MNCs seek legal data localisation updates

Harmonisation of frameworks can ensure data is more secure, photo Le Toan

One official of the ministry admitted that current regulations, guided through Decree No.53/2022/ND-CP published in 2022, may not be suitable for all businesses.

“Entities subject to the regulation can contact for further guidance on how to resolve any practical difficulties they may encounter. If there are significant obstacles, the ministry can ask for changes in current regulations to ensure a fair legal environment,” he said.

In January, the Digital Sector Committee (DSC) of the European Chamber of Commerce in Vietnam (EuroCham) raised some issues with Decree 53.

The decree details a number of articles of the Law on Cybersecurity, which provides strong requirements on data localisation and local office establishment. The legislation requires government agencies and domestic enterprises to store certain types of data in Vietnam, while mandating both local storage and physical presence in Vietnam of foreign enterprises in stipulated instances.

Bruno Sivanandan, co-chairman of the DSC, said, “Decree 53 impacts both government bodies and domestic enterprises. We seek explicit guidance on the definition of a domestic enterprise in the context of a local branch of an offshore company.”

He elaborated that additionally, the potential clash between the data localisation requirements of Decree 53 and the cross-border data transfer rules regarding personal data protection raises concerns about regulatory inconsistencies. A definitive procedure for cross-border data transfer, including the acceptability of duplicating data in Vietnam while transmitting it abroad, is crucial.

For example, in the banking industry, the State Bank of Vietnam enables foreign branches to host and process users’ data abroad, in their headquarters. However, Decree 53’s data localisation provisions and the cross-border data transfer rules of personal data protection may create conflict with other existing regulations. At present, therefore, there is a risk that companies, especially foreign ones, are experiencing difficulties in their compliance efforts.

EuroCham also proposes harmonisation of the data protection framework. The European Union boasts the General Data Protection Regulation (GDPR) and various other digital service and governance acts. Meanwhile, Vietnam has updated and continued to develop the legislation on cybersecurity and a decree on management and use of internet services and online information, as well as the Law on E-transactions, among others.

In light of the National Digital Transformation Programme to 2025, with orientation to 2030, Vietnam is ardently working to develop its digital government, economy, and society. It is also establishing local digital businesses with improved global competitiveness and capacity.

However, conflicts may arise for companies already subject to EU-GDPR and Vietnamese companies doing business with EU data subjects that need to comply with GDPR, EuroCham said.

“To achieve a unified digital framework, the disparities between Vietnamese regulations and the GDPR must be addressed. We advocate for a facilitating entity and a collaborative approach with relevant institutions from both sides to help companies to comply with these regulations and ensure smooth data flow,” Sivanandan recommended.

In anticipation of great growth potential of data in the country, multinationals are expanding in this field. In particular, US-based Amazon Web Services, the largest cloud service provider globally, is expanding its footprint in Vietnam and other ASEAN markets. It now operates two AWS Edge locations in Hanoi and Ho Chi Minh City, and has been further strengthening its network of customers and partners in Vietnam by signing various cooperation agreements.

Microsoft and Google are also seeking new opportunities in the country in areas such as cloud computing, data, and AI.

Rules for localisation of data need clearer guidance In past years, we witnessed the great efforts Vietnam has put into building a regulatory framework for digital technologies. Less than two years ago, the government issued Decree No.53/2022/ND-CP guiding the implementation of the Law on Cybersecurity (LoC), detailing regulations on data localisation in Vietnam.