From 01 October 2022, user data must be stored in Vietnam. This rule is set under Decree No. 53/2022/ND-CP dated 15 August 2022 promulgated by Vietnam Government (“Decree 53”).
Under this Decree 53, all Vietnamese enterprises must store their user data* locally. This same obligation is also imposed on foreign tech firms if:
(i) foreign tech firms conduct their business in regulated fields**;
(ii) services of such foreign tech firms are used for violation of Vietnam cybersecurity laws; and
(iii) foreign tech firms failed to cooperate with Vietnam Cybersecurity Division*** to tackle the unlawful acts.
Besides, the aforementioned foreign tech firms must concurrently establish their branch or representative office in Vietnam. Decree 53 gives 12 months for foreign firms to set up their local presence and local data storage after the Minister of Ministry of Police gives such instructions. Mandatory minimum data storing time is 24 months.
* User data means: (i) Data on personal information of service users in Vietnam; (ii) Data created by users in Vietnam including: account name, time of using services, information on credit cards, email address, IP address of the last log-in and log-out, registered phone numbers in association with the account or data; and (iii) Data on relationship of service users in Vietnam including: friends, groups that the users have connected or interacted with.
**Regulated Fields include: (i) Telecommunications services; (ii) Storage and sharing of data in cyberspace; (iii) Provision of national or international domain names for service users in Vietnam; (iv) E-commerce; (v) Online payment; (vi) Payment intermediaries; (vii) Services of connection and transportation in cyberspace; (viii) Social media and social communication; (ix) Online games; and (x) Services of provision, management, or operation other information in cyberspace in forms of messages, calls, video calls, emails, online chatting.
*** Vietnam Cybersecurity Division is a division of Vietnam Ministry of Police, having the right to issue data collection requests for purpose of investigation and to ask service providers to remove content if it is deemed to violate the government’s guidelines.