In this post, we provide our comments to the draft Law on Telecom provided to us recently. The comments are prepared by Nguyen Quang Vu and Trinh Phuong Thao.

1.        Data center services and cloud computing services should be excluded from Law on Telecom

Position under the draft Law on Telecom

The draft Law on Telecom:

• considers data center services and cloud computing services to be telecommunication services;

• requires onshore providers of data center services and cloud computing services to obtain a telecom license; and

• requires offshore providers of cross-border data center services and cloud computing services to sign a contract with a Vietnamese telecommunication service provider or to set up a representative office in Vietnam.

If adopted as currently drafted, immediately when the amended Law on Telecom becomes effective:

• all onshore providers of server leasing service will need to obtain a telecom license;

• all onshore software providers who deliver software over the internet (e.g. Google App Store or Apple App Store) will need to obtain a telecom license;

• all onshore e-commerce apps or software which operate in the model of client-server will need to obtain a telecom license; and

• all offshore service providers of cross-border software, software as a services (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS) or e-commerce services will need to sign a commercial contract with a Vietnamese telecommunication service provider or establish a representative office in Vietnam.

Please click here to download the pdf version.

On 17 April 2023, the Government issued Decree 13 on personal data protection (Decree 13/2023). Decree 13/2023 marks a significant milestone as the first comprehensive legal document that governs the protection of personal data in Vietnam. As compared to the draft decree on personal data protection (Draft Decree), Decree 13/2023 has been significantly improved to incorporate key aspects necessary to protect personal data to align with the General Data Protection Regulation (GDPR). In this post, we will discuss key issues under Decree 13/2023 while comparing it to the Draft Decree and GDPR. This post is written by Trinh Phuong Thao and edited by Nguyen Quang Vu.

1.         Things to be done by 1 July 2023

Ideally, before 1 July 2023, both onshore and offshore entities involving in collecting and/or processing personal data of Vietnamese individuals or foreign individual residing Vietnam should do the following:

• having proper consents from the relevant data subject (see 7);

• if it is a data controller, having a contract with the relevant data processor (see 4);

• determining whether it deals with basic personal data or sensitive personal data;

• preparing and submitting an assessment of the impact of personal data processing to the Ministry of Public Security (MPS) (see 10);

• preparing and submitting an assessment of the impact of offshore transferring personal data to the MPS (see 11);

• setting up system to protect the safety and confidentiality of the personal data which it collects or processes; and

• setting up a personal data protection department and a data compliance officer if it deals with sensitive personal data.

Decree 13/2023 only exempts small and medium enterprises or start ups from complying with certain requirements until 1 July 2025.

One key missing ingredient though is the potential penalty which may apply in case of non-compliance. Accordingly, currently, Decree 13/2023 has no teeth in enforcing the above requirements. Unlike Decree 13/2023, the GDPR has clear penalties and fines applicable to violations of the GDPR.

In August 2022, the Government issued Decree 53/2022 to implement various provisions of the Law on Cyber Security 2018 (LCS 2018). We summarise below certain key points of Decree 53/2022:

• Data localization: Decree 53/2022 provides more detailed guidance on data localization in Vietnam. Please see our separate blog on this issue here.

• Using cryptography (“mật mã”) to protect network information: If necessary for the national security, safety and order of society or protecting legitimate rights and benefit of others, the authority could request related individuals/organizations to encrypt information not considered as State secret before storing, transmitting on the Internet;