On October 1, a decree that requires international firms with services in Vietnam to store users’ data within Vietnamese territory and set up local offices went into effect, reported Vietnam Express.

This new decree is an addition to Vietnam’s existing Cybersecurity Law. It stipulates that data belonging to users, from account information to data about users’ relationships, must be stored in Vietnam for at least 24 months. International firms must complete data storage requirements and set up local offices within 12 months of being asked to do so by the Ministry of Public Security.

In early September, US business groups representing technology companies such as Amazon, Google, and Meta said in a letter to Prime Minister Pham Minh Chinh that this law may affect investments and make it difficult for companies to assess the cost of doing business in the Southeast Asian country, reported Bloomberg.

Vu Tu Thanh, the Vietnam representative of the US-Asean Business Council, told Bloomberg that the new decree was drafted with a view to balancing economic interests and national security, and is more flexible than previous drafts.

An opinion piece on Nikkei Asia also highlighted that the decree may provide further leverage for the country’s censorship requests to Big Tech.

Data localisation across the world

Vietnam’s decree is part of a broader trend of data localisation in Southeast Asia and the world. Data localisation refers to the practice of:

  1. requiring data to be collected, processed, and/or stored within a nation’s borders, so that foreign actors cannot access it
  2. requiring a copy of data to be kept in local servers or data centres, such that law enforcement agencies can access such data if found necessary
  3. placing limits on the transfer of personal data across borders

The primary reasons for data localisation laws involve matters of national security. For instance, in June 2022, the Chinese-owned social media app TikTok said that it planned to move the private data of American citizens to cloud servers in the US to allay privacy concerns, reported The New York Times. Keeping the data of American citizens within America may lower the risk of foreign governments accessing such data.

Storing data locally may also help local law enforcement agencies access data if necessary.

From 2013 to 2018, US law agencies were embroiled in a legal battle with Microsoft when the company refused to hand over data stored in a data centre in Ireland, according to TechCrunch. The case was eventually resolved with regulations that stipulated that companies must provide information properly requested by law enforcement regardless of location.

Countries may also impose limits on the transfer of personal data across borders if they assess that data protection regimes in other jurisdictions may not be adequate. For instance, the EU’s General Data Protection Regulation (GDPR) stipulates that personal data can only be transferred beyond the EU to external parties if the recipient country possesses a level of data protection equivalent to that of the EU.

In a journal article in the Asian Journal of International Law, Benjamin Wong from the National University of Singapore found low but significant levels of data localisation within ASEAN, with countries such as the Philippines, Singapore, and Thailand possessing restrictions on the transfer of personal data across borders until certain standards of data protection are met.

Countries like Indonesia and Vietnam have regulations on processing and storing personal data within the nation’s borders, as well as on hosting a local copy of data. East Asia Forum reported that Indonesian regulations require all public sector data to be managed, stored, and processed within the country.

Costs of data localisation

However, data localisation may come at a cost to economic growth and investments, as well as inhibit the performance of certain technologies.

First, data localisation imposes additional costs on companies, which may have to spend additional resources on setting up server rooms, data centres, and local offices, says Lim May-Ann, Emeritus Director of the Asia Cloud Computing Association. Larger countries may require more servers and infrastructure to properly serve the market, leading to high compliance costs for businesses.

If the cost is too high, companies may choose to pull out or suspend operations. In 2016, online payments company PayPal suspended operations in Turkey as a result of new regulations that required companies to fully localise their information systems within the country, reported TechCrunch.

Data localisation can also impede free trade and affect the regional economic development of ASEAN. Wong noted in his journal article that such policies could obstruct businesses’ access to foreign markets. This may run counter to the stated aims of the ASEAN Framework Agreement on Services, which aims to liberalise the trade in services, he argued. In fact, trade deals such as the Comprehensive and Progressive Agreement for Trans-Pacific Partnership, which Vietnam is party to, include pledges against data localisation, said Nikkei Asia.

Finally, data localisation may inhibit the performance and efficiency of current technologies like cloud computing and artificial intelligence. Cloud computing works most efficiently when data is able to flow across borders, and artificial intelligence works best when it has a diverse range of data sources to draw upon. Data localisation policies may inhibit both these functions.

A tool among a broader arsenal

Perhaps data localisation is best applied as one tool amongst many, with a risk-based approach in mind.

First, it is important to note that data localisation policies on their own may not necessarily improve the security of data. Data stored elsewhere on the servers of a cloud service provider may have higher cybersecurity controls than a local data centre, for instance. Restrictive data localisation policies may also be harder to enforce, notes Lim.

This is where a risk-based approach may prove useful, where each country sets its own risk level and decides how it would like to balance security and economic considerations.

A risk-based approach first requires countries to have strong data classification models, which can help identify which data is more sensitive than others, says Lim. For example, personally identifiable information may require more protections than non-personal data, and data directly related to national security may be best stored within national borders.

As it may not be feasible or cost-effective to store all data within one’s country, a risk-based approach lets you “put as large a padlock as you want on the data that you think is most important,” says Lim.

In Singapore and Malaysia, personal data protection laws require organisations transferring data across borders to ensure that data continues to be protected at levels comparable to those of their home country. The Monetary Authority of Singapore has a technological risk management checklist, for one.

Other security best practices, such as the principle of least-privilege access and zero trust systems, which require portals to continuously verify one’s identity through methods such as multi-factor authentication, can help secure data. Lim says that banks in the region, from Thailand to the Philippines, have been leading the adoption of such practices.

Finally, the growth of privacy-enhancing technologies may also help reduce barriers to data transfers, as a recent GovInsider article noted, though Lim says that technology can only help insofar as people on the ground understand how to adopt and use such tech.

If ASEAN countries aligned on data protection standards, this would help encourage further economic integration and reduce barriers for the provision of services, much like the EU has done. However, Wong’s article notes that ASEAN has a softer approach to regional regulations than the EU, and each ASEAN country will need to find its own path. As such, some restrictions on the transfer of data between countries may be inevitable.