Vietnam has introduced regulations for Data localization in an effort to increase data security within the country. All foreign investors operating in Vietnam must prepare for the implementation of this regulation, which will impact their business operations.
What’s in the Data localization Regulation?
Vietnam’s Cybersecurity Law was enacted on June 12, 2018 and came into effect from January 1, 2019, with most provisions taking effect from the effective date. However, a number of legal provisions, including the very worrisome requirements for data localization, are still awaiting further guidance from the enforcement regulations.
After considering and approving the draft for more than three years, the Government finally issued Decree No. 53/2022/ND-CP on August 15th 2022, effective October 1, 2022, which provides guidance for implementing several articles of the Law on Cybersecurity.
The National Digital Transformation Programme’s goals and ongoing efforts to update laws related to e-transactions, IT, and telecommunications have a connection with the issuance of Decree 53. The security of cyberspace and managing present, near, and future risks significantly affects enhancing technologies to enable and accelerate digital transformation.
Data localization requirements
According to the LCS 2018 and Decree 53/2022, there are two crucial measures under the data localization requirements:
– The Storage Requirement: This requirement mandates that companies, both domestic and foreign ones, must store Localised Data in Vietnam.
– Local Presence Requirement: This requirement applies only to foreign enterprises and necessitates that they establish a representative office or a branch in Vietnam.
There are a few issues to consider when it comes to the Local Presence Requirement, including:
– Per Vietnamese law, a foreign enterprise can only establish a branch if Vietnam agrees to allow it in relevant treaties such as WTO commitments or CPTPP. As a result, setting up a representative office is the more probable option.
– It remains unclear whether the local branch or representative office of the foreign enterprise will be accountable for ensuring that the foreign enterprise complies with the LCS 2018 and Decree 53/2022.
– With regards to the Storage Requirement, Decree 53/2022 allows enterprises to determine the form of storage, giving them flexibility in deciding how to store Localised Data in Vietnam.
However, it is unclear whether companies must store Localised Data in an easily readable format by the authorities or whether encryption or non-electronic storage is acceptable. Also, Decree 53/2022 stipulates that the data storage period should be at least 24 months from the date on which the enterprise receives the request for storage. It is unclear whether this provision applies to both domestic and foreign enterprises or only foreign ones. In situations where foreign enterprises receive requests for data storage from the competent authority, it is unclear how long domestic enterprises must store data if the storage period does not apply to them.
Data localizations requirements for foreign companies
Foreign enterprises that provide certain businesses or services, known as “regulated services,” must comply with the data storage and branch/representative office establishment requirements in Vietnam. The ten types of regulated services are: Telecom services; Data storage and sharing services in cyberspace (cloud storage); National or international domain name supplies for service users in Vietnam; E-commerce services; Online payment services; Intermediary payment services; Transport connection services via cyberspace; Social networking and social media services; Online electronic games services; Providing, managing, or operating other forms of information in cyberspace through messages, phone calls, video calls, emails, or online chats.
Foreign enterprises need to follow the data localization requirements only if they met specific conditions. Domestic enterprises are obliged to store regulated data in Vietnam, whereas foreign enterprises are not required to store regulated data unless:
– They operate in one of the ten regulated businesses/services as mentioned above.
– The Department for Cybersecurity and Prevention of High-Tech Crime (A05) under the Ministry of Public Security (MPS) has alerted them that their services have been used to commit a cybersecurity breach, and they have taken no action to prevent, handle, combat, or avoid such a breach. Alternatively, if they have refused, hindered, or ignored requests from relevant authorities.
What should foreign businesses pay attention to?
First and foremost, foreign investors should ensure that they understand the regulation and whether it applies to their business operations. The regulation only applies to foreign enterprises that operate in one of the ten regulated businesses/services, which include telecom services, e-commerce, and online payment services, among others. If an enterprise operates in one of these business areas, they must ensure that they have taken all necessary steps to comply with the regulation.
One of the most important steps that foreign investors can take is to establish a branch or representative office in Vietnam. This will ensure that they have a local presence in the country, which is a requirement under the regulation. Establishing a branch or representative office will also make it easier for foreign enterprises to comply with other aspects of the regulation, such as ensuring that the country stored their data securely.
Foreign investors should also keep in mind the potential costs of complying with the new regulation. These costs may include the cost of establishing a branch or representative office in Vietnam, as well as the cost of hiring local staff to manage the enterprise’s operations in the country. Foreign investors should ensure that they have a comprehensive understanding of these costs and budget accordingly.
Another important step that foreign investors can take is to work with local experts and advisors who can help them navigate the new regulatory landscape. This may include legal experts who can advise on compliance requirements and other aspects of the regulation, as well as local professionals who can help with the establishment of a local branch or representative office.
Conclusion
In summary, foreign investors need to take several steps to prepare for Vietnam’s new data localization regulation. This includes understanding the regulation and whether it applies to their enterprise, establishing a local branch or representative office in Vietnam, and budgeting for the potential costs associated with compliance. Foreign investors can rely on the assistance of local experts and advisors to ensure that foreign investor well-prepared for the new regulatory landscape in Vietnam, allowing them to continue to operate successfully.
HMLF is always available to offer assistance in understanding the procedures with authorities.
Harley Miller Law Firm “HMLF”
Head office: 14th floor, HM Town building, 412 Nguyen Thi Minh Khai, Ward 05, District 3, Ho Chi Minh City.
Phone number: +84 937215585
Website: hmlf.vn Email: miller@hmlf.vn