The importance of data centres for businesses and IT operations nowadays is undeniable, especially in this age of digitisation, e-commerce and digital banking.
For foreign companies doing business in Vietnam, it is worth noting the data localisation requirement under Vietnam’s Law on Cybersecurity, whereby both local and foreign companies collecting, exploiting, analysing and processing personal data, data about relationship of users or data generated by users in Vietnam must store such data in Vietnam. The data localisation requirement, plus the need for better processing speed to assist Vietnamese users are the main rationales to have a data centre in Vietnam.
This article will address the key issues that investors seeking to navigate the data centre market in Vietnam should be aware of.
1. Overview of data centers in Vietnam
1.1 What Are Data Centers
A data centre is commonly defined as a dedicated facility combining software and hardware components to store, exchange, process and manage large amounts of data , also used for data backup and recovery.
Data centres are typically classified into the following types:
- Enterprise data centres: data centres built, owned, and operated by companies and optimised for their end users; often located onsite within the company’s premises;
- Managed services providers: data centres managed by a third party - or a managed services provider - on behalf of a company where the company leases the equipment and infrastructure instead of buying it;
- Co-location data centres: a company rents space within a data centre owned by others and not located on the company’s premises; and the co-location data centre hosts the infrastructure (building, cooling, bandwidth, security, etc.), while the company provides and manages the components, including servers, storage, and firewalls; and
- Cloud data centres: an off-premises form of data centre, where data and applications are hosted by a cloud services provider such as Amazon Web Services (AWS), Microsoft (Azure), or IBM Cloud or other public cloud provider.
1.2 The Current Market in Vietnam
Vietnam is a developing data centre market with a strong potential, and being valued at USD165 billion in 2018 and having a forecasted valuation of USD294 billion in 2024.[1] However, Vietnam needs to make certain improvements to be able to catch up with Singapore, the strongest player in the Southeast Asea data centre market. For example, power shortage is a major issue that Vietnam must resolve to be able to bring the data centre market to the next level.
2. Data Center Solutions - Lease vs Build
2.1 Building a Data Centre
The main advantages of building and owning its own data centre are:
a. maximum control over security, maintenance, access and anything related to the centre;
b. no risk of having the lease terminated: and
c. unused space can be leased out or used for other purposes.
The main disadvantages are the large upfront expenses for construction, risks involving the construction contract with contractors, and regulatory compliance burdens.
2.2 Leasing from Existing Data Centre
In general, leasing seems to be a better option since the risks are more controllable via the contract with the data centre owner and the lessee allows more flexibility to adapt the leased data centre space to match business demands.
3. Technical Regulations and Standards
Investors of data centre construction projects in Vietnam should comply with Vietnam’s various technical regulations and standards related to data centres, currently listed in Circular 03/2013 issued by the Ministry of Information and Communications (MIC). Data centre services providers will need to declare their conformity to technical regulations and standards with the Telecommunications Authority under the MIC.
4. Licence
The Vietnamese law regulates some products and services related to cyber information security and civil encryption, which may impact data centre builders and/or owners. Below table lists out the relevant licenses. To ensure compliance, data centre builders and owners should seek professional advice whether they need such licenses on a case-by-case basis. Hereafter you will find a table with relevant information.
Licence Required
|
Definition
|
Harmonised System Codes
|
Authority
|
Licence to import, export civil encryption products
|
Civil encryption products : technical documents, equipment and encryption specialist skill to protect information outside state secret scope.
|
8443, 8471, 8473, 8517, 8523, 8525, 8526, 8528, 8529, 8542, and 8543
|
National Agency of Cryptography and Information Security
|
License to import, export cyber information security products
|
Information security products: software, hardware with function of protecting information, information system.
|
8471
|
MIC
|
Licence to trade, manufacture civil encryption products and provide civil encryption services
|
Civil encryption services: information protection using civil encryption products; appraisal, evaluation of civil encryption products; consultancy on cyber information security, protection using civil encryption products
|
|
National Agency of Cryptography and Information Security
|
Licence to trade, manufacture cyber information security products and provide cyber information security services
|
Cyber information security services : protect information, information system and divided into multiple small services.
|
|
MIC
|
5. Pending Business Conditions to Provide Data Center Services
It should be noted that data centre service is a conditional business in the 2020 Law on Investment of Vietnam even though the detailed conditions to provide data center service are still unknown. The MIC has published a draft decree to amend Decree 72/2013 and Decree 27/2018. It does not contain any stringent business conditions applicable to data centre services. The draft decree currently only requires data centre services providers to demand service users to comply with the laws on information security and suspend services in case of non-compliance.
Unless the draft decree is revised to include more conditions, investors only would need to pay attention to the licenses mentioned in section 4.
