Vietnam: Key Highlights Of Vietnam New Data Law

Venture North Law Firm

5th February 2025
A new Data Law, passed in late November 2024 and set to take effect on 1 July 2025, focuses primarily on establishing a national general database and data centre for state use. However, it also introduces rules on digital data (data in the rest of this article) that concerns the private sector, such as, data products and services.

A new Data Law, passed in late November 2024 and set to take effect on 1 July 2025, focuses primarily on establishing a national general database and data centre for state use. However, it also introduces rules on digital data (data in the rest of this article) that concerns the private sector, such as, data products and services. The Government is also drafting three draft decrees detailing key issues under the Data Law, including Data-Related Products & Services Draft Decree, Core & Important Data Draft Decree and a Master Draft Decree.

This blog will discuss several key points under the Data Law and related draft decrees. This post is written by Ha Thanh Phuc and Trinh Phuong Thao.

1)          The police will review and supervise your data activities

The Ministry of Public Security (MPS) again is authorized to regulate all activities relating to data except for data under the Ministry of Defence. Accordingly, it seems that Vietnam considers data as security issue and violation of data activities could result in significant liabilities. This could raise significant compliance costs for businesses and companies in Vietnam if they want to be fully comply with unclear rules (see discussion below).

1)          Conditional Business Lines

Amendments to the Investment Law 2020 in late 2024 now require businesses involved in (i) data intermediary products and services, (ii) data analysis and synthesis, or (iii) data platform services to meet certain conditions. The Data Law suggests that:

a. data platform services may be restricted to state enterprises and public providers, potentially excluding private companies; and

b. only providers of data analysis and synthesis services that potentially harm national defence, national security, social order, safety, social ethics, or public health, which have been detailed under the Data-Related Products & Services Draft Decree, will be subject to these conditions.

Under the Data-Related Products & Services Draft Decree, businesses in these sectors are subject to strict requirements. Notably, all such businesses must maintain an escrow of at least 5 billion VND at a Vietnamese commercial bank to cover compensation and expenses in the event their licenses are revoked.

2)          Core data and important data

Transferring "core data" (i.e. data directly affect national defence and security, foreign affairs, macroeconomic situations, social stabilization, community health and safety) and “important data” (i.e. data potentially affect those areas) overseas will require compliance with regulations designed to protect national security, public interest, and the legitimate rights and benefits of data subjects. The recent draft decrees of the Government introduce several critical provisions related to core data and important data, including:

  • Broad scope of core and important data: A wide range of data falls under this classification, including basic personal data of 1 million people or more (as important data);

  • Non-exhaustive list of core data: The Core & Important Data Draft Decree seems to not provide a definitive list of core data. Instead, it includes a catch-all category for “other unpublished data in state management activities,” leaving substantial discretion to the competent authority.

3)          Strict requirements for cross-border data transfers

Enterprises transferring core and important data (including personal data) across borders must (i) conduct a self-assessed risk evaluation; and (ii) submit a cross-border data transfer impact assessment report. Unlike Decree 13/2023 and Draft PDPL, where submitting an impact assessment report is merely procedural, the Master Draft Decree imposes a stricter approval mechanism, specifically:

  • Core data can only be transferred if the enterprise receives a “pass” result from the competent authority after submission; and

  • Important data may be transferred only if the competent authority does not issue a rejection within five days of submission.

Furthermore, data owners of core or important data and data administrator will have to comply with regulations on protecting those data to be issued by the Government.

4)          Confusing concept of data owner

The Data Law introduces the concept of data owner, which is a person who has the rights to decide on the construction, development, protection, administration, processing, use, and exchange of the value of data such person owns (such rights, Data Owner Rights). It is unclear that to be a data owner whether (i) one will have to have both ownership of and also the Data Owner Rights over the data or (ii) simply having the Data Owner Rights makes one the owner of the data.

The second interpretation seems to be the reasonable reading of the law. This is because ownership of data is a problematic concept that, if applied, will raises practical and legal problems. Both Decree 13/2023 and the Draft PDPL do not recognize the ownership right of data subject toward its personal data. Under the Civil Code 2015, if one owns a thing, one can possess, use, and dispose of it to the exclusion of others. Accordingly, if a person "owns" a list of names under the Data Law, would that affect the rights of individuals on the list to use their own names?

That said, the second interpretation is not without problem as it is still not clear on what basis one can have or originate the Data Owner Rights.

5)          Unclear if trading of personal data is permitted

Under the Data Law, data prohibited from trading includes (i) data that poses a threat to national defense, security, foreign affairs, or cryptographic operations; (ii) data without the consent of data subject, unless otherwise prescribed by laws; and (iii) other data prohibited from transactions as stipulated by law. Based on this wording, it seems that personal data trading is prohibited since both Decree 13/2023 and the Draft PDPL expressly prohibit trading of personal data in any form, (placing it under category (iii)). The MPS, in a conference, further confirmed that the data subject’s consent does not serve as a legal basis for personal data trading.

However, in a recent public statement concerning data platforms, the MPS seems to take a different view, suggesting that personal data may be traded on data trading platforms if the data subject consents. This position seems to contradict existing regulations, creating uncertainty over the legal framework for personal data transactions.

6)          Potential overlaps with other laws

Given its broad scope, the Data Law governs nearly all activities related to digital data, including personal data, leading to potential overlaps with other laws, particularly those regulating personal data. While the Data Law attempts to address these overlaps, its provisions on this matter remain unclear:

  • For laws enacted before the Data Law: If their provisions do not conflict with the “principles” of the Data Law, they will prevail. However, it is unclear whether “principles” refer specifically to those principles outlined in Article 5 of the Data Law or if the term refers broadly to any provision of the Data Law.

  • For laws enacted after the Data Law: If inconsistencies arise, it must be explicitly determined which provisions will apply under the Data Law and which will follow the new law. This principle raises concerns about potential power conflicts among competent authorities, as different interpretations may lead to disputes over which regulations take precedence.

Please Login or Register for Free now to view all updates and articles

 Login  Sign Up

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

Venture North Law Firm

Venture North Law Limited (VNLaw) is a Vietnamese law firm established by Nguyen Quang Vu, a business lawyer with more than 17 years of experience. VNLaw is a boutique professional law firm focusing on corporate, commercial and M&A practices in Vietnam. Our goal is to be an efficient, innovative and client-friendly firm. To achieve that goal, we are designing a working environment and a compensation system which encourage our lawyers to provide more efficient services to clients and to focus on the long term benefit of the firm.

Click here to view the author's profile

Author

Tags

  • Vietnam
  • Legal Updates
  • Data Protection & Privacy

Related Content

  • No related content

Recent updates

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.

 

A leading provider of legal and tax know-how and information for Asia.

Useful Links

Contact Us

Hong Kong, China
Tel: +852 3001 8810
support@legalcentrix.com

Copyright © 1997 - 2025 Legal Centrix. All Rights Reserved Privacy Policy | Terms of Use

Some text to show in popup