What Decree 53/2022/ND-CP Detailing a
Number of Articles of the Law on Cybersecurity 2018 Cover?
Cybersecurity is one of the important
issues for every country in the increasingly strong development of the
internet. Although this development brings great benefits in many areas of
life, it is accompanied by challenges to national security such as cybercriminals
that appropriate and steal data of the user; taking advantage of the internet
to spread false information against the state. Therefore, the promulgation of
policies and laws on cybersecurity as a basis for management and optimal
measures in order to protect national cybersecurity, eliminating illegal acts
in cyberspace is extremely necessary. On August 15th, 2022, the
Government issued Decree 53/2022/ND-CP detailing a
number of articles of the Law on Cybersecurity 2018. The Decree will
take effect from October 1st, 2022 with the following:
Cybersecurity Lawyers
in Vietnam
Measures to protect
network security: Request the removal of illegal or false information in
cyberspace that infringes upon national security, social order and safety, and
legitimate rights and benefits of agencies, organizations, and individuals
Requesting the removal of illegal or false
information in cyberspace is one of the cybersecurity protection measures
specified in the 2018 Law on Cybersecurity. Accordingly, Decree 53/2022/ND-CP
has detailed regulations, listing specific cases where this measure can be
applied as follows:
-When information in cyberspace is
identified by competent agencies to have contents that infringe upon national
security, disseminate information that sabotages the Socialist Republic of
Vietnam, incite riots, and disrupt public security and order according to
regulations of the law;
-When there are legal bases to determine
that information in cyberspace has humiliating and slanderous contents;
infringes upon the order of the economic management; fabricates and falsifies
information, causing confusion among the people and severe damage to
socio-economic activities to the extent that such information must be removed;
-When other information in cyberspace has
contents including: Distortion of history, denial of revolutionary achievements,
undermining national solidarity, blasphemy, discrimination by gender or race;
Prostitution, vice, human trafficking; posting pornographic or criminal
information; damaging Vietnam’s good traditions, social ethics or public
health; Enticing, persuading or tempting others to commits crimes.
The information listed in the above cases
are all illegal and false information, and the person who uses cyberspace to
spread the above negative information is an act of violation strictly
prohibited under the 2018 Cybersecurity Law. Once the above information is
widely spread and publicized online, it will adversely affect the security,
social order and safety of the country. Therefore, the regulation to apply the
measure to request the deletion of the above information is practical for the
above cases. The Director of the Department of CyberSecurity and Hi-tech
Crime Prevention of the Ministry of Public Security of Vietnam and Directors of
competent agencies of the Ministry of Information and Communications are the ones
who have the authority to decide on the application of measures to remove these
information.
Measures to collect data
related to acts of infringing upon national security, social order and safety,
and legitimate rights and benefits of agencies, organizations, and individuals
in cyberspace
The collection of data (data is
information in the form of symbols, letters, numbers, images, sounds or
equivalences) related to activities infringing upon national security, social
order and safety, legitimate rights and interests of agencies, organizations
and individuals in cyberspace shall comply with the provisions of law, and at
the same time ensure the following requirements:
-Maintenance of the status of digital
devices and data;
-The copying and recording of data shall
be done according to correct procedures via recognized devices and software
that are verifiable and can protect the integrity of data stored in such
devices;
-The process of restoring data or search
data shall be recorded via minutes, images, and videos. The process may be
repeated if it is necessary for presentation at a court;
-Data collectors shall be specialized
officials assigned to collect data.
The principles of copying and restoring
data related to acts of infringing upon national security, social order and
safety, and legitimate rights and benefits of organizations, organizations, and
individuals in cyberspace shall follow: If the data is considered necessary to
be copied or restored or there is a request to copy and restore the data for the
purpose of proving the commission of a crime, the assigned person shall be
authorized to copy and restore such data and acquire a decision on approval of
competent authority according to regulations of the law. In addition, to make a
record for the copying and recovery activities of the electronic evidence, the
case may be invited to an independent third party, witness and certification of
this process.
The Director of the Department of Cyber
Security and Hi-tech Crime Prevention of the Ministry of Public Security of
Vietnam shall decide to take this measure.
