Vietnam's parliament has approved a new cybersecurity law that requires all companies doing business in the country to store their data locally -- a principle known as forced data localization.
The legislation, which was passed in June and will come into effect on Jan. 1, 2019, is the latest illustration of a growing trend toward using broad definitions of national security and the public interest to justify data protection rules that amount to digital protectionism.
Yet, Vietnam has signed up to international trade rules that provide strong grounds for a legal challenge to such restrictive practices. The country's trading partners should test the compatibility of the new law with Hanoi's international obligations at the earliest opportunity, not least as a means of discouraging other countries from following suit.
Vietnam is not the first country to enforce local data storage. China, Indonesia, Nigeria, Russia, South Korea and other countries have implemented similar laws, prompting a debate at the World Trade Organization about how (or whether) trade rules designed for 20th century trade in physical goods apply to 21st century digital trade.
So far, there has been no attempt to stop the spread of enforced data localization through the WTO. The global trade regulator has rules that apply to internet-based services, but they are fairly weak, having been negotiated in the analogue era, and do not apply to all member states. Vietnam signed up to the internet rules when it joined the WTO in 2007, but uncertainty about the rules has discouraged any action by trading partners.
But there is another route for potential challengers. Hanoi has also agreed to a stronger set of data-related trade rules under the 11-country Comprehensive and Progressive Agreement for Trans-Pacific Partnership, known as TPP-11 -- a revised version of the Trans-Pacific Partnership trade agreement, from which the U.S. withdrew in 2017. Several of Vietnam's trading partners within TPP-11 have been publicly critical of the trend toward enforced data localization, including Australia, New Zealand and Japan. Any of these countries could initiate a trade dispute within TPP-11 to have this local data storage requirement removed.
To initiate a challenge, a TPP-11 country would need to demonstrate that Hanoi's local data storage requirements breach the agreement's prohibitions on barriers to cross-border transfers of data and unequal treatment for foreign companies conducting business in Vietnam. The complainant would need to show that the data localization requirement is a disguised trade restriction, and that there are alternative ways of improving commercial cybersecurity protection that do not act as a barrier to trade.
There is a strong case to be made. Forced data localization discriminates between domestic and foreign companies and their products and services. It forces foreign providers of cloud computing to set up or use local information technology services when they otherwise might not. Likewise, it forces other foreign companies to set up or use local IT facilities because the law prevents them from exporting data, including for offshore cloud storage and for use in centralized analytical platforms. These measures affect international trade, innovation and corporate competitiveness.
A difficulty in any such trade dispute would be that TPP-11 contains broad exceptions for countries to enact barriers to trade in the name of national security and the public interest -- provisions that are common to many trade agreements. Countries are largely free to decide how to apply these exemptions, but they have hitherto been regarded as appropriate only in times of national emergencies, such as wars.
This is clearly not the case in Vietnam, which acknowledged that its local data storage rules might breach its trade commitments, but decided to press ahead anyway.
Vietnam's trading partners should be preparing to test the TPP-11's willingness to enforce its rules, even though this would not provide a quick fix. The TPP-11 agreement will not come into force until 60 days after it has been ratified by six member states; so far only Japan, Mexico and Singapore have done so. In addition, Vietnam negotiated a two-year grace period from trade enforcement action on the data flow provisions of the e-commerce chapter, which will begin whenever the agreement comes into effect.
In the short-term, therefore, countries that oppose restraints on digital trade flows should concentrate on rebutting Hanoi's mistaken belief that data is more secure when stored within a country's borders. Vietnam is not alone in Asia in this misunderstanding: China has imposed draconian cybersecurity regulations, South Korea restricts mapping data and Indonesia is enacting localization for personal, financial, and internet services data. Unlike Vietnam, none of these states belong to the TPP-11 and so cannot be made subject to its rules.
In most instances, however, data-localization mandates do not enhance data security. Security breaches can happen no matter where data is stored, and the confidentiality of data does not generally depend on where it is stored. A secure server in Vietnam is no different from a secure server in Brazil.
Data security depends on the technical, physical and administrative controls implemented by the service provider, regardless of where the data is stored. This is where policymakers' focus should lie -- getting companies and users to be aware of the risks and to adopt best-in-class protective measures and practices.
The debate about legitimate cybersecurity measures is not restricted to Asia, or to authoritarian governments -- a parallel debate about privacy and data localization for personal data is taking place in many countries, including Australia, Canada and members of the European Union. The issue has also been complicated by U.S. President Donald Trump's use of a national security justification, widely regarded as specious, for higher tariffs on imports of steel and automobiles. It is hard for digital free traders to condemn authoritarian misuse of data localization on national security grounds when the leader of the democratic world is doing the same thing.
In the longer term, however, interrupting the global trend toward digital protectionism will require robust action by countries that oppose barriers to digital trade.
The misuse of exceptions to the rules has the potential to undermine the broader set of commitments that make up the international trading system. A formal challenge to Vietnam's new law would clarify the extent to which exceptions can be used as a cover for digital protectionism, and perhaps prompt countries considering following the Vietnamese example to think again.
Nigel Cory is an associate director covering trade policy at the Information Technology and Innovation Foundation, a nonprofit, public policy think tank based in Washington D.C.