Data plays a critical role in the global economy. Various governing philosophies and international commitments of countries have nurtured many different approaches to data governance. Pundits classify the approaches into three broad categories—the open model, the control model, and the limited model. China often stands out as a textbook-limited model in the literature, but not every country that falls into this category adopts utterly the same data policies as China. Recent legal and regulatory developments indicate that Vietnam is another limited model country that is worth examining.

Vietnam and China share national security and cybersecurity priorities in data governance, but the former’s approach to data deviates from the latter. There are several key laws underpin Vietnam’s data regime: the Law on Information and Technology, the Law on Cyberinformation Security, and the Law on Cybersecurity (CSL). The authors highlight that the CSL, along with Decree 53 (guiding Cybersecurity Law) and Decree 13 (on Personal Data Protection) are of utmost importance.

The national security concern leads to relatively stringent data localisation requirements. Decree 53 mandates that domestic firms localise data for at least 24 months. Foreign companies face fewer constraints thanks to external pressures exerted by trading partners and international obligations. Only those that operate in 10 specific sectors and violate cybersecurity regulations are required to store data in Vietnam. Compared to the conventional sector-specific and data-specific approaches adopted by China and the US, this approach is more friendly to foreign businesses in Vietnam.

Decree 13 outlines procedures for cross-border data flow. Data can be legally transferred out of Vietnam if the firms submit impact assessment reports to the Ministry of Public Security within 60 days of data processing commencement for inspection. Following the completion of the data transfer, a written notice must be sent to the Ministry.

Notably, the ex-post accountability approach of the finalised Decree 13 departs significantly from its initial draft. Under the draft Decree 13, data controllers and processors will have to meet various conditions simultaneously and obtain a written agreement from the data authority of Vietnam. The government noticed that this ex-ante approach might impede the free flow of information and revised the draft.

The authors highlight that the origin-based treatment of data localisation and eased cross-border data flow mechanisms are both heavily influenced by Vietnam’s international agreements. Vietnam is a party to the Association of Southeast Asian Nations (ASEAN) and two mega-regional preferential trade agreements: Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and Regional Comprehensive Economic Partnership (RCEP). These trade agreements contain an extensive data governance regime, which includes restrictions on data localisation, prohibitions on the ban of data flows, and personal information protection. Therefore, Vietnam has been taking progressive steps to align its data-related regulations with international commitments.

Vietnam showcases how a security-driven limited model can accommodate multilateral data provisions with innovative approaches. The international commitments play a crucial role in Vietnam’s progress in developing a business-friendly limited model. Countries that wish to prioritise national security and cybersecurity without greatly harming international commitments and digital trade might learn from Vietnam’s experience.

By XU, Ni Scarlet     

Researchers: PHAN, Thi Hong Hanh and BANH, Thi Hang