Do foreign enterprises have to store their data in Vietnam?

November 8, 2023

Data is becoming increasingly valuable. Most service-based companies live off data collected from their clients; prime examples include social media networks such as Facebook and search engines such as Google, where user data is used for commercial purposes on a daily basis. This reality is becoming more and more prevalent in the modern world. Countries and governments are also taking note of this invisible resource, which is being exploited by domestic and foreign enterprises without government oversight. As a result, many countries have adopted regulations that force enterprises to localize data within their territory. Vietnam is also beginning to catch on to this trend. Relevant to the topic at hand are the Cybersecurity Law 2018 (“Cybersecurity Law”) and the recently issued guiding Decree No. 53/2022/ND-CP (“Decree”).

KEY TAKEAWAYS:
– Certain kinds of data must be stored in Vietnam;
– Foreign enterprises in certain businesses, such as e-commerce, online payment and telecom, must store data in Vietnam;
– The minimum amount of data storage time in all cases is 24 months;
– Foreign service providers are also obligated to set up branches/representative offices upon the request of the Minister of Public Security.

General regulations

In 2018, Vietnam’s National Assembly passed the Cybersecurity Law with the main purpose of providing protection for national security and public order in cyberspace. This law is one of the many first steps of the Vietnamese government into the realm of personal data protection. Pertaining to the topic of the article, clause 3 of Article 26 of the Cybersecurity Law states that:
“Domestic and foreign providers of telecommunications services, internet services and value-added services in Vietnam’s cyberspace that collect, exploit, analyze or process data on personal information or data about relationships of their service users or data created by their service users in Vietnam shall store such data in Vietnam for a specific period of time pursuant to regulations of the Government.
 Foreign enterprises mentioned in this Clause shall open branches or representative offices in Vietnam.”
By mandating the storage of data in Vietnam, the Vietnamese government would have much better control over the data and its usage. Since this provision applies to both domestic and foreign enterprises, it also helps to prevent data leakage from within the country. Requiring foreign enterprises that process Vietnamese users’ data to establish branches or representative offices in Vietnam would also make it easier to hold such enterprises accountable. However, this regulation also raised a lot of concern, since it covers a broad scope of foreign enterprises and contains vague terms such as “value-added service in Vietnam” and “data storage”. These concerns persisted for 4 years after the adoption of the law, and the Decree seems to make matters crystal clear.

What kind of data must be stored in Vietnam?

The Decree provides guidance on the Cybersecurity Law and further elaborates Article 26 of the law. According to Article 26 of the Decree, the following data must be stored in Vietnam (‘Applicable Data’):

a) Data on personal information of service users in Vietnam;
b) Data created by service users in Vietnam: account names, service use time, credit card information, emails, IP addresses of the last login or logout session, and registered phone numbers in association with accounts or data;
c) Data on relationships of service users in Vietnam: friends and groups that users have connected or interacted with.
It can be observed that the above regulation applies only to the data of service users in Vietnam, including Vietnamese citizens and foreigners. This means that the regulation still targets only data in the commercial sector rather than personal data as a whole: personal data not collected from service users, such as data on employees, is exempted from this requirement.

Which foreign entities must store data in Vietnam?

Foreign enterprises in certain businesses must store data in Vietnam

Foreign enterprises conducting business in the following fields are obligated to store user data in Vietnam upon the request of the Minister of Public Security (‘Applicable Enterprises’):
a) telecommunications services;
b) storage and sharing of data in cyberspace;
c) provision of national or international domain names for service users in Vietnam;
d) e-commerce;
e) online payment;
f) payment intermediaries;
g) services of connection and transportation in cyberspace; social media and social communication;
h) online games;
i) services of provision, management, or operation of other information in cyberspace in forms of messages, calls, video calls, emails, and online chatting.
The Decree elaborates in detail which foreign enterprises are subject to data storage, while neglecting to do the same for domestic enterprises, because foreign enterprises are the main focus of this specific regulation. The regulation specifically calls out and targets such enterprises to ensure that there is no ambiguity.

