What Decree 53/2022/ND-CP Detailing a Number of Articles of the Law on Cybersecurity 2018 Cover?

What Decree 53/2022/ND-CP Detailing a Number of Articles of the Law on Cybersecurity 2018 Cover?

Cybersecurity is one of the important issues for every country in the increasingly strong development of the internet. Although this development brings great benefits in many areas of life, it is accompanied by challenges to national security such as cybercriminals that appropriate and steal data of the user; taking advantage of the internet to spread false information against the state. Therefore, the promulgation of policies and laws on cybersecurity as a basis for management and optimal measures in order to protect national cybersecurity, eliminating illegal acts in cyberspace is extremely necessary. On August 15^th, 2022, the Government issued Decree 53/2022/ND-CP detailing a number of articles of the Law on Cybersecurity 2018. The Decree will take effect from October 1^st, 2022 with the following:

Cybersecurity Lawyers in Vietnam

Measures to protect network security: Request the removal of illegal or false information in cyberspace that infringes upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals

Requesting the removal of illegal or false information in cyberspace is one of the cybersecurity protection measures specified in the 2018 Law on Cybersecurity. Accordingly, Decree 53/2022/ND-CP has detailed regulations, listing specific cases where this measure can be applied as follows:

-When information in cyberspace is identified by competent agencies to have contents that infringe upon national security, disseminate information that sabotages the Socialist Republic of Vietnam, incite riots, and disrupt public security and order according to regulations of the law;

-When there are legal bases to determine that information in cyberspace has humiliating and slanderous contents; infringes upon the order of the economic management; fabricates and falsifies information, causing confusion among the people and severe damage to socio-economic activities to the extent that such information must be removed;

-When other information in cyberspace has contents including: Distortion of history, denial of revolutionary achievements, undermining national solidarity, blasphemy, discrimination by gender or race; Prostitution, vice, human trafficking; posting pornographic or criminal information; damaging Vietnam’s good traditions, social ethics or public health; Enticing, persuading or tempting others to commits crimes.

The information listed in the above cases are all illegal and false information, and the person who uses cyberspace to spread the above negative information is an act of violation strictly prohibited under the 2018 Cybersecurity Law. Once the above information is widely spread and publicized online, it will adversely affect the security, social order and safety of the country. Therefore, the regulation to apply the measure to request the deletion of the above information is practical for the above cases. The Director of the Department of Cyber​​Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam and Directors of competent agencies of the Ministry of Information and Communications are the ones who have the authority to decide on the application of measures to remove these information.

Measures to collect data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of agencies, organizations, and individuals in cyberspace

The collection of data (data is information in the form of symbols, letters, numbers, images, sounds or equivalences) related to activities infringing upon national security, social order and safety, legitimate rights and interests of agencies, organizations and individuals in cyberspace shall comply with the provisions of law, and at the same time ensure the following requirements:

-Maintenance of the status of digital devices and data;

-The copying and recording of data shall be done according to correct procedures via recognized devices and software that are verifiable and can protect the integrity of data stored in such devices;

-The process of restoring data or search data shall be recorded via minutes, images, and videos. The process may be repeated if it is necessary for presentation at a court;

-Data collectors shall be specialized officials assigned to collect data.

The principles of copying and restoring data related to acts of infringing upon national security, social order and safety, and legitimate rights and benefits of organizations, organizations, and individuals in cyberspace shall follow: If the data is considered necessary to be copied or restored or there is a request to copy and restore the data for the purpose of proving the commission of a crime, the assigned person shall be authorized to copy and restore such data and acquire a decision on approval of competent authority according to regulations of the law. In addition, to make a record for the copying and recovery activities of the electronic evidence, the case may be invited to an independent third party, witness and certification of this process.

The Director of the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam shall decide to take this measure.

