Phan Le argues that data localisation in Vietnam would not improve data privacy and could increase the chances of security breaches, given the country’s relatively less-developed IT infrastructure and workforce.
Vietnam’s Ministry of Public Security (MoPS) thinks it is killing two birds with one stone by passing new laws regulating data storage. But it could soon find out it has no use for two dead birds while the stone flies off and damages the economy.
In June 2017, the MoPS proposed a draft cybersecurity law that requires all foreign online service providers (including Facebook, Google and Twitter) to store their Vietnamese users’ data exclusively in Vietnamese data centres – a practice known as “data localisation”.
Foreign tech firms would likely have Vietnamese partners run their local data centres, manage domestic service sales and handle government requests for user data. The proposal has sparked a heated debate between those who believe in its benefits and those who warn against its serious threats to economic development.
For proponents of the law, data localisation is a no-brainer. The opening of local data centres would improve access to online services for local users and would generate a booming demand for high-skilled IT professionals.
With 64 million social media users and one of the fastest-growing e-commerce markets worldwide, Vietnam would be an irresistible destination for foreign tech firms regardless of the extra cost of data localization, or at least so thinks the Ministry.
In a broader context, proponents of the law see the mandate as part of a global effort to protect data privacy and to stop multinationals from pursuing tax avoidance strategies. In 2015 the European Court of Justice invalidated the Safe Harbour Agreement, which had allowed the free transfer of data between the European Union and the United States. This invalidation resulted in many US tech giants’ storing all EU citizen data on servers located within the European Union.
Furthermore, as most nations search for ways to quash tax avoidance by multinationals, the MoPS sees data localisation as a promising solution when it is combined with the recent Ministry of Finance proposal requiring all cross-border payments to be made via domestic payment gateways. Similar authentication schemes have been implemented in India and South Korea. “If others can do this”, reason opponents of the law, “why can’t we?”
The answer is simple: Vietnam can, but it shouldn’t.
Access to foreign online services would be much better if the government had relaxed its onerous regulations and censorship rules instead of adding more. Evidence on data localisation reveals mostly empty promises: even if foreign tech firms cave in to the mandate, the resulting number of high-quality jobs would be minimal. Data centres are increasingly being automated – Apple’s billion-dollar data centre in North Carolina created only 50 permanent jobs.
More importantly, data localisation would not improve data privacy at all – even though this is the key rationale for the proposal. Data privacy depends on the service providers’ technical capabilities, the quality of physical infrastructures and the robustness of administrative procedures. This is true regardless of where the servers are located. Given Vietnam’s relatively less-developed IT infrastructure and workforce, data localisation would likely increase the chances of security breaches.
In addition, data localisation under Vietnam’s strict censorship rules would be detrimental to data privacy. Until now, foreign tech companies who store user data outside Vietnam can avoid comprehensively complying with government censorship. Were the system to change, government agencies could force tech firms to provide them with users’ personal information in accordance with Decree 72 on the Management, Provision and Use of Internet Services and Online Information.
While the benefits of data localisation are mostly imaginary, its threats to Vietnam’s economic development are real. The past three decades of economic transition attest to the importance of opening up the economy and attracting quality investment with a facilitating state that ensures a conducive business environment.
The proposed mandate would betray all of these, which would result in higher costs of doing business and an even more restricted flow of information. And it would likely lead to heavier state intervention in the economy. Current data regulations are already estimated to cost the Vietnamese economy a 1.7 per cent reduction in GDP and a 3.1 per cent reduction in domestic investment. These figures would undoubtedly be higher if data localisation is passed.
Vietnam’s political leaders have repeatedly highlighted Singapore as a model for the country’s major cities. If their statements hold any merit, they should know that Singapore does not need a data localisation mandate to attract foreign tech firms to set up data centres or bring high-skilled jobs into the country.
Data localisation would be a setback for Vietnam’s emerging economy. The only light in this darkness is that the draft law still awaits the National Assembly’s consideration in May 2018.
Phan Le is a PhD candidate at the Australian National University. The commentary first appeared in East Asia Forum and can be read at http://bit.ly/2tQsHYw