What impact will it have on data regulations?
Introduction
As the call has grown to ensure national security in cyberspace, the Vietnam government issued the controversial Law on Cybersecurity (CSL) on 12 June 2018. With it due to come into effect on 1 January 2019.
There are two main issues in the CSL worrying the data industry — a data localization requirement and the compulsory establishment of branches and representative offices (Data Localization and Presence Establishment Requirement).
However, as the CSL has ambiguous wording on the two issues, the Ministry of Public Security (MPS) worked on a draft decree guiding the implementation of the CSL and published their second draft on 31 October 2018 for public consultation. The Draft Decree provided guidance on:
Proposed changes on the Draft Decree
In this update, we would like to focus on the issues around data. While Article 24 and 26 of the Draft Decree clarified the type of information to be stored and its term of storage in Vietnam, Article 25 of Draft Decree set out conditions to trigger the requirements on Data Localisation and Presence Establishment Requirement.
Type of information to be stored and its term
We set out the relevant information and the corresponding terms of storage in Vietnam:
|
No. |
Type of information |
Term of storage (at minimum) |
|
1 |
Full name, date of birth, place of birth, nationality, occupation, job titles, residential address, contact address, email, phone number, ID card number, personal identification number, passport number, social insurance number, credit card number, health status, medical records, biometric data |
Permanent (depending on the operating time of the data processor or stoppage of services) |
|
2 |
Vietnamese user-created data, including the type of data to be uploaded, synchronised or copied from devices |
36 months |
|
3 |
Data on the relations of Vietnamese users, including friends, groups that the users connected to or interacted with |
36 months |
|
4 |
Network logs |
12 months |
Clarification of the businesses involved
Article 25 of the Draft Decree clarified that telecommunication networks, the Internet and value-added services on cyberspace in Vietnam are to be subject to the Data Localization and Presence Establishment Requirement. The list includes telecommunication services, hosting and sharing data on cyberspace, providing national or international domain names for service users in Vietnam, E-commerce, online payment, payment intermediation, mobility services via cyberspace, social network and social media, online video games and email. This demonstrates to the public the potential reach of the CSL on the data industry.
Reduced burden on Data Localization and Presence Establishment Requirement
Article 26.3 of the CSL stipulated that the government would impose a Data Localization and Presence Establishment Requirement on all entities who:
In contrast, Article 25 of the Draft Decree sets two more conditions for imposing the requirement. Particularly, the entities must also:
In short, this means the relevant entities would need to have violated the CSL before being the Data Localization and Presence Establishment Requirement is imposed upon them. Looking at it optimistically, it is the public backlash against the CSL which has influenced the lawmakers to limit the scope of the requirement by imposing further conditions. However, many data processing giants (especially social networks) may not escape the CSL because of the increased regulatory expectation of moderating content in the networks or complying with the requests from the authorities.
Unclear sanctions against violations
If the entities met all four conditions set out in Article 25 of Draft Decree, they would be requested to comply with the Data Localization and Presence Establishment Requirement (by the Minister of the MPS). Although the article stated that failure to comply may be subject to sanctions, it did not specify them. It is usual that the government would issue a separate decree on administrative sanctions against violations in a particular field. However, it is unclear how the government could issue sanctions against companies having no commercial presence in Vietnam (in particular, for the failure to open branches or representative offices or store data in Vietnam).
Conclusion
In the meantime, the Draft Decree is attracting wide attention from the public, and the MPS is accepting public consultation on this draft until 2 December. It is expected that the finalised decree would be issued after the effective date of the CSL. Although this draft made great attempts to clarify the implementation of the CSL, it remains to be seen how the public can contribute further to the draft and perhaps more importantly the receptiveness of the MPS to consider and accept changes.
