While this article is about data localisation requirements in Vietnam, it is the first in a long series (occasionally interrupted) of blog posts I intend to write about data privacy and cybersecurity in Vietnam. This is part of my continuing effort to inform myself (see this post on e-wallets for an introduction of my intended blog abuse to educate myself on tech law) –and you–about the legal side of tech matters in the country. Without further ado, then, let’s dive in.
What is data localisation?
When a person uses the internet they create data. Whether that data is personal data that they upload through completing forms (name, birthday, ID, bank card, etc.) or simply by connecting to the internet (IP address) it can be collected by the companies that provide internet services. For Vietnamese residents, sometimes those internet services are provided by Vietnamese companies (tiki.vn, chinhphu.gov, etc.) and sometimes by offshore companies (Facebook, TikTok, etc.). Like all providers on the internet, once they collect information about a user, they process and store that information on physical servers.
Data localisation, then, is a requirement imposed by governments on the companies that process and collect the data of the residents of that government’s country. Usually, the requirement is for, according to Wikipedia (here), those residents’ data “to be collected, processed, and/or stored inside the country, often before being transferred internationally.” This means that offshore companies providing internet services to residents of a given country must have physical servers within the territory of that country on which they collect, process, or store the data collected from their users. In some cases, all of this must be done within the territory of the given country before the data can be transferred beyond its borders–and there may be additional requirements for such transfers.
Data localisation requirements in Vietnam have evolved over the last seven years since they were first imposed on international internet service providers. The rest of this article will examine the historical, current, and proposed data localisation requirements in Vietnam.
Historical Data Localisation Requirements in Vietnam
Though the idea for the internet came into being in the mid-1960s, it was not available in Vietnam until November 1997 (see a 2017 article on the history of the internet in Vietnam, here). Even then, it took some time for the concept to develop sufficient penetration in Vietnam for the Government to begin actively regulating its use. And concerns over data ownership and protection have only recently begun to arise as mega-tech companies like Google and Facebook have groaned under increasing international regulation of their manipulation of collected data.
The first data localisation requirements in Vietnam were legislated in 2013 in a decree providing guidance on the laws on information technology, telecommunications, and the press. That decree proclaimed that anyone setting up a general website or social network, enterprises providing internet content services on mobile networks, and electronic game service providers must
“have at least one server system located in Vietnam which satisfies the inspection, check, storage and provi[de] information as required by the competent State administrative authority.”
This requirement was broad and encompassed anyone providing these services anywhere. There were no specific guidelines localising the provision of services to Vietnam. That meant, in theory, that someone in Podunk, Idaho, USA who maintained a general website about their very local dog grooming service could be subject to the requirements of this decree and made to maintain “at least one server system located in Vietnam.” This was obviously unenforceable and, as a consequence, was very loosely enforced. It wasn’t until 2019 that this requirement was reformed.
Current Data Localisation Requirements in Vietnam
In 2018 the National Assembly passed the controversial new law on cybersecurity that subsequently went into effect on 1 January 2019. In addition to providing rules that allowed the government to arguably censor residents who posted objectionable content on the internet, it also expanded and simultaneously solidified the data localisation requirements in Vietnam.
“Both domestic and foreign companies providing services of telecommunications, internet, and value-added services in cyberspace in Vietnam that conduct the collection, exploitation, analysis, or processing of data of individuals, data about relationships of service users, or data generated by users in Vietnam must preserve that data in Vietnam during the time period regulated by the Government.”
Finally the Government provides specific requirements for what activities actually give rise to the data localisation requirements in Vietnam. Only those foreign companies providing services that access and use data of Vietnamese users must preserve that data within the territory of Vietnam. These requirements remain broad and far from concrete. Much like the GDPR in Europe, this requirement still could be interpreted to require a dog groomer in Idaho to maintain a server in Vietnam if that dog groomer collected data from an outlier Vietnamese visitor to her website. That alone prevents this requirement from being truly enforceable, but the language of the above legislation also provides a vaguely “to be defined” requirement as to the time period. Also, the preservation of “that data in Vietnam” does not specify how that data is to be preserved. Will a data cloud hosted in Vietnam be sufficient, or is the requirement of the 2013 decree requiring a physical server still in effect?
If that weren’t enough, the law on cybersecurity imposes a second, more onerous and controversial requirement on these service providers. Any company that provides the services described above must additionally open either a branch or representative office in Vietnam. Some commentators saw this as an effort by the Vietnamese Government to increase the reach of its regulatory authority by making anyone who provides internet services in the country open an office in the country. Many commentators also saw this as an overreach of that authority.
In the United States, each state has its own legislator and makes its own laws. It has its own regulations and its own enforcement mechanisms. Sometimes a company or individual in one state wants to start a company in an other state and register that business as an alien to the state in which such registration occurs. When this happens, the state wherein the company is registers requires the founders of that company to either maintain a mailing address within the state’s borders or to sign an agreement that the founder will submit to that state’s jurisdiction should there be a dispute or regulatory matter affecting the founded company.
