The Law on Cybersecurity (LOC) was adopted and came into force on
In this update, we summarise some of the main points.
1. Definition of Localised Data
Prior to Decree 53, the LOC required domestic and overseas entities to store certain data in
- data on personal information;
- data generated by service users; and
-
data on the relationships of service users in
Vietnam , (collectively, Localised Data).
However, definitions of each type of Localised Data had not been set out in the LOC. This has now been done in Decree 53. Localised Data can be in the form of symbols, writing, numbers, images, sounds, or similar forms.
Data on Personal Information
This is any data that is or can be used to identify an individual.
Data Created by Service Users in
This is data that reflects how service users use and operate on
Data on the Relationships of Service Users in
This is data that illustrates the relationship interactions between a service user and other people in cyberspace such as friends communicating with each other.
2. Definition of Domestic and Overseas Entity
Decree 53 also clarifies how to identify a domestic or overseas entity. A domestic entity is defined as an entity established under the laws of
3.
Under Decree 53, an overseas entity is not required to store the data locally, or open a branch or a representative office in
- The entity does business in
Vietnam involving or related to- telecommunication services;
- data storage and sharing in cyberspace;
-
supply of national or international domain names to service users in
Vietnam ; - e-commerce;
- online payment services;
- intermediary payment services;
- service of transport connection via cyberspace;
- social networking and social media;
- online gaming; or
- services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.
-
The services provided by the overseas entity have been used by service users to commit acts that violate the LOC, and the
Department for Cybersecurity and Prevention of High-Tech Crime under the Ministry of Public Security has sent a written notice requesting the coordination, prevention, investigation and handling of such acts, but the entity fails to (inadequately) comply, resists, obstructs or disables cybersecurity measures applied by a specialised task force for cybersecurity protection.
An overseas entity has 12 months from the date of receiving such a request by the Public Security Minister to store the data locally and to establish a branch or representative office in
4. Form and Duration of
The form of data storage in
5. Measures for Cybersecurity Protection
Decree 53 contains several provisions and detailed procedures aimed at cybersecurity. These provisions include the evaluation of cybersecurity, assessments of cybersecurity conditions, inspections of cybersecurity, examinations of cybersecurity, responses to and remedying any cybersecurity incidents, using cryptography to protect network information, requiring the deletion of unlawful or false information in cyberspace, collection of infringing e-data relevant to acts in cyberspace, suspending or permanently shutting down the operation of information systems or withdrawing domain names.
6. Deletion of Unlawful or False Information
For this update, we will focus on the measure of requiring the deletion of unlawful or false information in cyberspace, which infringes upon national security, social order and safety, or the lawful rights and interests of individuals, organisations and agencies. It is expected that the competent authority in charge of checking information published on social networks will apply this measure frequently. Unlawful or false information includes information which:
- is published in cyberspace that is determined by the competent authority to infringe upon national security, propagandise against the State, incite violence, disrupt security or public order;
- based on legal grounds, is humiliating or slanderous, infringes economic management order, fabricates and falsifies leading to confusion among people, and causes severe damage to social economic activities; and
- violates the LOC, for example, offensive language against any religion, gender or race, or incites crime or violence.
The competent authorities are the Head of the
7. Responsibilities in Implementing Measures for Cybersecurity Protection
Organisations and individuals shall promptly coordinate with and assist the specialised cybersecurity force in implementing the necessary and requested measures to protect cybersecurity. When the competent authorities announce that cross-border service providers are in violation of Vietnamese law, Vietnamese organisations and enterprises will, within their scope of power and responsibilities, need to coordinate with the competent authorities in preventing and handling these violations.
8. Conclusion
If an entity fails to comply with the LOC and Decree 53 such as failure to store data locally, open a branch or a representative office in
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
ACSV Legal
Level 11,
Tel: 283822 4539
E-mail: Marieke@acsvlegal.com
URL: www.acsvlegal.com
© Mondaq Ltd, 2022 - Tel. +44 (0)20 8544 8300 - http://www.mondaq.com, source