Vietnam Digital Economy and Regulatory Challenges
Market Overview
A recent digital economy report by Google indicates that Vietnam’s digital economy had an estimated value of $14 billion in 2020, posting a growth of 450 percent since 2015. It is forecasted to grow at approximately 30 percent between 2020 and 2025, as Vietnam actively implements its National Digital Transformation Program to 2025 with a vision to 2030.
The growth of Vietnam’s digital economy is fueled by the strong development of its digital infrastructure and cyber economy. As of the end of 2020, Vietnam had roughly 69 million internet users and 61 million smartphone users, with a penetration rate of 71 percent and 63 percent respectively. Vietnam’s telecommunications service firms are expected to invest up to $2.5 billion to deploy and commercialize 5G technology from 2020-2025. In the meantime, Vietnam’s e-commerce industry, a major component of its internet economy, grew by 18 percent year-on-year and generated revenue of approximately $12 billion in 2020. The country’s online advertising industry on social media recorded approximately $3 billion in revenue, whereas its ride-sharing service industry reached an estimated revenue of $1 billion in 2020.
Regulatory Challenges
Despite significant commercial opportunities that Vietnam’s fast-growing digital economy offers, the country’s data-related legislations could negatively impact the development of its digital economy while posing certain challenges for international suppliers of internet-based software and services. In particular, the data localization requirement set by the Law on Cybersecurity, and the cross-border data transfer requirement set in the Draft Decree on Personal Data Protection would inhibit foreign enterprises’ ability to provide cyberspace-based software and services in Vietnam.
Law on Cybersecurity (No. 24/2018/QH14)
This law was issued by Vietnam’s National Assembly in June 2018. Article 26 stipulates that domestic and foreign enterprises who provide services on telecommunications networks or the internet, or other value-added services in cyberspace in Vietnam and who conduct activities of collecting, exploiting, analyzing and processing data must store such data physically within the borders of Vietnam in a period of time specified by the government. This data includes personal information, data about service users’ relationships, or data generated by service users. For foreign service providers, they must establish a branch or representative office in Vietnam.
However, this law has not been practically enforced as there has not been an official implementation guidance decree. Vietnam’s Ministry of Public Security has been working on several guidance decree drafts since 2018. The latest draft became available for public comments during the Vietnam Business Forum in December 2020. According to industry analysts, the data localization requirement set in this draft appears to be less restrictive in two aspects. Firstly, only foreign enterprises who provide prescribed services, including domain name service, e-commerce, electronic payment, social network, and social media are required to store user data and establish a branch or representative office in Vietnam. Secondly, these foreign enterprises must only fulfill this obligation if their service has been used to violate the Law on Cybersecurity and they have been notified of the violation by the Vietnamese authority.
Draft Decree on Personal Data Protection
This draft decree was issued by the Vietnam Ministry of Public Security in February 2021. Article 21 of the decree stipulates that personal data of Vietnamese citizens can be transferred out of Vietnam if the following four requirements are met:
1) Data subject/owner consents to the transfer.
2) Original data is stored in Vietnam.
3) Data processor must prove that the recipient country or territory has equal or higher personal data protection standards than that in Vietnam.
4) Written approval of the transfer issued by Personal Data Protection Committee (PDPC) under Vietnam’s Ministry of Public Security.
In particular, sensitive personal data must be registered with the PDPC prior to processing. Sensitive personal data includes financial data, physical and mental health data, biometric data, and criminal records. Accordingly, processors of sensitive personal data are required to submit a proper application to the PDPC for registration. It takes the PDPC 20 business days to process the application.
Disclaimer: The information provided in this report is intended to be of assistance to U.S. exporters. While we make every effort to ensure its accuracy, neither the United States government nor any of its employees make any representation as to the accuracy or completeness of information in this or any other United States government document. Readers are advised to independently verify any information prior to reliance thereon. The information provided in this report does not constitute legal advice. International copyright, U.S. Department of Commerce, 2008. All rights reserved outside of the United States.
For more information contact: Triet Huynh, Senior Commercial Specialist, U.S. Commercial Service Ho Chi Minh City, Vietnam
Email: Triet.Huynh@trade.gov