Data Centres – Key Issues In Vietnam

ACSV Legal

The data centre market in Vietnam is a sector which is attractive for foreign investments. However, it is important to take into consideration certain points, such as data protection, required licences, build vs lease. In case of an M&A there are issues that might have to be considered depending on the type of deal.

The importance of data centres for businesses and IT operations nowadays is undeniable, especially in this age of digitisation, e-commerce and digital banking.

For foreign companies doing business in Vietnam, it is worth noting the data localisation requirement under Vietnam’s Law on Cybersecurity, whereby both local and foreign companies collecting, exploiting, analysing and processing personal data, data about relationship of users or data generated by users in Vietnam must store such data in Vietnam. The data localisation requirement, plus the need for better processing speed to assist Vietnamese users are the main rationales to have a data centre in Vietnam.

This article will address the key issues that investors seeking to navigate the data centre market in Vietnam should be aware of.

1. Overview of data centers in Vietnam

1.1 What Are Data Centers

A data centre is commonly defined as a dedicated facility combining software and hardware components to store, exchange, process and manage large amounts of data , also used for data backup and recovery.

Data centres are typically classified into the following types:

Enterprise data centres: data centres built, owned, and operated by companies and optimised for their end users; often located onsite within the company’s premises;

Managed services providers: data centres managed by a third party - or a managed services provider - on behalf of a company where the company leases the equipment and infrastructure instead of buying it;

Co-location data centres: a company rents space within a data centre owned by others and not located on the company’s premises; and the co-location data centre hosts the infrastructure (building, cooling, bandwidth, security, etc.), while the company provides and manages the components, including servers, storage, and firewalls; and

Cloud data centres: an off-premises form of data centre, where data and applications are hosted by a cloud services provider such as Amazon Web Services (AWS), Microsoft (Azure), or IBM Cloud or other public cloud provider.

1.2 The Current Market in Vietnam

Vietnam is a developing data centre market with a strong potential, and being valued at USD165 billion in 2018 and having a forecasted valuation of USD294 billion in 2024.[1] However, Vietnam needs to make certain improvements to be able to catch up with Singapore, the strongest player in the Southeast Asea data centre market. For example, power shortage is a major issue that Vietnam must resolve to be able to bring the data centre market to the next level.

2. Data Center Solutions - Lease vs Build

2.1 Building a Data Centre

The main advantages of building and owning its own data centre are:

a. maximum control over security, maintenance, access and anything related to the centre;

b. no risk of having the lease terminated: and

c. unused space can be leased out or used for other purposes.

The main disadvantages are the large upfront expenses for construction, risks involving the construction contract with contractors, and regulatory compliance burdens.

2.2 Leasing from Existing Data Centre

In general, leasing seems to be a better option since the risks are more controllable via the contract with the data centre owner and the lessee allows more flexibility to adapt the leased data centre space to match business demands.

3. Technical Regulations and Standards

Investors of data centre construction projects in Vietnam should comply with Vietnam’s various technical regulations and standards related to data centres, currently listed in Circular 03/2013 issued by the Ministry of Information and Communications (MIC). Data centre services providers will need to declare their conformity to technical regulations and standards with the Telecommunications Authority under the MIC.

4. Licence

The Vietnamese law regulates some products and services related to cyber information security and civil encryption, which may impact data centre builders and/or owners. Below table lists out the relevant licenses. To ensure compliance, data centre builders and owners should seek professional advice whether they need such licenses on a case-by-case basis. Hereafter you will find a table with relevant information.

 Licence Required

 Definition

 Harmonised   System Codes

 Authority

 Licence to import, export   civil encryption products

 Civil encryption products : technical   documents, equipment and   encryption specialist skill to protect   information outside state secret scope.

8443, 8471, 8473, 8517, 8523, 8525, 8526, 8528, 8529, 8542, and 8543

 National Agency of   Cryptography and   Information Security

License to import, export cyber information security products

Information security products: software, hardware with function of protecting information, information system.

