Vietnam’s new Cybersecurity Law requiring data localisation to take effect on 1 October 2022

Asia-Pacific

The Law on Cybersecurity, Decree No. 53/2022/ND-CP (“Decree 53/2022”) was issued by the Vietnamese Government on 15 August 2022, and will become fully effective on 1 October 2022.

The following are some key matters to note arising from Decree 53/2022:

  • Information systems important for national security: A list of important national security information systems would be prescribed, where owners of such important information systems are required to, among others, (a) provide certain prescribed information to the relevant Government authorities, and (b) comply with prescribed security measures.
  • Powers relating to illegal activities: Decree 53/2022 empowers authorities to require companies to take certain measures (such as deleting data, providing authorities with data, and suspension of domain names) in the circumstances such as where there is a violation of law, or an infringement of national security, social order and safety.
  • Data localisation: Domestic companies, and certain foreign companies providing specified services (e.g. telecommunications, e-commerce, online payment), will have to store specific types of data in Vietnam for a minimum period of 24 months, and system logs relating to violations of the law must be stored for at least 12 months. These foreign companies are also required to set up a branch or representative office in Vietnam.

Commentary

International companies doing business in Vietnam should be aware of the obligations required under this new law.

In relation to data localisation, foreign companies should evaluate if they fall within the specified services under the Decree and determine if they are required to comply with the localisation and branch / representative office requirement.

Finally, all companies should be aware of the powers granted to authorities relating to illegal activities, and where required, comply with these measures imposed.