Drawing insights from data law draft

The draft decree introduces regulations affecting organisations operating in Vietnam’s digital ecosystem, from data classification to cross-border transfers and government access requirements.

The decree applies to domestic agencies, organisations, and individuals, foreign equivalents in Vietnam, and those outside Vietnam engaged in or associated with digital data-related activities in this country.

Dang The Duc managing partner Indochine Counsel and Thai Gia Han senior associate Indochine Counsel

With this broad scope, local and international businesses will need to ensure their data governance frameworks align with the regulatory expectations in the new law and the draft decree.

The draft provides clear criteria for defining core and important data, which directly influences how organisations must manage, protect, and process such information. Key aspects include that core data encompasses national security-related data, strategic economic infrastructure, and sensitive information impacting public safety. Important data covers economic, social, and public health-related datasets.

Companies handling either category may face stricter compliance requirements, particularly in storage, access, and cross-border processing.

Vietnam has historically emphasised data localisation, particularly in the 2018 Cybersecurity Law and a 2023 decree on personal data protection. The draft decree continues this trend by mandating that businesses transferring core or important data outside Vietnam must conduct a risk assessment before cross-border transfer, submit an impact assessment dossier to the relevant government agency, and clearly identify obligations and responsibilities on data protection in legitimate agreements concluded with receivers offshore.

These obligations add a layer of bureaucratic oversight and may hinder seamless data flows for multinational businesses operating in Vietnam. Additionally, businesses are required to prepare and submit impact dossiers for transferring core and important data outside Vietnam, which may cause compliance overlap if lacking proper guidance.

The provision of data to government authorities is encouraged on a voluntary basis, with the consent of the subject required for the processing of personal data and the permission of the owner necessary for non-personal data.

However, the draft does not clearly state whether obtaining the subject’s consent or permission is mandatory when outlining obligations to provide data to government authorities under specific circumstances, such as national security threats, public health emergencies, disaster response efforts, or counter-terrorism and anti-riot operations.

The draft decree imposes formal requirements for government data requests, but these are not particularly stringent. Verbal requests are allowed in cases where a written request cannot be provided immediately, provided that a written confirmation follows.

Businesses handling large volumes of personal or corporate data should assess the impact of these obligations on their protection and compliance strategies.

The draft mandates the creation of a national data centre, which will serve as a centralised hub for government data collection, storage, and exchange. Companies storing or processing regulated data may be required to integrate their systems with this centre, raising concerns over operational flexibility and security.

With the Data Law and its draft decree set to reshape Vietnam’s digital landscape, businesses must prepare for significant regulatory changes. A key priority is assessing handling practices, identifying whether an organisation processes core or important data, and ensuring readiness for heightened compliance requirements.

Cross-border data transfers will also need careful re-evaluation. Companies must ensure that legal documentation and risk assessments align with new regulatory expectations to avoid potential disruptions. Given that the draft remains under consultation, businesses should engage in policy discussions and provide feedback to shape the final regulations in a way that balances compliance with operational feasibility.

At the same time, strengthening protection measures will be essential. Organisations should implement enhanced security controls and audit mechanisms to comply with potential government data access requirements.

The draft decree represents a pivotal shift in Vietnam’s data governance regime. While it provides greater clarity on compliance obligations, it also introduces more stringent regulations that businesses must navigate carefully. Given this evolving regulatory landscape, companies operating in Vietnam should take a proactive approach – adjusting policies, engaging with regulators, and ensuring robust security practices to meet new legal requirements.

National Assembly adopts Law on Data Vietnam’s National Assembly (NA) on November 30 officially adopted the Law on Data, expecting to accelerate digital transformation and digital economy development.