Last week, I posted our firm’s coverage of the new decree for implementation of the law on Cybersecurity in Vietnam (the “Decree”). This week I want to look at some of the effects this will have on enterprises doing business in Vietnam. As a base definition, data localization roughly means a requirement that data collected from the residents of a certain location remain within that location. In this case, a national jurisdiction.

Starting at the macro level, and according to Wikipedia (here), there are a baker’s dozen of countries that impose some form of data localization regulations. They include:

  1. Australia,
  2. Canada (certain provinces)
  3. China
  4. Germany
  5. India
  6. Indonesia
  7. Kazakhstan
  8. Nigeria
  9. Russia
  10. Rwanda
  11. South Korea
  12. Spain
  13. Vietnam

The European Union has contemplated rules to limit member states from implementing data localization protocols as a protectionist policy that would hinder the economic development of the EU. This gives rise to the observation that, in the CPTPP, RCEP, and the E-VFTA, Vietnam has agreed to reduce non-tariff obstacles to investment and trade. As the data localization requirement in Vietnam is so recent, there has yet to be an opportunity for treaty partners to weigh in with their responses. However, it is conceivable that data localization will be seen as a hindrance to investment and give rise to application of dispute resolution measures.

The consequences here could be much larger than Vietnam’s government contemplated. The data localization requirement automatically applies to Vietnamese enterprises. Vietnamese enterprises which are broadly defined to include “enterprises that are established or registered for establishment according to the laws of Vietnam and that have their head office in Vietnam.” For a head office to be considered as located in Vietnam, it must have an address for the purposes of contact, confirmation from the relevant administrative unit, and maintains a phone number, fax number, or email (if any).

Application of the data localization requirements might be applicable to foreign companies incorporated within Vietnam as incorporation requires the operation of a head office in the country. This would appear to include joint ventures and even 100% wholly foreign owned enterprises that are incorporated according to the 2020 Enterprise Law. Herein lies the biggest obstacle from the Decree.

Internationally linked enterprises currently in Vietnam constitute a major contribution to the country’s economy. And many of these companies operate continuing data transfers across their international footprint. Take for instance, international law firms or banks. They regularly communicate data regarding clients and activities cross border. From its definition, they are likely now required to cease such activities and hold specific types of data in situ.

In review, the types of data that must be localized includes: (i) personal information of service users in Vietnam; (ii) data generated by service users in Vietnam; and (iii) data regarding the relationships of service users in Vietnam. This means that any enterprise in Vietnam possessed of an enterprise registration certificate will not be allowed to transfer these types of data, regardless of their previous policies regarding data sharing. And the time left to comply is less than three weeks until the Decree comes into effect, a very large task awaits.

Compliance is easier for cross border providers.

The application of the data localization on “foreign enterprises” includes those enterprises that are incorporated under a foreign nation’s laws. Even then, not every foreign enterprise offering cross border services is required to comply. The business sectors in which the foreign enterprise acts and that give rise to application of the data localization requirements include:

(i) telecom services; (ii) services of data storage and sharing in cyberspace (cloud storage); (iii) supply of national or international domain names to service users in Vietnam; (iv) e-commerce; (v) online payment; (vi) intermediary payment; (vii) service of transport connection via cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) services of providing, managing, or operating other information in cyberspace in the form of messages, phone calls, video calls, email, or online chat.

From a review of these sectors, there is a definite theme, telecommunications and internet-based services dominate the list. Traditional hard assets or trade goods delivered through brick and mortar stores or freight transport may, according to relevant trade agreements, be provided cross border and will not need to comply with the data localization requirement. Nor, in fact, will most foreign enterprises providing digital services to Vietnam. A good thing as the list encircles huge MNCs like Google, Meta, AirBNB, Paypal, Visa, and a host of others. So long as enterprises cooperate with the authorities of Vietnam, they will escape the data localization requirements. In addition to being included in the list of sectors to which the requirements apply, such services must be used to violate Vietnam’s cybersecurity law in order to trigger the data localization requirements.

The following is a sample of the potential violations of the cybersecurity law which would trigger the data localization requirements. This list is not complete as there are several pages, but demonstrative.

  1. Information in cyberspace with contents being propaganda against the Socialist Republic of Vietnam comprises:
    1. Distortion or defamation of the people’s administrative authorities;
    2. Psychological warfare, inciting an invasive war; causing division or hatred between [Vietnamese] ethnic groups, religions and people of all countries;
    3. Insulting the [Vietnamese] people, the national flag, national emblem, national anthem, great men, leaders, famous people or national heroes.
  2. Information in cyberspace with contents inciting riots, disrupting security or causing public disorder comprises:
    1. Calling for, mobilizing, instigating, threatening or causing division, conducting armed activities or using violence to oppose the people’s administrative authorities;
    2. Calling for, mobilizing, inciting, threatening, or embroiling a mass/crowd of people to disrupt or oppose people [officials] conducting their official duties, or obstructing the activities of agencies or organizations causing instability to security and order.
  3. Information in cyberspace which causes embarrassment or which is slanderous comprises:
    1. Serious infringement of the honour, reputation/prestige or dignity of other people;
    2. Invented or untruthful information infringing the honour, reputation or dignity of other agencies, organizations or individuals or causing loss and damage to their lawful rights and interests.
  4. Information in cyberspace which violates economic management order comprises:
    1. Invented or untruthful information about products, goods, money, bonds, bills, cheques and other valuable papers;
    2. Invented or untruthful information in the sectors of finance, banking, e-commerce, e-payment, currency trading, capital mobilization, multi-level trading and securities.
  5. Information in cyberspace with invented or untruthful contents causing confusion amongst the Citizens, causing loss and damage to socio-economic activities, causing difficulties for the activities of State agencies or people performing their public duties [or] infringing the lawful rights and interests of other agencies, organizations and individuals.

One more requirement exists before the foreign enterprise providing cross border services will be required to localize data and maintain a local presence via a branch or representative office in the country. That requirement is that, upon information and request of the relevant department under the Ministry of Public Security, the foreign enterprise failed to comply, failed to fully complied, or otherwise challenges any method of dealing with the breach recommended by the cybersecurity task force.

That’s it. But it does greatly extend Vietnam’s control of data originating in the country. I am wary to point to any example from the twelve other countries who enforce data localization requirements, but it does smell a bit of an attempt to limit certain information critical of Vietnam from appearing on the Vietnamese inter webs. It also may be a step in the government’s ongoing efforts to impose tax duties on large international telecommunications and internet service providers who have a major role in advertising cross border into Vietnam.

One other point, if a foreign enterprise falls within all three of the requirements listed above and are required to localize their data and incorporate a presence in the country, they will have 12 months from the receipt of such enforcement notice to comply. A bit more 1984 than Brave New World, but still a large step for a country on its way to becoming an emerging market.