This reality highlights a significant opportunity for Vietnam to foster its digital economy. However, it also raises concerns regarding the protection of personal data beyond national jurisdictions, the competitiveness of the domestic IT sector against foreign players, and national cybersecurity in the digital realm.
To capitalize on this opportunity and address these challenges, fostering accountability and advancing multilateral cooperation in cross-border personal data governance appears to be the most effective policy approach.
These were the key themes discussed during the seminar titled "Cross-Border Data Flows and Personal Data Protection," held online by the Institute for Policy Studies and Media Development (IPS) on August 27, 2021.
At the seminar, experts explored the advantages that cross-border personal data flows bring to global economic growth, with particular emphasis on Vietnam.
Measurable Economic Benefits and Losses
Mr. Jeff Paine, CEO of the Asia Internet Coalition (AIC), emphasized that cross-border data enables businesses and consumers to access the best technologies and services, benefiting all sectors, including manufacturing, financial services, education, and healthcare.
Echoing Mr. Paine's view but with more detail, Ms. Eunice Lim, a representative of the Global Data Alliance (GDA), highlighted four key benefits of cross-border personal data flows: (i) enabling micro, small, and medium-sized enterprises (MSMEs) and other businesses to access international markets and global supply chains (a 2019 study by AlphaBeta estimated that digital tools have reduced export costs for MSMEs across Asia by 82% and transaction times by 29%); (ii) improving access to financial services (expanding microloan options, facilitating remittances to developing countries, enhancing financial transparency, and combating corruption and money laundering); (iii) driving innovation and competitiveness (AI-driven research and innovation, and facilitating cross-border intellectual property registration processes); and (iv) enhancing and ensuring the efficient functioning of global supply chains.
On the other hand, countries that impose barriers on cross-border personal data flows are likely to suffer economic and social welfare losses. Ms. Eunice Lim cited a 2021 study by the Global System for Mobile Communications Association (GSMA) conducted in South America, Southeast Asia, and Africa, which found that data localization measures on IoT and M2M data could result in: $4-5 billion in lost investments and the loss of 182,000-372,000 jobs. Similarly, Mr. Paine referenced a report by the Information Technology and Innovation Foundation (ITIF) in 2021, indicating that an increase of one point in a country's data restriction index could lead to a 7% reduction in GDP, a 2.9% drop in labor productivity, and a 1.5% increase in consumer prices over five years.
For Vietnam, data localization requirements would lead to the loss of access to international service providers and foreign markets. The estimated total losses include 1.7% of GDP, 3.1% of domestic investment, and $1.5 billion in consumer welfare.
Cross-Border Personal Data Governance Models
Policy and legal experts have introduced cross-border personal data governance models from various countries to provide guidance and recommendations for Vietnam.
Ms. Tsunoda Rika, Deputy Director of the Information Technology Strategy Office, Cabinet Secretariat of Japan, presented Japan’s data governance model under the motto “Data Free Flow with Trust” (DFFT) – an initiative launched during the G20 Osaka Summit. In this model, "Trust" is emphasized as a cornerstone. To establish a trusted framework for cross-border personal data transfers, Japan has advanced: (i) personal identity verification mechanisms; (ii) data safety certification mechanisms, including a trust list of verified and reliable services; and (iii) an international cooperation framework for personal data protection that enables mutual recognition of standards between countries.
Achieving such mutual recognition, as exemplified by the European Union's model (where the European Commission recognizes countries and international organizations with data protection standards equivalent to the EU through “Adequacy Decisions”), requires harmonized and compatible data protection regulations across nations.
Dr. Clarisse Girot, Senior Research Fellow at the Asian Business Law Institute, highlighted three critical aspects of this issue: (i) key concepts, such as personal data, anonymization, and the distinction between data controllers and processors; (ii) legal bases for processing personal data: consent, legitimate interests, public interests, and scientific research; and (iii) conditions for cross-border data transfers, such as data subject consent, codes of conduct, data security certifications, and data localization requirements.
Building on this, Mr. Fan Tuck Chee, Deputy Director of Investigations at the Personal Data Protection Commission of Singapore, showcased Singapore's cross-border personal data governance model, which is founded on the Personal Data Protection Act (PDPA) for the private sector. Singapore’s approach focuses on accountability obligations for data controllers, driven by risk management principles in mitigating data breaches.
To strengthen accountability among personal data controllers, Singapore has implemented the following measures: (i) Data Protection Trust Mark (DPTM) certification; (ii) mandatory reporting of data breaches (ensuring proactive risk management by organizations); (iii) compulsory risk assessments for certain types of data usage; and (iv) voluntary undertakings in data breach investigations, allowing violators to propose and implement effective remediation plans.
Mr. Nguyễn Quang Đồng, Director of the Institute for Policy Studies and Media Development (IPS), emphasized a policy approach structured around three pillars: (i) legal regulations; (ii) international cooperation within multilateral frameworks; and (iii) self-regulation within the industry. Beyond legal tools, Vietnam should prioritize international cooperation frameworks and strengthen self-regulation mechanisms.
For Vietnam, it is imperative to accelerate participation in regional multilateral frameworks such as the APEC Privacy Framework and ASEAN PDP, while promoting the adoption of Privacy Enhancing Technologies (PETs) to safeguard privacy.
In summary, to capitalize on the opportunities and mitigate the challenges posed by cross-border personal data flows, Vietnam should: (i) foster multilateral cooperation in data governance; (ii) enhance accountability among data controllers and processors. To achieve these goals, three key actions are necessary: (i) refine legal regulations on personal data protection to ensure internal consistency and alignment with global standards; (ii) reduce data localization requirements; and (iii) strengthen technological solutions to protect data and unlock its value.
Nguyen Lan Phuong – Institute for Policy Studies and Media Development
.jpg "A picture with many shades of red.")