8471

MIC

 Licence to trade,  manufacture civil encryption products and provide civil encryption services

 Civil encryption services: information protection using civil encryption products; appraisal, evaluation of civil encryption products; consultancy on cyber information security, protection using civil encryption products

 

 National Agency of Cryptography and Information Security

Licence to trade, manufacture cyber information security products and provide cyber information security services

Cyber information security services : protect information, information system and divided into multiple small services.

 

MIC

 

5. Pending Business Conditions to Provide Data Center Services

It should be noted that data centre service is a conditional business in the 2020 Law on Investment of Vietnam even though the detailed conditions to provide data center service are still unknown. The MIC has published a draft decree to amend Decree 72/2013 and Decree 27/2018. It does not contain any stringent business conditions applicable to data centre services. The draft decree currently only requires data centre services providers to demand service users to comply with the laws on information security and suspend services in case of non-compliance.

Unless the draft decree is revised to include more conditions, investors only would need to pay attention to the licenses mentioned in section 4.

6. Data Privacy Regulations

6.1 General

Data privacy regulations play a major role in the operations of data centres, more so if the data centre processes the data as well, not just provides a space to store the data. After Europe’s General Data Protection Regulation (GDPR) came into effect, in general, customers work more closely with data centre owners and perform more audits to manage their risks. Data centre owners also had to reevaluate and revise their policies, procedures, security measures and contract templates to ensure compliance with GDPR.

6.2 Current Regulations

Currently, Vietnam’s regulations on personal data protection are quite general and scattered across multiple legislations. This issue is expected to be resolved by the issuance of a decree solely on personal data protection.

6.3 Draft Decree on Personal Data Protection

The Ministry of Public Security has prepared Vietnam’s first ever draft decree on personal data protection and released for public opinions. The draft decree, if adopted, will greatly influence companies collecting and processing personal data of their customers. The proposed effective date of the decree is 1 December 2021. The draft decree is heavily referenced from the GDPR. For more details please read our general update GDPR-like draft decree on data protection introduced. We summarise the most relevant parts below.

Personal data : data about a person or related to the identification of or can identify a specific person and includes basic and sensitive personal data;

Use of technical measures to safeguard personal data: under the draft decree, data processors must implement executive, technical and security measures to protect personal data; as the draft decree does not provide detailed guidance on technical measures, pending further guidance, data processors should refer to internationally accepted technical standards to safeguard personal data, such as ISO 27001:2013;

Personal data protection commission : if established as per the draft, this commission will be the supervisory authority overseeing personal data matters in Vietnam, similar to the European Data Protection Board under the GDPR;

Personal data protection department and officer : data processors must have a department supervising personal data protection and data protection officer(s).

Sensitive personal data processing registration : prior to processing sensitve personal data, data processor must register with the Personal Data Protection Commission.

Cross-border transfer of personal data : the draft decree restricts cross-border transfer of personal data; according to the draft decree, cross-border transfer of personal data is permitted only if

a. the data subject agreed to the transfer;

b. the original data is stored in Vietnam;

c. the country of the recipient imposes the same or a higher level of data protection (with documented evidence); and

d. the personal data protection commission agrees with the transfer.

7. M&A

If an investor seeks to enter the data centre market in Vietnam via M&A, such investor should carefully consider whether to pursue an asset deal or a share deal.

7.1 Asset Deal

Under an asset deal, the seller disposes of and transfers individual assets (and liabilities) under an asset purchase agreement. In a data centre M&A deal, the transferred assets typically include the data centre facilities, the customer contracts and other anciliary contracts (e.g. power supply agreement and security service agreement).

The main upside of an asset sale is that the liabilities of the seller normally will not transfer to the buyer, which greatly reduces the risk on the buyer. The downside is that under Vietnamese law, contract assignment normally requires consent of the counterparty, which may prolong the deal completion.

7.2 Share Deal

Under a share deal, the buyer will acquire all or part of the equity or the shares in a company owning and operating a data centre, thus becoming a member or shareholder of such company and gaining all rights, obligations and liabilities associated with the acquired shareholding.

