Discussions on data localisation in Vietnam have been in vogue since the issuance of Law No. 24/2018/QH14 on cybersecurity (the ‘Cybersecurity Law’) in 2018. After much anticipation, Decree 53/2022/ND-CP ('Decree 53') and Decree 13/2023/ND-CP on personal data protection ('Decree 13') now provide further guidance with regard to this issue.
Under Decree 53
Foreign enterprises
Under Decree 53, a foreign enterprise may be requested by the Department of Cyber Security and Hi-Tech Crime Prevention (the ‘A05’) under the Ministry of Public Security of Vietnam to (i) store data in Vietnam (the ‘Storage Requirement’) and (ii) establish a local presence (branch or representative office) in Vietnam (the ‘Local Presence Requirement’) (together the ‘Requirements’) only if all of the following tests are met:
- the foreign enterprise, though not operating physically in Vietnam, provides services in Vietnam that fall within one of the ten fields enumerated under Decree 53;
- the services provided by the foreign enterprise have been used to violate applicable cybersecurity-related laws; and
- the A05 has sent the foreign enterprise a written request for coordination in preventing, investigating and handling such violations, but the foreign enterprise has not complied with, or has otherwise impeded, the efforts of the A05.
If a foreign enterprise meets all three above tests, the Minister of Public Security may require the foreign enterprise to perform either or both of the Requirements, following which the foreign enterprise will have 12 months to do so.
For the Storage Requirement, an enterprise is allowed to determine the form of data storage itself. It appears that the legislative intent is to ensure easy enforcement over data server owners/administrators by the Vietnamese cybersecurity investigation authorities. So, the enterprise may consider, among others, establishing a server in Vietnam or housing the same data in physical data centres in Vietnam.
Types of personal data to be stored in Vietnam for the Storage Requirement comprise:
- data on personal information of service users in Vietnam, which is defined to mean information in the form of signs, characters, numbers, pictures, voice or similar information used to identify an individual;
- data created by service users in Vietnam: account names, service use time, credit card information, email addresses, the most recent Internet Protocol (IP) addresses used for log-ins and log-outs, and registered telephone numbers pertaining to the relevant accounts or data;
- data on relationships of service users in Vietnam: linked or interactive friends and groups.
Domestic enterprises (including foreign-invested enterprises)
Under Decree 53, the Storage Requirement applies to domestic enterprises without any triggering conditions (the Local Presence Requirement is not relevant). Though the language in Decree 53 is not crystal clear, arguably only certain domestic enterprises are covered. Article 26 of the Cybersecurity Law (which Decree 53 guides) stipulates that domestic enterprises which provide telecommunication services, Internet services and value-added services in cyberspace shall store data for a period of time. Accordingly, Decree 53 could reasonably be interpreted as merely clarifying this Article 26, which is limited to a subset of domestic enterprises, rather than imposing a new requirement on all domestic enterprises. For instance, manufacturing businesses which operate e-commerce sales websites, where the website is a means for the manufacturer to promote its sales of goods or services rather than a new service in itself to be used by website users, should not be considered as providing value-added services in cyberspace.
Under Decree 13
Decree 13 is the overarching legal instrument on personal data protection in Vietnam, though various aspects remain unclear or difficult to implement. Under Decree 13, parties conducting acts of processing personal data are classified as follows:
- (a) data controller: the organization/individual which determines the purpose and the means of personal data processing;
- (b) data processor: the organization/individual which processes the personal data on behalf of the data controller through a contract or agreement with the data controller;
- (c) data controller and processor: the organization/individual which determines the purpose and the means of data processing and also directly processes the personal data;
- (d) third party: the organization/individual which, other than the data subject and the parties listed in (a) to (c), is allowed to process the personal data.
Under Decree 13, each of the above listed parties must comply with the following requirements with regard to the overseas transfer of personal data:
- to conduct an impact assessment for cross-border data transfer (‘CBDT’) and keep it in a dossier in the prescribed form. The CBDT dossier must be delivered to the A05 within 2 months from 1 July 2023;
- to keep the CBDT dossier available at the premises of the applicable enterprise for examination by the A05, and to prepare and send it to the A05 within 60 days from 1 July;
- after any CBDT event, to inform the A05 in writing of (i) details of the CBDT, and (ii) contact details of the department / personnel in charge. There is not yet any guidance on how to implement this requirement.
No applicable administrative sanctions exist to date and the level of enforcement of the above requirements remains uncertain.