Decree 53: Explanatory on Data Localization in Vietnam

2023/04/02 02:07

On December 22, 2022, The Ministry of Public Security of Vietnam (MPS) organized a Dissemination Conference to discuss the implementation of Decree No. 53/2022/ND-CP (Decree 53), which provides guidance on certain articles of the Law on Cybersecurity. The Department of Cybersecurity and Hi-tech Crimes Prevention (A05), a specialized cybersecurity force under the MPS, moderated the conference. A05 discussed the contents of specific articles of Decree 53 that are crucial for both domestic and foreign companies to comply with the new data localization regulations. Here are some important takeaways that enterprises need to know.

Decree No. 53/2022/ND-CP on Cybersecurity Law came into force on October 1, 2022

1. Explanation of applicable services

A05 directed the audience to refer to the laws and regulations on Telecommunications and Internet management and usage for guidance on the general definitions of the “captured services” applicable to businesses operating in Vietnam. For example:

  • To identify telecommunications-based services and value-added services in cyberspace under Decree 53, reference should be made to the definitions of "telecommunications services" and "telecommunications applied services" under the Telecommunications Law No. 41/2009/QH12 and the classification of telecommunication services under Decree No. 25/2011/ND-CP.
  • To identify Internet-based services, the definition of "internet services" under Decree No. 72/2013/ND-CP and "cellular network content provision services" under Circular No. 17/2016/TT-BTTTT, as amended by Circular No. 08/2017/TT-BTTTT, should be used.

2. Applicable data

On April 17, 2023, the Government issued Decree 13/2023/ND-CP on Personal Data Protection. This is the first legal document in Vietnam that regulates the protection of personal data. The PDPD will come into effect on July 1, 2023.

According to Decree 13, personal data refers to information in the form of signs, characters, numbers, images, sounds, or similar forms in the electronic environment that is associated with or helps identify a specific individual. Personal data includes both basic and sensitive personal data.

Read more about the classification of "personal data" in Decree 13 here.

Vietnam has issued Decree 13/2023/ND-CP on Personal Data Protection, which will be effective from July 1, 2023

3. Applicable domestic enterprises

A05 verified that domestic enterprises subject to the data localization requirements include those established in accordance with Vietnamese law and based in Vietnam, regardless of foreign ownership. Additionally, A05 clarified that branches or representative offices of foreign enterprises in Vietnam are not classified as domestic enterprises subject to the data localization requirements. Therefore, foreign enterprises conducting business in Vietnam through branches or representative offices are exempt from complying with the data localization requirements until an official request from the MPS obligates them to do so.

4. Data storage method

A05 provided recommendations for two data storage methods, although the subject enterprises have the discretion to choose their preferred method:

  • Real-time synchronization method: Enterprises can create a separate storage system to support their operations in Vietnam.
  • Periodical back-up method: Enterprises can regularly back up their data and store it in suitable media in Vietnam (such as local servers, hard drives, flash drives, and CDs) at least once every 7 days.

5. Data retention period

A05 provided clarification on the data retention period, stating that the domestic enterprises subject to data localization requirements must store the target data from the effective date of the regulations until the end of their operations. However, if requested by the enterprises, the MPS may consider setting a specific data retention period of no less than 24 months.

Businesses should notice the requirements of data localization in Vietnam

6. Possible transition period granted to domestic enterprises

According to the conference presentation material, A05 mentioned the possibility of a 12-month transition period for domestic enterprises to comply with the data localization requirements starting from the effective date of Decree 53 (October 1, 2022). However, there is no official text indicating this transition period in Decree 53. It appears that the MPS may provide some leniency in practice to help domestic enterprises prepare for compliance with the new requirements.

During the conference's closing remarks, the Director of A05 acknowledged that the current regulations may not be suitable for all businesses. As a result, entities subject to the regulations can reach out to A05 for further guidance on navigating any practical difficulties they may encounter. If there are significant obstacles, the MPS may recommend changes to the current regulations to the Government of Vietnam to ensure a fair regulatory environment that balances economic development and national security.