Internal computer
networks have the storage and transmission of state secrets must be completely
separated from the network of computers and devices and electronic devices
connected to the internet
The decree clearly specifies that state
agencies and the political organization at central and local levels must
develop regulations on the use, management and security of internal computer
networks and computer networks connected to the Internet. agencies or
organizations they manage. This is an activity to protect network security in
state agencies, central and local political organizations.
Regulations on the use and assurance of
computer network security by state agencies and political organizations at central
and local levels must include the following basic contents: Identify major
information and information network systems to be prioritized for cybersecurity
assurance. Elaborate on prohibitions and principles of management and use and
ensure cybersecurity and internal computer networks that store or transmit
state confidentiality shall have a complete physical separation from computer
networks, devices, and electronic means with Internet connection, other cases
shall ensure compliance with regulations of laws on state confidentiality
protection. Have procedures for professional and technical management in
operating, using, and ensuring cybersecurity of data and technical
infrastructure. Such procedures shall satisfy basic requirements for
information system safety assurance. Ensure the personnel conditions for
network management and operation and security of cyber information security,
information safety and handling of violations of regulations on assurance of
network security.
Thus, to ensure confidentiality of the
internal data of the state agency, the internal computer network shall have the
state secrets which are required to separate completely from the computer
network or the equipment and electronic devices connected to the internet. This
is the regulation for managing agencies to control, minimize the risk of
internal data that is spread out into the electronic environment, causing
serious impact on national security issues.
Will data must be
stored in Vietnam ?
The decree has stipulated a separate
chapter to clarify the storage of data and set the branch or representative
office of foreign enterprises in Vietnam.
The following data must be stored in
Vietnam:
-Data on personal information of service
users in Vietnam;
-Data created by service users in Vietnam:
account names, service use time, information on credit cards, emails, IP
addresses of the last login or logout session, and registered phone numbers in
association with accounts or data;
-Data on relationships of service users in
Vietnam: friends and groups such users have connected or interacted with.
Domestic enterprises and foreign
enterprises are the subjects that must store the above data. In particular, it
only applies to foreign enterprises doing business in Vietnam in one of the
following fields:
–Telecommunication services in Vietnam;
-Storage and sharing of data in
cyberspace;
-Provision of national or international
domain names for service users in Vietnam;
-E-commerce; Online payment in Vietnam;
-Payment intermediaries; Services of
connection and transportation in cyberspace in Vietnam;
-Social media and social communication in
Vietnam;
-Online video games in Vietnam;
Services of provision, management, or
operation other information in cyberspace in forms of messages, calls, video
calls, emails, online chatting in Vietnam.
However, not at all foreign enterprises is
required to store data according to regulations. Decree 53/2022/ND-CP also sets
conditions for the storage of data in Vietnam, specifically as follows:
services provided by such foreign enterprises are used for violations of laws
on cybersecurity, notified and requested for cooperation, prevention,
investigation, and handling in writing by the Department of Cyber Security and
Hi-tech Crime Prevention of the Ministry of Public Security of Vietnam but they
fail to comply or incompletely comply with such documents or prevent, obstruct,
disable, or nullify the effect of cybersecurity protection measures performed
by cybersecurity protection forces;
In case of an exception to the conditions
for force majeure circumstances, the foreign enterprise cannot comply with the
requirements of the law on cyber security, the foreign enterprise shall notify
the Cybersecurity Department and high-tech crime prevention and control under
the Ministry of Public Security within 03 working days for inspection of the
verification of such force majeure. In this case, the enterprise will have 30
days to adopt remedial methods.
For the form of data storage, Decree
53/2022/ND-CP does not provide any specific requirements, but allows businesses
to decide for themselves how to store their data in Vietnam, whether domestic
or foreign enterprises.
For the time duration for data storage:
for domestic enterprises, it automatically stores data; for foreign enterprises
starting when the enterprise receives the request to store data from the
Minister of Public Security until the end of the request; Minimum storage
period is 24 months.
The Decree stipulates more specifically
and strictly on the order and procedures for applying measures to ensure
network security as well as the rights and obligations of state agencies in
data security, building a network security system management system to ensure
internal network security at the agency. Companies operating in the internet
business should take into consideration of the new regulations and ensure
compliance. It is important to engage cybersecurity lawyers in Vietnam for legal advice and
update.
0 comments:
Post a Comment