Vietnam: Cybersecurity Data Localization Requirements
In August 2022, the Government of Vietnam promulgated Decree No. 53/2022/ND-CP, elaborating a number of articles of the Law on Cybersecurity of Vietnam. Decree 53 is expected to make the Cybersecurity Law, which was issued in June 2018, more enforceable in practice. Decree 53 takes effect on October 1, 2022.
In particular, Decree 53 subjects foreign and domestic enterprises that provide services on telecommunications networks, the Internet, and the value-added service (VAS) in cyberspace in Vietnam to data retention requirements. Accordingly, a foreign enterprise providing this type of services (see list of captured services below) into Vietnam on a cross-border basis are required to store the data of service users in Vietnam if it receives a formal request for data retention from the Ministry of Public Security for the following reasons:
1. The foreign enterprise’s services have been used to violate the Vietnam’s cybersecurity law.
2. The foreign enterprise has failed to comply, or inadequately complied with the request by Department of Cybersecurity and High-Tech Crime Prevention and Control (A05) under the Ministry of Public Security to cooperate, prevent, investigate and resolve such violation.
Under this Decree, foreign enterprise would have to complete the data storage in Vietnam and the establish a branch or representative office in Vietnam within 12 months from the date of the Minister of Public Security’s formal request. This period can be extended for 30 business days with prior approval from the authority in a force majeure event. The data has to be retained for a minimum period of 24 months.
Captured Data
• Data on personal information of service users in Vietnam;
• Data created by service users in Vietnam: account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data;
• Data on relationships of service users in Vietnam: friends and groups such users have connected or interacted with.
Captured Services
1. Telecommunications
2. Data storage and data sharing in cyberspace
3. National or international domain names for service users in Vietnam
4. E-Commerce
5. Online payment
6. Payment intermediary
7. Transportation connection service via cyberspace
8. Social network and social media
9. Online video games
10. Messaging, voice call, video call, email, or online chat via cyberspace
Disclaimer: The information provided in this report is intended to be of assistance to U.S. exporters. While we make every effort to ensure its accuracy, neither the United States government nor any of its employees make any representation as to the accuracy or completeness of information in this or any other United States government document. Readers are advised to independently verify any information prior to reliance thereon. The information provided in this report does not constitute legal advice.
International copyright, U.S. Department of Commerce, 2008. All rights reserved outside of the United States.
Contact:
Triet Huynh
Senior Commercial Specialist
U.S. Commercial Service Ho Chi Minh City, Vietnam
Email: Triet.Huynh@trade.gov