of Polaris Infosec stressed that the focus now for businesses, both domestic and foreign, should be on compliance, adding that companies that maintain data of Vietnamese partners and customers overseas only need to create a backup of said data here in Vietnam.
“This actually serves as an added benefit of having backup and recovery capabilities, which assist in mitigating other cyber risks as long as they protect those backups,” Nguyen said.
The Minister of Information and Communications last month issued Decision No.1762/QD-BTTTT, promulgating the Action Plan to implement the National Cybersecurity and Safety, with vision to 2030.
The decision aims to organise the effective implementation of the tasks assigned in Decision No.964/QD-TTg dated August 2022 approving the National Cybersecurity and Safety plan.
Under the strategy, until 2025, the government will maintain Vietnam’s ranking of between 25th and 30th in the Global Cybersecurity Index, assessed by the International Telecommunications Union.
Meanwhile, the country is expected to lay a foundation for a cybersecurity and cyber information safety industry and formulate an appropriate policy platform for startups in these fields. The goal is to have 3-5 key products and services related to information safety that will dominate the domestic market and be able to compete globally.
In a larger context, Vietnam’s Law on Cybersecurity has been around for three years. Taking effect in January 2019, the Law on Cybersecurity, with seven chapters and 43 articles, was a collaborative effort with the participation and comments from functional ministries and organisations, large domestic telecommunications and IT enterprises in Vietnam including VNPT, FPT, and BKAV; a number of domestic and foreign experts; economic and telecommunications groups including Facebook, Google, Apple, and Amazon; and the US-ASEAN Business Council and the Asia Cloud Computing Association, amongst others.
The law since 2019 has stipulated that domestic and foreign enterprises providing services on telecommunications networks, the internet, and value-added services in cyberspace in Vietnam – and carrying out the activities of collecting, exploiting, analysing, and processing data about personal information, data on the relationship of service users, and data created by service users in Vietnam – must be stored in Vietnam for the period prescribed by the government.
Source: VIR