mask
Draft decree requires data localization
The Ministry of Public Security has recently unveiled the second draft of the decree detailing the Law on Cyber Security, dealing with burning issues such as data storage and establishment of foreign service providers’ branches and representative offices in Vietnam.

The Ministry of Public Security has recently unveiled the second draft of the decree detailing the Law on Cyber Security, dealing with burning issues such as data storage and establishment of foreign service providers’ branches and representative offices in Vietnam.

Under the draft decree, data on personal information of a service user in Vietnam covers his full name, date and place of birth, citizenship, occupation, professional title, place of residence, contact address, email address, telephone number, identity card number, personal identification number, citizen identification number, passport number, social security card number, credit card number, health status, medical records, and biometric data. These information must be stored in the country throughout the operation of enterprises or until enterprises no longer provide services.

As per data generated by users, which consists of all information uploaded, synchronized or imported from their devices, and data on users’ relationship, which includes their friend lists and groups which they connect to or interact with, the duration of storage would be 36 months.

The draft goes on to specify enterprises subject to requirements on data localization. Accordingly, all enterprises, regardless of whether they are local or foreign businesses, will have to store users’ information in Vietnam if they: (i) provide services in telecommunications networks or the Internet or provide added-value services on cyberspace in one of the following business lines: telecommunications, data hosting and sharing on cyberspace, grant of national or international domain names to service users in Vietnam, e-commerce, online payment, payment intermediation, via-cyberspace connection of transport services, social network and social media, online video games, and email services; (ii) collect, exploit, analyze and process users’ personal information; (iii) allow service users to commit the acts prescribed in Clauses 1 and 2, Article 8 of the Law on Cyber Security; and (iv) violate regulations in Clauses 4, Article 8; and at Point a or b, Clause 2, Article 26 of the Law on Cyber Security. Particularly, foreign enterprises falling into this case would be required to establish branches or representative offices in Vietnam.

If approved, the draft decree will come into force on the first day of 2019, concurrently with the Law on Cyber Security.- (VLLF)

back to top