Data Localization, Where We Stand
In 2018 the National Assembly passed the controversial new law on cybersecurity that subsequently went into effect on 1 January 2019. In addition to providing rules that allowed the government to arguably censor residents who posted objectionable content on the internet, it also expanded and simultaneously solidified the data localisation requirements in Vietnam.
“Both domestic and foreign companies providing services of telecommunications, internet, and value-added services in cyberspace in Vietnam that conduct the collection, exploitation, analysis, or processing of data of individuals, data about relationships of service users, or data generated by users in Vietnam must preserve that data in Vietnam during the time period regulated by the Government.”
Finally the Government provides specific requirements for what activities actually give rise to the data localisation requirements in Vietnam. Only those foreign companies providing services that access and use data of Vietnamese users must preserve that data within the territory of Vietnam. These requirements remain broad and far from concrete. Much like the GDPR in Europe, this requirement still could be interpreted to require a dog groomer in Idaho to maintain a server in Vietnam if that dog groomer collected data from an outlier Vietnamese visitor to her website. That alone prevents this requirement from being truly enforceable, but the language of the above legislation also provides a vaguely “to be defined” requirement as to the time period. Also, the preservation of “that data in Vietnam” does not specify how that data is to be preserved. Will a data cloud hosted in Vietnam be sufficient, or is the requirement of the 2013 decree requiring a physical server still in effect?
If that weren’t enough, the law on cybersecurity imposes a second, more onerous and controversial requirement on these service providers. Any company that provides the services described above must additionally open either a branch or representative office in Vietnam. Some commentators saw this as an effort by the Vietnamese Government to increase the reach of its regulatory authority by making anyone who provides internet services in the country open an office in the country.
Draft Decree dated 21 August 2019 guiding the LOCS (the “2019 Draft Decree Detailing the LOCS”)
Following the issuance of the Law on Cyber Security (LOCS) in the middle of 2018, the draft decree detailing the LOCS by the MPS was released on 31 August 2018 for public comment (the “2018 Draft Decree Detailing the LOCS”), in which is provided clarification for the LOCS’ requirement of data localization and establishment of representative offices by foreign entities.
Per Article 25.1 of the 2018 Draft Decree Detailing the LOCS, any enterprise, whether local or off-shore, which meets prescribed conditions, must conduct data storage onshore and establish a branch or representative office in Vietnam (the “Data Localization Regulation”). The Data Localization Regulation has raised concern both locally and internationally as sets obstacles for enterprises, especially off-shore enterprises, integrate and development technology in Vietnam.
This Data Localization Regulation was modified in a 2019 Draft Decree Detailing the LOCS. Accordingly, as per Article 26.1 of the 2019 Draft Decree Detailing the LOCS, the Data Localization Regulation is now as follows:
- The Data Localization Regulation shall be applied to protect the national security, social order and safety, social ethics and community health only. Other cases are excluded.
- The Data Localization Regulation shall be applied when there is sufficient basis to determine the following three elements:
In other words, an enterprise will only be subject to the Data Localization Regulation when all of the aforementioned conditions are met.
The Data Localization Regulation will only be applied upon the request of the Minister of MPS. The 2019 Draft Decree Detailing the LOCS also sets out the period for enterprises to implement the Data Localization Regulation, which is six (6) months as from the date of a decision of the Minister of MPS according to Article 26.4(c) therein.
When all of the conditions for applying the Data Localization Regulation are met as mentioned above:
- Local enterprises are responsible for data storing; and
- Off-shore enterprises are responsible for data storing and establishing a branch or representative office in Vietnam.
- Types of information to be stored include: data on personal information of service users in Vietnam; data generated by service users in Vietnam; and data on the relationships of service users in Vietnam, including friends, and groups with which the user connects or interacts.
- Regarding the period that data must be stored and a branch or representative office maintained, please refer to the table below:
| Subject to be governed | Period under the Draft Decree Detailing the LOCS |
| Data on personal information of service users in Vietnam | ü In accordance with the period of the storage request;
ü At least 12 months |
| Data generated by service users in Vietnam | ü In accordance with the period of the storage request;
ü At least 12 months |
| Data on the relationships of service users in Vietnam | ü In accordance with the period of the storage request;
ü At least 12 months |
| Maintaining branch/representative office in Vietnam | ü From: the date of receiving request;
ü To: the date enterprise no longer operates in Vietnam; or stipulated services are no longer provided in Vietnam |
| The system log for the purpose of investigating and processing breaches of the law on cybersecurity | ü Not exceed 12 months;
ü At the request of the DOCS & HCP |
Data Localization, An Update
Earlier this year, the Ministry of Public Security (MPS) disclosed to a meeting of interested chambers of commerce that the enforcement of the data localization rules of the LOCS will only be applied in certain circumstances. Namely, the MPS requires that should information posted on a website or app be on the list of prohibited content, and the service provider has received a request from the MPS or other authorities to remove the content, and the service provider fails to remove the content, then, and only then, will the MPS require the data localization occur.
While this is a nifty update, it is unofficial and made as a verbal statement during a meeting to discuss the draft decree. We have yet to see a specific regulation passed and promulgated which actually spells this detail out. However, when that occurs, we will update you accordingly. Until then, this is the best we’re going to get as far as clarity on data localization.