6. Data Privacy Regulations
6.1 General
Data privacy regulations play a major role in the operations of data centres, more so if the data centre processes the data as well, not just provides a space to store the data. After Europe’s General Data Protection Regulation (GDPR) came into effect, in general, customers work more closely with data centre owners and perform more audits to manage their risks. Data centre owners also had to reevaluate and revise their policies, procedures, security measures and contract templates to ensure compliance with GDPR.
6.2 Current Regulations
Currently, Vietnam’s regulations on personal data protection are quite general and scattered across multiple legislations. This issue is expected to be resolved by the issuance of a decree solely on personal data protection.
6.3 Draft Decree on Personal Data Protection
The Ministry of Public Security has prepared Vietnam’s first ever draft decree on personal data protection and released for public opinions. The draft decree, if adopted, will greatly influence companies collecting and processing personal data of their customers. The proposed effective date of the decree is 1 December 2021. The draft decree is heavily referenced from the GDPR. For more details please read our general update GDPR-like draft decree on data protection introduced. We summarise the most relevant parts below.
- Personal data : data about a person or related to the identification of or can identify a specific person and includes basic and sensitive personal data;
- Use of technical measures to safeguard personal data: under the draft decree, data processors must implement executive, technical and security measures to protect personal data; as the draft decree does not provide detailed guidance on technical measures, pending further guidance, data processors should refer to internationally accepted technical standards to safeguard personal data, such as ISO 27001:2013;
- Personal data protection commission : if established as per the draft, this commission will be the supervisory authority overseeing personal data matters in Vietnam, similar to the European Data Protection Board under the GDPR;
- Personal data protection department and officer : data processors must have a department supervising personal data protection and data protection officer(s).
- Sensitive personal data processing registration : prior to processing sensitve personal data, data processor must register with the Personal Data Protection Commission.
- Cross-border transfer of personal data : the draft decree restricts cross-border transfer of personal data; according to the draft decree, cross-border transfer of personal data is permitted only if
a. the data subject agreed to the transfer;
b. the original data is stored in Vietnam;
c. the country of the recipient imposes the same or a higher level of data protection (with documented evidence); and
d. the personal data protection commission agrees with the transfer.
7. M&A
If an investor seeks to enter the data centre market in Vietnam via M&A, such investor should carefully consider whether to pursue an asset deal or a share deal.
7.1 Asset Deal
Under an asset deal, the seller disposes of and transfers individual assets (and liabilities) under an asset purchase agreement. In a data centre M&A deal, the transferred assets typically include the data centre facilities, the customer contracts and other anciliary contracts (e.g. power supply agreement and security service agreement).
The main upside of an asset sale is that the liabilities of the seller normally will not transfer to the buyer, which greatly reduces the risk on the buyer. The downside is that under Vietnamese law, contract assignment normally requires consent of the counterparty, which may prolong the deal completion.
7.2 Share Deal
Under a share deal, the buyer will acquire all or part of the equity or the shares in a company owning and operating a data centre, thus becoming a member or shareholder of such company and gaining all rights, obligations and liabilities associated with the acquired shareholding.
7.3 Due Diligence
Regardless of which type of deal an investor pursues, thorough due diligence is a must-have to understand the liabilities and risks accompanying the target company or asset. In a data centre M&A deal, it is recommended to focus on the following issues:
- Contracts: very important in a data centre M&A deal, as the data centre’s revenue may come from some key clients; it is not sufficient to only examine if the contracts are legally binding but all risks must be assessed to avoid losing key clients and the connected large revenue stream for the data centre;
- Corporate ownership and organisation (for share deal);
- Finance;
- Employment: special attention should be given to employees having access to data stored in the data centre;
- Required third party approvals: third party approvals required for the transaction (if any) must be accounted for, such as change of control approval (in case the data center contracts require change of control approval from clients) or bank approval (in case the data centre is used as collateral for a bank loan);
- Real estate;
- Permits and licenses; and
- Environment.
8. Conclusions
With the ongoing digital transformation trend, the data centre market in Vietnam could be very lucrative and full of potential. However, there are risks and challenges to take into consideration as well. To thrive in this market, investors would need to effectively navigate and mitigate the challenges and risks.
For more information, please contact:
Mark Oakley / Managing Partner mark.oakley@acsvlegal.com
Hieu Pham / Special Counsel hieu.pham@acsvlegal.com
Duc Tran / Associate duc.tran@acsvlegal.com
When a company wants to streamline its IT operations by establishing a data centre, there are 2 options: build vs lease.
© 2021 ACS Legal Vietnam Company Limited – All rights reserved. This legal update is not an advice and should not be treated as such.