In this age of technology, it is often said that the most valuable resource is no longer oil or gas but data. In recent years, the Vietnamese government has attempted to follow global best practices in regulating data. One critical aspect of these new legislative attempts has to do with Vietnam’s data localization requirements. This article articulates the basic principles concerning these still-developing localization requirements.
In more detail Definition and terms The Law on Digital Transactions No. 51/2005/QH11 dated 29 November 2005, defines "data" (dữ liệu) as information in the form of symbol, script, number, image and sound or of other similar forms. Data localization should be distinguished from the relatively similar but separate concept of data sovereignty. Data sovereignty refers to the idea that data are subject to the law s and governance of the jurisdiction in w hich they are collected. This is evident w here national regulations state that they govern any personal data of the citizens of that country, regardless of w here thos e data are stored. Indeed, each jurisdiction may have different rules relating to that same matter, and as such, each is said to claim "sovereignty" over such data. Data localization takes a step further by requiring that the initial collection, processing and storage of a citizen's data occur first w ithin national boundaries. Data localization in Vietnam Data localization requirements in Vietnam are taking shape in three legislations. The first legislation is the Law on Cybersecurity 2018 ("Cybersecurity Law "). The relevant provision is as follow s: Article 26. Ensure cyberspace security 3. Onshore and offshore enterprises providing services on telecommunication netw orks or the Internet, value-added services on the cyberspace in Vietnam and w ho collect, exploit, analyze, process data about personal information, data about the service users' relationships, data created by service users in Vietnam must store such data in Vietnam for a period specified by the Government. Foreign enterprises under the scope of this paragraph must establish a branch or a representative office in Vietnam. 4. The Government shall stipulate this paragraph in detail. The scope of the above provision is broad and includes every enterprise that provides any service over cyberspace and that processes personal data (preemptive approach). Currently, there are no exceptions to this rule, and these service providers must store the customers'/users' personal data in Vietnam. Thus, for example, if a movie VOD service provider makes available their service on the internet, and users, to w atch he movies, must create an account w ith their name, email or phone number, the VOD provider is required to physically store the data on such users w ithin the Vietnamese border. The government has drafted a decree clarifying several provisions of the Law on Cybersecurity ("Cybersecurity Decree"). Artic le 26 of the decree stipulates that only foreign providers of certain prescribed services (domain name service, e-commerce, online