Data localization, often referred to as the requirement to store data physically within a nation’s borders, first appeared in Vietnamese legislation in Decree 72/2013/ND-CP as an obligation for certain internet service providers to have “at least one server” located in Vietnam. The provision, however, did not have much practical impact: there was no specific localization guidance, the application scope was not clear, and localization was required only to the extent that it would “satisfy the inspection, storage, and provision of information at the request of competent authorities, and settlement of customers’ complaints” (Articles 24.2, 25.8 and 28.2 of Decree 72/2013/ND-CP). It was not until 2018, with the passing of the Law on Cyber Security, that the data localization requirement became a reality. Article 26.3 of the Law on Cyber Security states as follows:

Domestic and foreign service providers on telecom networks and on the Internet and other value added services in cyberspace in Vietnam carrying out activities of collecting, exploiting, analyzing and processing data being personal information, data about service users’ relationships and data generated by service users in Vietnam must store such data in Vietnam for a specified period to be stipulated by the Government.

Foreign enterprises referred to in this clause must have branches or representative offices in Vietnam.

It is difficult to enforce the aforementioned article because the scope, again, appears to be overly broad considering its intended purpose, and the Law on Cyber Security itself provides that the Government shall guide the implementation of Article 26.3. The Government is in the process of drafting a decree pertaining to such guidance; however, the draft has been pending for more than 2 years, and after several drafts it is still unclear what the details of the data localization requirement will be.

In addition, lately we have observed that the country is also endeavoring to apply the data localization requirement to other regulations; in particular: cross-border personal data transfer, under the draft Personal Data Protection Decree; and data storage by insurance service providers, under the draft Amended Law on Insurance Business.

The table below summarizes the specific requirements on data localization, which may be included in future laws and regulations: 

Businesses seem to be reluctant to comply with such requirements, which are said to create a huge financial burden with respect to placing a server onshore. Further concerns raised are cyber security and natural disasters. Due to localization, a large amount of data will be located in one place, which may lead to hacking incidents of greater magnitude and to total destruction of the data in a catastrophe.

It is apparent that data localization legislation is a rising trend, and Vietnam may add the requirement to localize data to other laws. Further updates to the laws will be discussed in the future.