While not dissimilar to Vietnam’s requirements of internet service providers opening a branch or representative office within its territory, there are substantial differences. A PO Box costs a few dollars a month compared to costs ranging into thousands of dollars annually to incorporate and maintain a branch or representative office, employees must be hired and employed on an ongoing basis, taxes paid, etc. But perhaps that’s the point. Perhaps Vietnam’s Government is looking to do more than just impose liability on internet service providers, but to access their bank accounts for the imposition of taxes and other fees. Whatever the reasons, the requirement as currently defined remains largely ambiguous and unclear.
Proposed Data Localisation Requirements in Vietnam
But there are proposals in the works, still, to amend these requirements and to develop concrete criteria for when an internet service provider must actually maintain servers or open a branch or representative office within the territory of Vietnam.
Now in its second draft, a proposal decree detailing the application of the law on cybersecurity is currently in circulation. That said, it has been in application–in one form or another–since the law on cybersecurity was passed two years ago and there seems to be little progress in moving the proposal into actual legislation anytime soon.
The proposed decree imposes a three-pronged approach to the data localisation requirements in Vietnam. This approach applies to both the storage of data within the territory and the incorporation of a branch or representative office. According to the draft decree, an enterprise must store data and open an entity in Vietnam if it meets all of the following requirements:
- it provides services of telecom, data storage and sharing in cyberspace, supply of national or international domains to service users in Vietnam; e-commerce; online payment; intermediary payment; service of transport connections via cyberspace; social networking and social media; online electronic games; services of providing, managing or operating other information in cyberspace in the form of a message, phone call, video call, email or online chat;
- it carries out activities of collecting, exploiting, analysing and processing
- data on personal information of service users in Vietnam;
- data generated by service users in Vietnam, including: account name for use of services, duration of use of services, credit card information, email address, IP addresses for the latest login and logout, registered telephone number attached to the account or data relevant to personal data; or
- data on the relationships of service users in Vietnam, including friends, and groups with which the user connects or interacts.
- it is warned that the services provided by it are used to commit a breach of the laws of Vietnam and it does not take any measure for avoiding, dealing with, fighting against or preventing such breach, or does not comply with a written request from the Department for Cybersecurity and Prevention of High-tech Crime under the Ministry of Public Security for coordination in investigating and dealing with a breach of law or an act of neutralizing or rendering ineffective cybersecurity protective measures.
In essence, then, before a company is required to store data and open a branch or representative office in Vietnam, they must provide certain specified internet services, collect and manipulate certain specified types of data, and such data has been implicated in a breach of the laws and, upon warning, the company failed to take action to remedy the breach.
The proposed data localisation requirements in Vietnam will only be imposed upon request. The Ministry of Public Security would be the ministry responsible for making such a request and have the option of requiring either the local storage of data, the opening of a branch or representative office, or both. Upon receipt of such a request, the service provider would have six months to comply with the request.
This proposal suggests that the purposes of the Government of Vietnam are not pecuniary, but in fact, security based. This is further supported by the preamble to the article in the proposed draft which states: “in the case of protection of national security, social order and safety, social ethics and health of the community . . .” The data localisation requirements in Vietnam, therefore, are for the interests of the public, not the country’s coffers.
But as I mentioned above, this proposal is still in draft form. It is unclear whether it will actually remain as proposed in the final legislation and when such legislation might be adopted and promulgated for enforcement.
Data localisation requirements in Vietnam have undergone, and are undergoing, a gradual shift from a broad and unenforceable requirement that all service providers store data in Vietnam to a much more specific imposition of data storage and onshore representation for the purposes of law enforcement to protect service users both in Vietnam and globally. A list of specific crimes contemplated to trigger the data localisation requirement in Vietnam includes:
- cyberattack, cyberterrorism, cyberespionage or cybercrime;
- causing a cybersecurity incident;
- attacking, infringing, or hijacking operational control of, or distorting, interrupting, stalling, paralyzing or destroying an information system critical for State security; and
- resisting or obstructing the operation of network security protection forces or illegally disabling or rendering ineffective network security protection measures.
- the provision, posting, or transmission of:
- information in cyberspace with contents that may be considered propaganda against the State of the Socialist Republic of Vietnam;
- information in cyberspace inciting riot, disrupting security, disturbing public order;
- information in cyberspace causing humiliation, slander;
- information in cyberspace with contents for violation of economic management order;
- information in cyberspace with fabricated or untruthful contents causing confusion amongst the citizens, causing loss and damage to socio- economic activities, causing difficulties for the activities of the State agencies or officials in performing their duties, or infringing the lawful rights and interests of other agencies, organizations and individuals; and
- Other information infringing upon State security; and
- Preventing the sharing with authorities or the removal of such information.
The above list is specific, for the most part, while leaving a large swath of discretion to Government authorities. The listed types of information violations that can trigger the data localisation requirements in Vietnam suggest that, more than security, the Government is concerned about its reputation. I won’t get into questions of censorship and human rights, but it is easy to see that the Government is being careful to maintain its rights to enforce certain interpretations on netizens operating in such a manner as to influence residents in the country.
Data localisation requirements in Vietnam remain in flux. Perhaps in the near future they will be finalized, but in the meantime enforcement is difficult and only companies providing specific internet services targeting Vietnam as a market–who would open a branch or representative office anyway–are truly subject to their requirements. Until such time as the draft decree is adopted there remains little the Government can realistically do to impose its will on foreign service providers.