7.3 Due Diligence

Regardless of which type of deal an investor pursues, thorough due diligence is a must-have to understand the liabilities and risks accompanying the target company or asset. In a data centre M&A deal, it is recommended to focus on the following issues:

- Contracts: very important in a data centre M&A deal, as the data centre’s revenue may come from some key clients; it is not sufficient to only examine if the contracts are legally binding but all risks must be assessed to avoid losing key clients and the connected large revenue stream for the data centre;

- Corporate ownership and organisation (for share deal);

- Finance;

- Employment: special attention should be given to employees having access to data stored in the data centre;

- Required third party approvals: third party approvals required for the transaction (if any) must be accounted for, such as change of control approval (in case the data center contracts require change of control approval from clients) or bank approval (in case the data centre is used as collateral for a bank loan);

- Real estate;

- Permits and licenses; and

- Environment.

8. Conclusions

With the ongoing digital transformation trend, the data centre market in Vietnam could be very lucrative and full of potential. However, there are risks and challenges to take into consideration as well. To thrive in this market, investors would need to effectively navigate and mitigate the challenges and risks.

 

For more information, please contact:

Mark Oakley / Managing Partner  mark.oakley@acsvlegal.com
Hieu Pham / Special Counsel  hieu.pham@acsvlegal.com
Duc Tran / Associate  duc.tran@acsvlegal.com

 

 

When a company wants to streamline its IT operations by establishing a data centre, there are 2 options: build vs lease.

© 2021 ACS Legal Vietnam Company Limited – All rights reserved. This legal update is not an advice and should not be treated as such.

Please Login or Register for Free now to view all updates and articles

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

ACSV Legal

ACSV Legal is a vibrant and dynamic, Vietnam based law-firm, located in Ho Chi Minh City. Not only do we have unparalleled domestic expertise, but we are part of the One Asia Lawyers’ international network with partner offices across Southeast Asia and the Pacific Rim.

We have one of the premier Corporate / M&A practices in Vietnam and we have extensive experience in private equity transactions with a strong commercial focus. We have advised various clients on (re-) structuring their businesses in the light of investments in or outside Vietnam.

Our clients are typically businesses within South-East Asia which are experiencing significant growth, as well as leading international and local corporations who need advice on a broad array of multi-jurisdictional transactions. We have advised our clients on matters in a wide range of sectors and industries such as healthcare, beauty and fitness, pharmaceutical, food and beverage, IT and technology, hospitality and leisure, education, retail, manufacturing and distribution, apparel and fashion, Fintech and payment services.

We have a team of experienced lawyers who are qualified in Vietnam, the UK, the US and Malaysia in civil and common law jurisdictions. The languages spoken at ACSV Legal include Vietnamese, English, German, Japanese, Italian, Dutch, French and Malay.

 

"The corporate team has vast cross-border expertise and is skilled in handling M&A mandates for large Vietnamese conglomerates."

"Great communicators. Very fair on pricing. Very thorough.
Legal 500 Asia Pacific 2020
 

 

“The law firm is very good. In addition to being very knowledgeable and professional, they provide advice that is in the client's best interest, not what generates the most fees. Furthermore, they work with a sense of urgency I greatly appreciate. They always deliver their work in a timely manner, they are organized, they provide high-quality work, and are very responsive.
ILFR1000 2020
 

 

"Mark and his team are perfect partners for us. I would not hesitate to recommend ACSV to any of my friends or colleagues. Mark’s team is particularly knowledgeable on cross-border private equity structuring and transactions.”
ILFR1000 2019
 

 

“ACSV Legal is ‘a strong firm for M&A, which excels in transactions’, with strong presence in consumer-facing sectors such as retail and leisure.”
Legal 500 Asia Pacific 2018

Click here to view the author's profile

Author

Related Content

Tags

  • Vietnam
  • Internet & Social Media
  • Telecommunications & Post
  • Mergers & Acquisitions
  • Data Protection & Privacy

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.