Understanding Vietnam's Data Law: Key Objectives and Business Implications

APAC Region

Vietnam's new Law on Data (“Data Law”), passed on 30 November 2024, will take effect on 1 July 2025. The law regulates both personal and non-personal data, similar to the Chinese Data Security Law (“Chinese Data Law”). Vietnam’s Law represents a significant milestone in regulating Vietnam's digital environment.

Comparison with Vietnam’s Personal Data Protection Law

The Data Law regulates digital data, data products, and services, applying to both domestic and foreign entities in Vietnam, as well as offshore entities engaged in Vietnam's digital data activities. Unlike Vietnam’s Personal Data Protection Law, which is in draft form and focuses on personal data, the Data Law covers a broader range of digital data, including both personal and non-personal data.

Key Objectives and Obligations under the Data Law

A. Sharing Data with State Agencies

Organisations are required under the law to share data with state agencies at their request in case of emergencies, national security threats, disaster response, or terrorism prevention. The scope of data that state agencies may request is undefined. This may cause uncertainty for businesses, making it challenging to balance legal responsibilities with safeguarding sensitive information. Additional guidance is expected in April 2025.

State agencies are responsible for maintaining the confidentiality and security of such data that is provided to them, ensuring they are using it for relevant purposes, and destroying it when it is no longer required.

B. Restrictions on Processing and Transfers of Core and Important Data

Under the Data Law, both the processing of and cross-border transfers of “important” and “core data” must meet requirements to ensure national defence, security, and protect national and public interests as well as the rights of data subjects and owners, in line with Vietnamese laws and international treaties.

The Data Law identifies two types of data:  'core' and 'important'.

  • Core data is data that directly affects national security, foreign affairs, macroeconomics, social stability, public health, and safety. 
  • Important data, if compromised, could impact the above-mentioned areas.

Although the Data Law lacks clarity on the definitions of core and important data, it is worth noting that the Chinese Data Law includes these concepts. Core data under the Chinese Data Law includes strategic plans for national defence, data related to critical infrastructure such as power grids and transportation networks, and economic data that could impact national stability, like financial market information. It also encompasses health records and data related to public health emergencies, as well as information on social security and welfare programs. Important data includes unpublished government reports and internal communications, as well as data on government procurement and contracts. It also covers confidential business strategies and operational plans, along with proprietary research and development data. Further clarity on the Data Law is expected by July 2025, and Vietnam may draw upon the Chinese Data Law in defining these categories.

State agencies, data owners, and managers must implement the classification of core and important data, conduct periodic risk assessments, and report to cybersecurity units under the Ministry of Public Security or the Ministry of National Defence to ensure safety of this data.

Detailed regulations on cross-border data transfer and processing are expected by July 2025. Without these, ambiguous classifications could create confusion, deter investment, and hinder Vietnam’s digital economy growth.

C. Regulating Data Management, and Data Products and Services

The Data Law imposes new obligations on data managers[1], who must assess risks, protect data, and notify relevant parties of any issues. Data subjects can request data recovery, deletion, or destruction. Further regulations on data intermediary products and services, as well as data analysis and aggregation, will be issued. Data managers are responsible for establishing the process and implementing measures and methods of data recovery, deletion, or destruction at the request of a data subject.

Further regulations will be issued on data intermediary products and services, which facilitate commercial relationships for data exchange and access, as well as on data analysis and aggregation products and services.

Implications for Businesses

The Data Law is vital for Vietnam's digital transformation, enhancing data protection and public services. Centralised data management will boost productivity, reduce costs, and improve decision-making. Businesses must adapt to new legal requirements, especially for cross-border data transfers and compliance with core and important data regulations. As additional guidance is expected soon, businesses should assess the sensitivity of their data and the services they provide.

The information provided above does not, and is not intended to, constitute legal advice pertaining to the Data Law; information, content, and materials stipulated above is based on our reading of the amendments and are for general informational purposes only.

This article was written with insights and contributions from Tilleke & Gibbins Vietnam (Tram Ngoc Bich Nguyen and Mélynda Maheux). 

 

[1] Organisations or individuals that develop, manage, operate, and exploit data at the request of the data owner