Also on the differences between foreign and domestic enterprises: Article 26.3 of the Cybersecurity Law 2018 states that domestic and foreign providers of telecommunications services, internet services and value-added services in Vietnam’s cyberspace that collect, exploit, analyze or process data on personal information or data about relationships of their service users or data created by their service users in Vietnam shall store such data in Vietnam for a specific period of time pursuant to regulations of the Government. Article 26.2 of the Decree, by contrast, simply states that domestic enterprises have to store the Applicable Data in Vietnam. As we can see, there is a contradiction here: the Decree completely ignores the condition regarding the services being provided by the enterprise and simply states that all domestic enterprises (regardless of whether they are service providers) have to store their data in Vietnam (indefinitely). This clear difference in treatment between domestic and foreign enterprises hampers domestic enterprises’ abilities and deters foreign enterprises from setting up subsidiaries in Vietnam, considering the mandatory local data storage requirement. Forcing domestic enterprises, regardless of type and business sector, to store data in Vietnam indefinitely could seriously lower the appeal of setting up subsidiaries in Vietnam in the eyes of foreign enterprises, since they would have to set up a data storage center in Vietnam.

Conditions to trigger the data localization in Vietnam

However, not all foreign enterprises providing the above services are required to store their data in Vietnam. The regulation applies only when all of the following conditions are met:
i. the service provided by the enterprise is used to commit violations of the Law on Cybersecurity; and
ii. the Cybersecurity and High-Tech Crime Prevention and Control Department of the Ministry of Public Security has notified and requested coordination, prevention, investigation, and handling in writing; and
iii. the concerned enterprise fails to comply, fails to comply fully, or prevents, obstructs, disables, or invalidates network security protection measure(s) performed by the force specialized in network security protection (‘Applicable Cases’).

Duration for which data must be stored in Vietnam

According to Article 27 of the Decree, for foreign enterprises the storage period begins when the enterprise receives the request for data storage from the Minister of Public Security and ends when the request terminates; the storage period is therefore determined by the data storage request. The minimum amount of storage time in all cases is 24 months.
Furthermore, when the request from the Minister of Public Security arrives, the enterprise shall have a maximum of 12 months to complete the storage of the data in Vietnam. In the event of force majeure where the foreign enterprise cannot comply with the data storage requirement, it shall notify the Cybersecurity Department within 03 working days for verification. Such foreign enterprises shall also have 30 days to remedy the situation.

On a side note, in accordance with clause 3 Article 27 of the Decree, system logs used for investigating and handling legal violations regarding cybersecurity pursuant to point b, clause 2 Article 26 of the Cybersecurity Law 2018 must be stored for a minimum of 12 months.

Data storage format

Article 26.5 of Decree No. 53/2022 stipulates that the data storage format in Vietnam shall be up to the discretion of the enterprise.

Set up branches/representative offices in Vietnam

In the Applicable Cases listed above, foreign service providers are also obligated to set up branches and representative offices upon the request of the Minister of Public Security, and the service provider shall have a maximum of 12 months to complete the establishment according to point c, clause 6 Article 26 of the Decree. The branches and representative offices shall be maintained for as long as the enterprise is operating in Vietnam or the prescribed services are being provided in Vietnam.
However, this raises the question: “If a foreign company has already established a subsidiary in Vietnam and still falls within the Applicable Cases above, would it have to set up additional branches/representative offices in Vietnam?”. According to the regulations stated above, the answer to the question is “Yes”. From the perspective of the State, the main goal in mandating the establishment of branches and representative offices is to hold foreign enterprises accountable. A subsidiary, on the other hand, is a separate legal entity and therefore does not share the legal liability of its parent company. However, from the perspective of foreign enterprises, this regulation is counter-intuitive, since a subsidiary is already the highest form of commercial presence. Forcing foreign enterprises to set up branches/representative offices despite the existence of a subsidiary, only to cooperate with the State in certain cases, does not seem to be the optimal solution. The cost-benefit ratio of the regulation could deter foreign enterprises from setting up subsidiaries in Vietnam and lead them to set up branches/representative offices instead. This could in turn hamper economic growth and foreign investment into Vietnam. Considering that companies operating in cyberspace are becoming more and more common and are taking up a large portion of the global market, this regulation could certainly impact the attractiveness of the Vietnamese market.
Another interesting aspect which warrants attention is the responsibility of the branches of foreign enterprises. Branches under Vietnamese laws are allowed to provide services to clients, so would the branches have to comply with the regulations and store the Applicable Data in Vietnam? Decree 53/2022 only stipulates that foreign enterprises have to comply with the regulations; at the same time, it defines foreign enterprises as enterprises established or registered under foreign laws. In this case, while branches are parts of the foreign enterprise, they are still established under Vietnamese laws. As such, there is room to argue that branches of foreign enterprises do not fall under the scope of this regulation and thus are not obligated to comply with data storage requirements. However, this is only a theoretical assumption. In reality, such questions can only be answered concretely by the competent State authorities.

