What Decree
53/2022/ND-CP Detailing a Number of Articles of the Law on Cybersecurity 2018
Cover?
Cybersecurity is one of
the important issues for every country in the increasingly strong development
of the internet. Although this development brings great benefits in many areas
of life, it is accompanied by challenges to national security such as cybercriminals
that appropriate and steal data of the user; taking advantage of the internet
to spread false information against the state. Therefore, the promulgation of
policies and laws on cybersecurity as a basis for management and optimal
measures in order to protect national cybersecurity, eliminating illegal acts
in cyberspace is extremely necessary. On August 15th, 2022, the
Government issued Decree 53/2022/ND-CP detailing a number of articles of the Law on Cybersecurity 2018. The Decree will take effect from October 1st,
2022 with the following:
Cybersecurity Lawyers in Vietnam
Measures to protect
network security: Request the removal of illegal or false information in
cyberspace that infringes upon national security, social order and safety, and
legitimate rights and benefits of agencies, organizations, and individuals
Requesting the removal
of illegal or false information in cyberspace is one of the cybersecurity
protection measures specified in the 2018 Law on Cybersecurity. Accordingly,
Decree 53/2022/ND-CP has detailed regulations, listing specific cases where
this measure can be applied as follows:
-When information in
cyberspace is identified by competent agencies to have contents that infringe
upon national security, disseminate information that sabotages the Socialist
Republic of Vietnam, incite riots, and disrupt public security and order
according to regulations of the law;
-When there are legal
bases to determine that information in cyberspace has humiliating and
slanderous contents; infringes upon the order of the economic management;
fabricates and falsifies information, causing confusion among the people and
severe damage to socio-economic activities to the extent that such information
must be removed;
-When other information
in cyberspace has contents including: Distortion of history, denial of
revolutionary achievements, undermining national solidarity, blasphemy,
discrimination by gender or race; Prostitution, vice, human trafficking;
posting pornographic or criminal information; damaging Vietnam’s good
traditions, social ethics or public health; Enticing, persuading or tempting
others to commits crimes.
The information listed
in the above cases are all illegal and false information, and the person who
uses cyberspace to spread the above negative information is an act of violation
strictly prohibited under the 2018 Cybersecurity Law. Once the above
information is widely spread and publicized online, it will adversely affect
the security, social order and safety of the country. Therefore, the regulation
to apply the measure to request the deletion of the above information is
practical for the above cases. The Director of the Department of Cyber
Security and Hi-tech Crime Prevention of the Ministry of Public Security of
Vietnam and Directors of competent agencies of the Ministry of Information and
Communications are the ones who have the authority to decide on the application
of measures to remove these information.
Measures to collect data
related to acts of infringing upon national security, social order and safety,
and legitimate rights and benefits of agencies, organizations, and individuals
in cyberspace
The collection of data
(data is information in the form of symbols, letters, numbers, images, sounds
or equivalences) related to activities infringing upon national security,
social order and safety, legitimate rights and interests of agencies,
organizations and individuals in cyberspace shall comply with the provisions of
law, and at the same time ensure the following requirements:
-Maintenance of the
status of digital devices and data;
-The copying and
recording of data shall be done according to correct procedures via recognized
devices and software that are verifiable and can protect the integrity of data
stored in such devices;
-The process of
restoring data or search data shall be recorded via minutes, images, and
videos. The process may be repeated if it is necessary for presentation at a
court;
-Data collectors shall
be specialized officials assigned to collect data.
The principles of
copying and restoring data related to acts of infringing upon national security,
social order and safety, and legitimate rights and benefits of organizations,
organizations, and individuals in cyberspace shall follow: If the data is
considered necessary to be copied or restored or there is a request to copy and
restore the data for the purpose of proving the commission of a crime, the
assigned person shall be authorized to copy and restore such data and acquire a
decision on approval of competent authority according to regulations of the
law. In addition, to make a record for the copying and recovery activities of
the electronic evidence, the case may be invited to an independent third party,
witness and certification of this process.
The Director of the
Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of
Public Security of Vietnam shall decide to take this measure.
Internal computer
networks have the storage and transmission of state secrets must be completely
separated from the network of computers and devices and electronic devices
connected to the internet
The decree clearly
specifies that state agencies and the political organization at central and
local levels must develop regulations on the use, management and security of
internal computer networks and computer networks connected to the Internet.
agencies or organizations they manage. This is an activity to protect network
security in state agencies, central and local political organizations.
