The Ministry of Public Security (‘MPS’) issued, on 2 November 2018, a draft decree on the implementation of the Law on Cybersecurity No. 24/2018/QH14 (‘the Cybersecurity Law’), approved on 12 June 2018, and later adopted by the National Assembly (‘the Draft Decree’). In particular, the Draft Decree provides guidance and clarification on data localisation requirements under the Cybersecurity Law.
Mai Thi Minh Hang and Chu Bao Khanh, Partner and Associate respectively at Russin & Vecchi LLC, told DataGuidance, “The Draft Decree considerably reduces the burden on companies providing online services, [originally] imposed by the Cybersecurity Law. The most notable relief, according to Article 25 of the Draft Decree, is that a company is only subject to the localisation requirements if it fails to comply with the Cybersecurity Law. [Therefore,] the localisation requirements under the Cybersecurity Law will not affect a private company, either foreign or domestic, unless it receives an official request from the MPS.”
The Draft Decree specifies that companies, including internet and telecommunications providers, are subject to data localisation requirements and must archive the data they process within Vietnam, and establish representative offices in the country. Furthermore, the Draft Decree clarifies the conditions under which data localisation must take place and imposes additional conditions that companies must abide by.
Hang and Khanh added, “The Draft Decree narrows down the scope of application of the requirements on data localisation and […] adds two more conditions for a company to be subject to the localisation requirements. These conditions include non-compliance with the requirements of the Cybersecurity Law, and the obligation to cooperate with the authorities to prevent and delete ‘anti-Government,’ ‘offensive’ or ‘inciting’ content from its platform [as well as allowing] service users [to carry out] prohibited acts using cyberspace to organise activities against the state on its platform.”
Moreover, the Draft Decree outlines the requirements for the protection of national security information systems and specifies that managers of such systems should aim to develop regulations, procedures and plans for network security. In addition, Article 24 of the Draft Decree provides further clarity on types of personal data required to be stored in Vietnam such as identification numbers, health status, biometric data, nationality, email addresses and place of residence.
Yee Chung Seck, Partner at Baker & McKenzie Vietnam Ltd., concluded, “The Cybersecurity Law provides key provisions, however, it is still necessary to have implementing regulations [as proposed by the Draft Decree,] to provide further details as to how certain provisions should be interpreted and applied.”
CLAUDIA STRUGNELL Privacy Analyst