With the rapid growth of the digital landscape, the utilization and implementation of cloud computing solutions have become a crucial aspect of business strategies for many enterprises in Vietnam. However, this trend also comes with a heightened emphasis on adhering to legal regulations in data security and cloud infrastructure deployment.
In Vietnam, several important regulations have been published in legal documents, including the 2013 Constitution and laws pertaining to Cybersecurity, Network Security, Civil Law, and Telecommunications. These regulations focus on safeguarding personal information and ensuring cybersecurity across digital networks.
Compliance with the legal provisions and laws regarding cloud computing in Vietnam is not only a fundamental requirement to protect personal information and sensitive data of businesses but also a pivotal factor determining trust for customers and partners when selecting cloud service providers. Organizations and individuals must have a thorough understanding of the legal framework and apply it appropriately to ensure responsible and compliant cloud computing adoption in accordance with local laws.
Regulations on Personal Data Protection
In the context where all personal data is stored and shared in digital environments, ensuring information security for users has become a pressing issue. Accordingly, 2013 Constitution established provisions regarding the protection of personal information and secrecy. Subsequently, the Civil Code 2015 and Law on Cyberinformation Security 2015 introduced fundamental principles for safeguarding the privacy of data, regulating the collection, use, modification, and deletion of personal information. These laws also placed the responsibility of safeguarding citizens' private data on the Government.
The 2015 law stipulates the obligations of organizations and individuals in handling information, requiring them to ensure data security and disclose policies regarding the use of such data. After that, the Cybersecurity Law 2018 added the requirement that businesses providing services on the online space in Vietnam must directly notify users in case their data is violated, compromised, or lost. Additionally, Vietnamese laws have established specific measures to address actions that infringe upon personal data. For instance, the "Illegal provision or use of information on computer networks or telecommunications networks" as outlined in the Criminal Code of Vietnam 2015.
In 2022, the Government of Vietnam issued Decree No. 53/2022/ND-CP providing detailed guidance on some provisions of the Cybersecurity Law 2018. This decree is regarded as a significant step in enhancing cybersecurity and managing online activities in Vietnam. Specific instructions regarding the Cybersecurity Law were outlined, including the delineation of rights and obligations of organizations, individuals, and entities involved in cybersecurity activities. Furthermore, the decree introduced concrete measures to ensure cybersecurity across various domains such as network infrastructure management, protection of sensitive information, cyberattack prevention, and addressing cybersecurity violations.
More recently, Decree No. 13/2023/ND-CP concerning the protection of personal data has been enacted to promote the enforcement of relevant rights and obligations. This decree provides clear and specific guidelines for organizations and individuals engaged in the collection, processing, storage, and management of personal data. Notably, it mandates transparent demonstration of the purpose of data processing, sets limitations on data retention periods, and stipulates reporting obligations to competent authorities. Decree No. 13 also emphasizes the necessity for organizations to implement appropriate security measures to ensure the safety of personal information.
Regulations on Intellectual Property Rights
Vietnam has undertaken significant legislative efforts to enact various legal documents such as laws, decrees, and circulars to comprehensively regulate and safeguard intellectual property rights. Key legal documents include the Intellectual Property Law of 2009 (amended in 2019), Decree No. 99/2013/ND-CP on Sanctioning of Administrative Violations in Industrial Property, and Decree No. 28/2017/ND-CP amending and supplementing Decree No. 131/2013/ND-CP on Sanctioning Administrative Violations of Copyright and Related Rights.
In addition to domestic legal provisions, Vietnam also adheres to international commitments in the realm of intellectual property protection. Multilateral and bilateral international agreements of which Vietnam is a member play a crucial role in promoting effective copyright protection. Agreements such as the Trade-Related Aspects of Intellectual Property Rights (TRIPS) and those with international partners like the United States and Switzerland concerning intellectual property protection contribute significantly to ensuring efficient copyright protection.
Legal Framework for Cloud Computing
On April 3, 2020, the Ministry of Information and Communications of Vietnam issued Official Letter No. 1145/BTTTT-CATTT to provide guidance on a set of technical standards and specifications (referred to as "Guidelines") for cloud computing solutions in the implementation of e-government.
Government agencies and state organizations will rely on these Guidelines to evaluate and select cloud computing solutions or services for the development of e-government. Private enterprises are also encouraged to refer to these Guidelines when establishing and deploying their own cloud computing platform solutions.
This marks the first time Vietnam has introduced a dedicated set of criteria and technical standards for cloud computing platforms. The objective is to promote domestic IT enterprises' ability to independently develop essential core technologies, reducing dependence on foreign technology. Additionally, this initiative aims to build cloud computing infrastructure for e-government, local authorities, and further advance the digital government, digital economy, and digital society goals.
Technical Standards and Specifications include two groups of standards. Group 1 includes standards, technical specifications, and features related to: (1) Virtual machines, (2) Storage devices, (3) Software-defined networking, (4) Physical servers, (5) Administration and Operational processes, and (6) Integration and other related requirements. Group 2 covers requirements related to: (1) Fundamental information security features, and (2) Security configuration requirements for cloud computing infrastructure.
According to the Guidelines, they provide concepts about cloud computing (definitions and fundamental characteristics of cloud computing), categorize cloud computing deployment methods (public cloud, private cloud, hybrid cloud, and multi-cloud), and classify cloud computing service delivery models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service). The Guidelines offer two options for deploying cloud computing platforms: self-deployment, management, and operation; or professional cloud computing service from cloud providers.
For the option of self-deployment, management, and operation, government agencies and businesses need to have an experienced team capable of building, managing, maintaining, and ensuring the security of the infrastructure. Therefore, they are recommended to consider option 2, which is using cloud computing services from professional providers. With the option of using professional cloud computing services, the Ministry of Information and Communications recommends that government agencies and businesses prioritize selecting cloud providers that meet technical standards and specifications listed in the published list by the Ministry. Chosen cloud providers must comply with laws related to network security, adhere to prescribed technical standards, and meet the technical standards and specifications outlined in the Guidelines.
In recent discussions related to the Draft Telecoms Law (amended), there have been suggestions for clearer and more flexible legal frameworks to manage and control cloud computing and data center activities. This is also aimed at promoting the development and application of this technology to enhance the efficiency of businesses while protecting the information security and privacy rights of users.
As a result, specific provisions and regulations within the Telecoms Law will be adjusted to align with the requirements for information security, data management, and privacy in the cloud computing and data center environment. Additionally, businesses also propose simplifying registration procedures and business conditions in the telecommunications, data center, and cloud computing sectors to create favorable conditions for business activities. This demonstrates the government's interest and readiness to create opportunities for fostering innovation and development in the IT sector in Vietnam.
VNG Cloud solutions ensure Vietnamese legal compliance
For businesses, selecting a cloud provider that is suitable and ensures full compliance with Vietnamese legal regulations is the optimal solution for the digital transformation process. With two data centers located in Vietnam, VNG Cloud commits to strict adherence to safety and security regulations, certified by international standards such as ISO 27001, ISO 27017, ISO 27019, PCI DSS. Furthermore, it fully complies with the requirements of Vietnamese laws pertaining to cybersecurity and the cloud computing sector.
Not only that, VNG Cloud has successfully met all the criteria set forth by the Ministry of Information and Communications in 2020, consisting of 153 criteria for evaluating "Make in Vietnam" cloud computing platforms. This includes 84 technical criteria and 69 criteria related to information security. This underscores our strong commitment to safeguarding intellectual property rights and personal data security in the cloud computing domain.