Other requirements related to data storage

In addition to the requirements stated above related to data storage in Vietnam, domestic and foreign enterprises must also take note of the following general requirements:
(a) Where an enterprise does not collect, exploit, analyze and process all of the Applicable Data, the enterprise must coordinate with the Cybersecurity Department to confirm this and proceed to store the data currently being collected, exploited, analyzed and processed.
(b) Where an enterprise collects, exploits, analyzes and/or processes additional Applicable Data, the enterprise is responsible for coordinating with the Cybersecurity Department to supplement the list of data that must be stored in Vietnam.

Assessment of the regulations

The author notices that the regulations above were designed mostly for security purposes. Such regulations help government agencies to quickly handle violations or directly intervene if necessary. On the surface, this would greatly increase data security in Vietnam and help to prevent overseas violations. However, there are also adverse effects on the enterprises themselves, especially foreign enterprises. One such effect is the cost incurred from setting up data storage facilities, branches or representative offices. Tech giants could shoulder such costs. For example, Google and Facebook have complied with the regulations of most countries around the world regarding the localization of data. Google has set up 70 representative offices while Facebook has set up 80 of the same around the world. In South East Asia alone, Google and Facebook have set up representative offices in Singapore (both also set up data storage servers in this country), Malaysia, and Indonesia (Facebook also set up a data center pursuant to Indonesian laws in 2014). On the other hand, it is uncertain whether small to medium foreign tech companies can do the same. This could make the Vietnamese market unappealing to foreign enterprises operating in the field of data.
Looking around the world, currently, 18 member nations of the WTO (including the US, Canada, Australia, Germany, France) have regulations that stipulate the storage of data within their territories. Vietnam enacting these regulations is therefore in line with the overall trend of data protection in the world. However, whether our regulations are optimal and suitable for the current situation in Vietnam is still up for debate. Whether the pros of this provision outweigh the cons is something only time can tell. In the current data landscape, changes are inevitable and every country must prepare itself for the future.


________

[1] Article 2.1 of Decree: “Data on personal information” is data on information in the form of symbols, letters, numbers, images, sounds, or equivalences to identify an individual.

[2] Article 2.3 of Decree: “Service users in Vietnam” are organizations and individuals using cyberspace in the territory of the Socialist Republic of Vietnam.

[3] [definition of foreign enterprises]

[4] Decree 53/2022/ND-CP art 26(3)(a)

[5] Decree 53/2022/ND-CP art 26(3)(a)

[6] Decree 53/2022/ND-CP art 27(1)

[7] Decree 53/2022/ND-CP art 26(6)(c)

[8] Decree 53/2022 art 2.12

[9] Tra Vinh Public Security, ‘Regulations on data storage, establishment of branches or representative offices in Vietnam of the Cybersecurity Law is compatible with international practices’ (Tra Vinh Public Security, 25 December 2019) <http://congan.travinh.gov.vn/catv/ch10/802-Quy-dinh-ve-luu-tru-du-lieu-dat-chi-nhanh-hoac-van-phong-dai-dien-tai-Viet-Nam-cua-Luat-An-ninh-mang-hoan-toan-phu-hop-voi-thong-le-quoc-te.mhtml> accessed 7 November 2022.

[11] Thanh Thuy Pham, ‘What are the regulations regarding setting up servers in Vietnam?’ (Luat su X, 26 August 2022) <https://luatsux.vn/quy-dinh-ve-dat-may-chu-tai-viet-nam-nhu-the-nao/> accessed 5 November 2022.