Internal computer networks have the storage and transmission of state secrets must be completely separated from the network of computers and devices and electronic devices connected to the internet

The decree clearly specifies that state agencies and the political organization at central and local levels must develop regulations on the use, management and security of internal computer networks and computer networks connected to the Internet. agencies or organizations they manage. This is an activity to protect network security in state agencies, central and local political organizations.

Regulations on the use and assurance of computer network security by state agencies and political organizations at central and local levels must include the following basic contents: Identify major information and information network systems to be prioritized for cybersecurity assurance. Elaborate on prohibitions and principles of management and use and ensure cybersecurity and internal computer networks that store or transmit state confidentiality shall have a complete physical separation from computer networks, devices, and electronic means with Internet connection, other cases shall ensure compliance with regulations of laws on state confidentiality protection. Have procedures for professional and technical management in operating, using, and ensuring cybersecurity of data and technical infrastructure. Such procedures shall satisfy basic requirements for information system safety assurance. Ensure the personnel conditions for network management and operation and security of cyber information security, information safety and handling of violations of regulations on assurance of network security.

Thus, to ensure confidentiality of the internal data of the state agency, the internal computer network shall have the state secrets which are required to separate completely from the computer network or the equipment and electronic devices connected to the internet. This is the regulation for managing agencies to control, minimize the risk of internal data that is spread out into the electronic environment, causing serious impact on national security issues.

Will  data must be stored in Vietnam ?

The decree has stipulated a separate chapter to clarify the storage of data and set the branch or representative office of foreign enterprises in Vietnam.

The following data must be stored in Vietnam:

-Data on personal information of service users in Vietnam;

-Data created by service users in Vietnam: account names, service use time, information on credit cards, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data;

-Data on relationships of service users in Vietnam: friends and groups such users have connected or interacted with.

Domestic enterprises and foreign enterprises are the subjects that must store the above data. In particular, it only applies to foreign enterprises doing business in Vietnam in one of the following fields:

–Telecommunication services in Vietnam;

-Storage and sharing of data in cyberspace;

-Provision of national or international domain names for service users in Vietnam;

-E-commerce; Online payment in Vietnam;

-Payment intermediaries; Services of connection and transportation in cyberspace in Vietnam;

-Social media and social communication in Vietnam;

-Online video games in Vietnam;

Services of provision, management, or operation other information in cyberspace in forms of messages, calls, video calls, emails, online chatting in Vietnam.

However, not at all foreign enterprises is required to store data according to regulations. Decree 53/2022/ND-CP also sets conditions for the storage of data in Vietnam, specifically as follows: services provided by such foreign enterprises are used for violations of laws on cybersecurity, notified and requested for cooperation, prevention, investigation, and handling in writing by the Department of Cyber Security and Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam but they fail to comply or incompletely comply with such documents or prevent, obstruct, disable, or nullify the effect of cybersecurity protection measures performed by cybersecurity protection forces;

In case of an exception to the conditions for force majeure circumstances, the foreign enterprise cannot comply with the requirements of the law on cyber security, the foreign enterprise shall notify the Cybersecurity Department and high-tech crime prevention and control under the Ministry of Public Security within 03 working days for inspection of the verification of such force majeure. In this case, the enterprise will have 30 days to adopt remedial methods.

For the form of data storage, Decree 53/2022/ND-CP does not provide any specific requirements, but allows businesses to decide for themselves how to store their data in Vietnam, whether domestic or foreign enterprises.

For the time duration for data storage: for domestic enterprises, it automatically stores data; for foreign enterprises starting when the enterprise receives the request to store data from the Minister of Public Security until the end of the request; Minimum storage period is 24 months.

The Decree stipulates more specifically and strictly on the order and procedures for applying measures to ensure network security as well as the rights and obligations of state agencies in data security, building a network security system management system to ensure internal network security at the agency. Companies operating in the internet business should take into consideration of the new regulations and ensure compliance. It is important to engage cybersecurity lawyers in Vietnam for legal advice and update.