Following the promulgation of the Data Law, which is set to take effect on July 1, 2025, the Vietnamese Government has recently released several draft documents guiding its implementation. These documents cover various aspects, including:
- The draft decree detailing certain articles and implementation methods of the Data Law;
- The draft decree regulating scientific, technological, and innovation activities and data products and services;
- The draft decree on the National Data Development Fund (NDDF); and
- The draft decision on the list of important and core data.
This article aims to provide an overview of the developments in Vietnam’s data regulation, focusing on critical insights into the draft decree detailing certain articles and implementation methods of the Data Law (the “Draft Decree”). The Draft Decree introduces regulatory mechanisms affecting organizations operating in Vietnam’s digital ecosystem, from data classification to cross-border transfers and government access requirements.
Expanded Scope of Data Regulation
The Draft Decree applies to:
- Vietnamese agencies, organizations, and individuals;
- Foreign agencies, organizations, and individuals in Vietnam; and
- Foreign agencies, organizations, and individuals outside Vietnam engaged in or associated with digital data-related activities in Vietnam.
With this broad scope, businesses, both local and international, will need to ensure their data governance frameworks align with the regulatory expectations set forth in the Data Law and the Draft Decree.
Classification of “Core” and “Important” Data
The Draft Decree provides clear criteria for defining “core data” and “important data,” which directly influences how organizations must manage, protect, and process such information. Key aspects include:
- Core data encompasses national security-related data, strategic economic infrastructure, and sensitive information impacting public safety; and
- Important data covers economic, social, and public health-related datasets.
Companies handling either category may face stricter compliance requirements, particularly in storage, access, and cross-border processing.
Cross-Border Data Transfers: Stricter Regulations
Vietnam has historically emphasized data localization, particularly in the 2018 Cybersecurity Law and Decree No. 13/2023/ND-CP on Personal Data Protection (Decree 13). The Draft Decree continues this trend by mandating that businesses transferring core or important data outside Vietnam must:
- Conduct a risk assessment before cross-border transfer;
- Submit an impact assessment dossier to the relevant government agency; and
- Clearly identify obligations and responsibilities on data protection in legitimate agreements concluded with data receivers offshore.
These obligations add a layer of bureaucratic oversight and may hinder seamless data flows for multinational businesses operating in Vietnam. Additionally, businesses are required to prepare and submit impact dossiers for transferring core and important data outside Vietnam, which may cause compliance overlap if lacking proper guidance.
Government Access to Data
The provision of data to government authorities is encouraged on a voluntary basis, with the consent of the data subject required for the processing of personal data and the permission of the data owner necessary for non-personal data.
However, the Draft Decree does not clearly state whether obtaining the data subject’s consent or permission is mandatory when outlining obligations to provide data to government authorities under specific circumstances, such as:
- National security threats;
- Public health emergencies;
- Disaster response efforts; and
- Counter-terrorism and anti-riot operations.
The Draft Decree imposes formal requirements for government data requests, but these are not particularly stringent. Verbal requests are allowed in cases where a written request cannot be provided immediately, provided that a written confirmation follows.
Businesses handling large volumes of personal or corporate data should assess the impact of these obligations on their data protection and compliance strategies.
Establishment of a National Data Infrastructure
The Draft Decree mandates the creation of the National Data Center, which will serve as a centralized hub for government data collection, storage, and exchange. Companies storing or processing regulated data may be required to integrate their systems with this center, raising concerns over operational flexibility and data security.
Key Considerations for Businesses Moving Forward
With the Data Law and its Draft Decree set to reshape Vietnam’s digital landscape, businesses should consider the following:
- Assess Data Handling Practices: Identify whether your organization processes core or important data and prepare for heightened compliance.
- Re-Evaluate Cross-Border Data Transfers: Ensure legal documentation and risk assessments align with new regulatory expectations.
- Engage in Regulatory Discussions: Since the Draft Decree is still under consultation, businesses should participate in policy dialogues and provide feedback to shape final regulations.
- Strengthen Data Protection Measures: Implement enhanced security controls and audit mechanisms to ensure compliance with potential government data access requests.
Conclusion
The Draft Decree represents a pivotal shift in Vietnam’s data governance regime. While it offers greater clarity on compliance obligations, it also introduces stringent regulations that businesses must navigate carefully.
Given the evolving regulatory landscape, organizations operating in Vietnam should take a proactive approach to compliance, adjusting data policies, engaging with regulators, and ensuring robust security practices to meet new legal requirements.
