After China, Russia, EU and India, Vietnam proposes law to restrict cross border data flow – Silicon Valley in panic

After China, Russia, India and the European Union, Vietnam has now proposed the Personal Data Protection Law (PDPL) which is aimed at ensuring digital privacy to its citizens. However, the Silicon Valley together has warned Vietnam of not rushing this decision and think of the impact it will have on its economy. As of today, Vietnam has a population of 100 million which makes it one of the biggest markets for American social media companies. Silicon Valley has cited the dangers of the new law and how it going to complicate operating and expanding in the country.

But this is not the first blow for the Silicon Valley. In the year 2017, 35 countries had put forth the need of implementing 67 restrictions on cross border data transfer and till 2023 more than 60 countries and regions have got close to 150 restrictions implemented. This means that more than 40% of the world population’s data is under restrictions. It is beyond doubt that cross border data restrictions do have an impact on the country’s economy and those industries which rely heavily on data. As per a report by Information Technology and Innovative Foundation, a 1‑point increase in a nation’s data restrictiveness cuts its gross trade output 7 percent and slows its productivity by 2.9 percent and increases downstream prices 1.5 percent over a period of five years. 

Vietnam’s new proposed law –

The Personal Data Protection Law (PDPL) eases the access of information by the authorities and increases restrictions on the cross-border data flow by providing for an authorisation which is needed for transfer of any data abroad. The act provides for classification of the data into 2 categories – (1) Core Data and (2) Important Data. Certain personal has heightened regulations such as children’s data, biometric data and location data. Notice and consent are the requirements that one must adhere to when processing these types of personal data.

India introduced a similar law in 2023 i.e. Digital Protection Data Protection Act (2023) –

In the domain of the Cross Border Data Transfer, the Indian law is using a blacklisting approach, whereby data transfer can be done if not specifically barred by law. Another salient feature of this law is that it allows sector specific regulation in transfer of data abroad. For Instance, RBI has asked all payment operators in India to store its information in data centres located in India itself. Furthermore, data processors are required to implement security measures to prevent data breaches, and it requires valid contracts between data processors and data fiduciaries. Lastly, the act has extra-territorial application i.e. it is applicable to foreign companies who are dealing with Indians and involves data transfers.

"It will make it challenging for tech companies, social media platforms and data centre operators to reach the customers that rely on them daily," said Jason Oxman, who chairs the Information Technology Industry Council (ITI), a trade association representing big tech companies including Meta, Google and data centres operator Equinix.