ON 1 January 2019, when Vietnam’s Law on Cybersecurity came into effect, there were concerns among foreign and Vietnamese enterprises with a business interest in Vietnam that they would be caught under the law’s data localisation requirements despite not having a physical presence in Vietnam.
The relevant provision would require “domestic and overseas providers of telecommunications services, internet services and value-added services in Vietnam’s cyberspace that collect, analyse or process private information or data about relationships of their service users or data created by their service users in Vietnam” to retain such data for a period of time specified by the Vietnamese government. Such providers would need to establish a branch or a representative office in Vietnam.
As the provision was subject to legal guidance (by a government decree which, until now, has not been enacted), there was uncertainty as to how wide the state had intended the provision to apply. Would it apply to all companies (including foreign ones) that merely had an internet-based business with users in Vietnam? The unease was further exacerbated by the fact that a draft guiding decree issued earlier by the government broadly identified services in “cyberspace” as including services in telecommunications, data storage and sharing, domain name, e-commerce, online payment, payment intermediation, transportation networking, social network and social media, online gaming and other services for providing, managing and operating information on cyberspace in the form of messages, voice calls, video calls, email and online games.
It was not until recently that the Ministry of Public Security (MPS) had stated that the localisation requirement would be narrowed. Accordingly, based on recent dialogue with the MPS, the legislative intent is that in order for a company to be subject to the requirement, all of the following conditions would need to be met:
(a) The company provides services on telecommunications networks, the Internet or otherwise on cyberspace;
(b) The company collects, exploits, analyses or processes data on personal information, data generated by service users in Vietnam or data on relationships of service users in Vietnam; and
(c) The company has been notified that its provided services have been used to commit violations of Vietnamese law but the company (i) has not taken measures to stop or handle the violations, (ii) resists, obstructs or fails to comply with requests of the relevant authorities in cooperating to investigate and handle such violations or (iii) neutralises and disables the effect of cybersecurity protection measures taken by the authorities.
Therefore, while the scope of the conditions in (a) and (b) is broad, the intent is that unless the condition in (c) applies, the data localisation requirements would not be triggered. This has effectively narrowed the scope of localisation subjects as earlier envisaged when the law was enacted.
In any case, the above position remains subject to enactment by the government of an official guiding decree to the Law on Cybersecurity.
Commentary from Rajah & Tann LCT Lawyers, a member firm of Rajah & Tann Asia: The recent developments provide some comfort to enterprises which have an internet-based business with customers or users in Vietnam, as it would do away with the automatic application of the data localisation requirements. However, enterprises should still monitor their internet-based business to avoid violating Vietnam’s cybersecurity regulations which would place them at risk of localisation.