The Vietnamese Government has just issued Decree No. 53/2022/ND-CP dated 15 August 2022 detailing a number of articles of the Cybersecurity Law (“Decree 53“).
By way of background, Decree 53 had been drafted, revised, and stayed pending for issuance for years. Without this decree, local regulators had not been able to fully enforce Vietnam Cybersecurity Law, notably its requirements under Article 26 of the law concerning (i) data localization (storing certain types of data, such as user data or personal data in Vietnam) and (ii) local office establishment (setting up a branch or a representative office in Vietnam).
This decree will become fully effective on 1 October 2022 without any grace period.
Key Issues under Decree 53
Decree 53, consisting of 30 articles and 6 chapters, provides detailed regulations on a number of articles of the Cybersecurity Law. Similar to this law, Decree 53 has an extra-territorial scope of application – foreign entities that are established or registered per foreign laws will be subject to this decree.
Notable issues under Decree 53 include:
- Data localization and local office requirements under Article 26 of Cybersecurity Law: Decree 53 provides for what type of data will be localized, what types of companies must comply, what the triggering condition is, how long the data must be stored, how long the office must stay operational, timeline and procedure for compliance, etc.
- Local authorities’ takedown measures concerning illegal information and fake news in cyberspace: Decree 53 provides for a detailed legal basis for local competent authorities to issue takedown requests against service providers.
- Local authorities’ data collection measures concerning illegal activities: Local authorities will have the authority to apply data collection measures to collect data for purposes of investigation and handling of illegal activities in cyberspace. Decree 53 provides detailed requirements concerning such data collection measures.
- Local authorities’ measures of suspending or terminating the operations of information systems: Information systems – a broad concept that can cover all different sorts of apps, websites, and devices – that are used for illegal purposes could be suspended or terminated at the order of the Ministry of Public Security.
What to expect
- Under Decree 53, broadly speaking, the data localization and local office requirements will not be immediately applicable to foreign service providers once the decree becomes effective. However, Decree 53 requires local companies to store certain users’ data in Vietnam.
- Decree 53 also sets out numerous legal bases for local authorities to take action against illegal activities in cyberspace, such as issuing takedown requests, requesting data disclosure or terminating operations of information systems. Therefore, it is expected that Vietnamese authorities will be more active in their cybersecurity enforcement efforts once Decree 53 takes effect.
As the effective date is fast approaching, it is advisable for stakeholders to review this decree closely and be prepared to tackle its implications.