Regulations on the use
and assurance of computer network security by state agencies and political
organizations at central and local levels must include the following basic
contents: Identify major information and information network systems to be
prioritized for cybersecurity assurance. Elaborate on prohibitions and
principles of management and use and ensure cybersecurity and internal computer
networks that store or transmit state confidentiality shall have a complete
physical separation from computer networks, devices, and electronic means with
Internet connection, other cases shall ensure compliance with regulations of
laws on state confidentiality protection. Have procedures for professional and
technical management in operating, using, and ensuring cybersecurity of data
and technical infrastructure. Such procedures shall satisfy basic requirements
for information system safety assurance. Ensure the personnel conditions for
network management and operation and security of cyber information security,
information safety and handling of violations of regulations on assurance of
network security.
Thus, to ensure confidentiality
of the internal data of the state agency, the internal computer network shall
have the state secrets which are required to separate completely from the
computer network or the equipment and electronic devices connected to the
internet. This is the regulation for managing agencies to control, minimize the
risk of internal data that is spread out into the electronic environment,
causing serious impact on national security issues.
Will data must be
stored in Vietnam ?
The decree has
stipulated a separate chapter to clarify the storage of data and set the branch
or representative office of foreign enterprises in Vietnam.
The following data must
be stored in Vietnam:
-Data on personal
information of service users in Vietnam;
-Data created by service
users in Vietnam: account names, service use time, information on credit cards,
emails, IP addresses of the last login or logout session, and registered phone
numbers in association with accounts or data;
-Data on relationships
of service users in Vietnam: friends and groups such users have connected or
interacted with.
Domestic enterprises and
foreign enterprises are the subjects that must store the above data. In
particular, it only applies to foreign enterprises doing business in Vietnam in
one of the following fields:
–Telecommunication services in Vietnam;
-Storage and sharing of
data in cyberspace;
-Provision of national
or international domain names for service users in Vietnam;
-E-commerce; Online
payment in Vietnam;
-Payment intermediaries;
Services of connection and transportation in cyberspace in Vietnam;
-Social media and social
communication in Vietnam;
-Online video games in
Vietnam;
Services of provision,
management, or operation other information in cyberspace in forms of messages,
calls, video calls, emails, online chatting in Vietnam.
However, not at all
foreign enterprises is required to store data according to regulations. Decree
53/2022/ND-CP also sets conditions for the storage of data in Vietnam,
specifically as follows: services provided by such foreign enterprises are used
for violations of laws on cybersecurity, notified and requested for cooperation,
prevention, investigation, and handling in writing by the Department of Cyber
Security and Hi-tech Crime Prevention of the Ministry of Public Security of
Vietnam but they fail to comply or incompletely comply with such documents or
prevent, obstruct, disable, or nullify the effect of cybersecurity protection
measures performed by cybersecurity protection forces;
In case of an exception
to the conditions for force majeure circumstances, the foreign enterprise
cannot comply with the requirements of the law on cyber security, the foreign
enterprise shall notify the Cybersecurity Department and high-tech crime
prevention and control under the Ministry of Public Security within 03 working
days for inspection of the verification of such force majeure. In this case,
the enterprise will have 30 days to adopt remedial methods.
For the form of data
storage, Decree 53/2022/ND-CP does not provide any specific requirements, but
allows businesses to decide for themselves how to store their data in Vietnam,
whether domestic or foreign enterprises.
For the time duration
for data storage: for domestic enterprises, it automatically stores data; for
foreign enterprises starting when the enterprise receives the request to store
data from the Minister of Public Security until the end of the request; Minimum
storage period is 24 months.
The Decree stipulates
more specifically and strictly on the order and procedures for applying
measures to ensure network security as well as the rights and obligations of
state agencies in data security, building a network security system management
system to ensure internal network security at the agency. Companies operating
in the internet business should take into consideration of the new regulations
and ensure compliance. It is important to engage cybersecurity lawyers in Vietnam for legal advice and
update.
Source
ANTLawyers: https://antlawyers.vn/library/decree-53-2022-nd-cp-detailing-of-the-law-on-cybersecurity-2018.html