Rules for localisation of data need clearer guidance

February 09, 2024 | 21:56
In past years, we witnessed the great efforts Vietnam has put into building a regulatory framework for digital technologies. Less than two years ago, the government issued Decree No.53/2022/ND-CP guiding the implementation of the Law on Cybersecurity (LoC), detailing regulations on data localisation in Vietnam.

However, there is now a case that the regulations in Decree 53 need to be made more consistent with the LoC. Most of all, we need more specific instructions and processes so that domestic and foreign businesses can implement them more simply and effectively.

Hoang Viet Tien, deputy secretary general, Vietnam Digital Communication Association

The main gain for Vietnam from a cybersecurity and data protection point of view is a boost in productivity for companies operating on its territory. The number of digital tools, and along with it the amount of data that is processed, is growing exponentially.

While the relevant regulations need to reflect and frame the usage of digital tools and the related processing of data, they must not hinder the digital transformation of businesses. If companies operating in Vietnam hesitate to implement the newest digital technologies for fear of non-compliance, their productivity will fall behind that of companies able to implement such tools in jurisdictions with clearer guidance, where a long-term digital transformation strategy can be designed.

This issue is even more daunting for international companies that have to comply not only with Vietnamese regulations, but also with equivalent ones in other regions they operate in. Any rule in Vietnam constraining how they can implement their IT system, for example, will reduce the attractiveness of the country compared with other options.

For example, Decree 53’s rules for the implementation of the LoC’s data localisation and local office requirements cast a wide net and capture many entities. It is important to provide clear guidelines to companies concerned by the regulations. The data localisation measures will not necessarily boost security by much, and the physical placement of the data has no bearing on security.

Meanwhile, Vietnamese businesses should be allowed to store and process their data in the most secure data centres, which are audited against global security and privacy standards by independent third parties. Only global service providers can give this degree of security in this area.

Decree 53 requires government agencies and domestic enterprises to store certain types of data in Vietnam, while mandating both local storage and physical presence in Vietnam of foreign-invested enterprises (FIEs) in stipulated instances.

The decree stipulates that businesses can decide the form of storage. This regulation can provide businesses with significant flexibility in deciding how to store localised data in Vietnam. However, it is unclear whether the enterprises must store localised data in a form readable by competent authorities or whether enterprises can store localised data in encrypted form or in non-electronic form.

According to Decree 53, the minimum data storage period is 24 months from the date the business receives the data storage request. It needs to be indicated more clearly whether this storage period applies only to FIEs or to both domestic enterprises and FIEs. This is because only FIEs receive data storage requests from authorities in certain cases. If the storage period does not apply to domestic businesses, it is unclear how long domestic businesses must store data.

According to Vietnamese law, FIEs can only establish branches if Vietnam commits to allowing the establishment of branches in relevant international treaties. Therefore, it is possible that the establishment of a representative office is a better option. However, it is unclear whether a branch or representative office in Vietnam of a foreign enterprise is responsible for complying with the LoC and Decree 53.

Decree 53 requires three types of data to be stored in Vietnam: personal information of service users in Vietnam, data created by service users in Vietnam, and service users’ relationships in Vietnam.

The decree fails to clearly stipulate whether data localisation requirements are applied to an enterprise that carries out all three activities of collecting, analysing, and processing localised data, or to businesses performing any of these activities.

A clear process is required to enable cross-border data transfer when needed. At the moment, the language of Decree 53 is unclear as to whether keeping a copy of the data in Vietnam, while sending data abroad, is compliant or not. Therefore, clarification in the form of official written guidance is needed for compliance purposes because international companies must send data to their headquarters in the process of their operations.

In the past, we saw the widespread use of personal data and its negative impact on the market, directly affecting people whose personal data was misused. We also saw many consequences of this in the era of digital explosion.

Nevertheless, there have been some positive impacts on the market in recent times. For example, personal data is better protected, spam services have been significantly reduced, and we have sanctions against unhealthy businesses.

State management agencies, for their part, can evaluate the effectiveness of applying the law and have specific sanctions to punish businesses that violate the rules in the digital environment, creating a favourable business environment for domestic and foreign businesses.

As authorised agencies consider the problems, hopefully this year we will have guiding circulars so that domestic firms and FIEs can comply with the requirements of Decree 53.

By Viet Tien
