You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
January 24, 2025

Draft Guidance on Vietnam’s New Data Law Open for Public Consultation

Subscribe to Updates

Following Vietnam’s adoption of the new Law on Data (“Data Law”) on November 30, 2024, there remained uncertainty as to what impact the new framework would have on businesses in Vietnam and abroad. The government has now released a package of four draft legal documents aimed at guiding the implementation of the Data Law: (1) a decree on the National Data Development Fund (“NDDF Decree”), (2) a decree related to regulations on scientific, technological, and innovation activities and data products and services (“Decree on Specific Activities”), (3) a decree detailing a number of articles and measures to implement the Data Law (“Implementation Decree”), and (4) a decision on the lists of important data and core data. This article will provide an overview of the draft legislation.

1. NDDF Decree

The draft NDDF Decree relates to the establishment, management and use of a National Data Development Fund (“NDDF”), which is a non-profit and non-budgetary state financial fund established and managed by the Minister of the Ministry of Public Security (MPS). The NDDF has legal personality and is fully state owned, operating similarly to a single-member limited liability company. Its main objectives are to support, promote, and invest in artificial intelligence (AI), the Internet of Things (IoT), and other new technologies and innovation.

The NDDF may lend to, invest in, or otherwise support eligible organizations. The draft NDDF Decree also proposes a series of regulations on donations to the NDDF and from the NDDF (through expense support), the lending activities of the NDDF to commercial banks, which will in turn lend to eligible organizations, the investment activities in data products and services innovative start-ups, and other kinds of support.

The government commits to provide VND 1 trillion (approx. USD 40 million) to the NDDF, evidencing the importance the government places on fostering a thriving ecosystem for data product and service development, and its wish to position Vietnam as a center of innovation. However, the NDDF also intends to rely on donations. It remains to be seen whether the NDDF will operate effectively to boost the technology and data-related developments.

2. Decree on Specific Activities

The Decree on Specific Activities focuses on two main matters: regulations related to data products and services, and the creation of a regulatory sandbox to foster innovation.

Data Products and Services

The chapter on data intermediary products and services of the draft Data Law had been stripped down before enactment. The details are now prescribed in this draft decree under Chapter III, covering (i) data intermediary products and services, (ii) data analysis and aggregation services, and (iii) data marketplaces.

Data intermediary activities have now been clarified and include, among others, activities of representing data subjects and data owners to connect, share, exchange, and access data with service users; data management services; data cooperation and sharing services; etc.

Providers of data intermediary products and services between the service users and the state agencies must be fully registered and licensed, while other service providers can request the MPS to appraise them to unlock the same benefits as enterprises operating in high-tech, innovative, creative start-ups and the digital technology industry.

Further, the draft Decree on Specific Activities creates new personal data protection obligations for providers of data intermediary products and services, while personal data is not the main object of the Data Law. Among the new requirements, the obligation to limit the transfer of personal data abroad and ensure that the standard of protection is equivalent to the standard required by relevant laws has been inserted. As the government is currently developing the Personal Data Protection Law (more details here), it is unclear why it is also inserting such provision under the Data Law framework.

Businesses engaged in data intermediary products and services or data analysis and aggregation will need to take into account the personnel requirements that are reinserted in the draft Decree on Specific Activities. The head of the organization must be a Vietnamese citizen and permanent resident, with a university degree, who has directly managed a large scale data center and has at least three years of experience related to data management. This poses a significant issue for industry players, considering talent is scarce on the global scene, and in Vietnam. Further, the requirement for a minimum charter capital has been replaced by a mandatory deposit in a commercial bank operating in Vietnam of VND 5 billion (approx. USD 200,000). It is still unclear whether the cross-border provision of such products and services is possible and whether foreign businesses would be subject to the same requirements. The same requirements will apply to data marketplace service providers, but this is likely to pose lesser problems considering this business activity is restricted to non-business units or state-owned enterprises.

Data analysis and aggregation services are now categorized into four levels depending on the level of human supervision and the role of the products and services in the decision-making process. Licensing requirements will apply to automated decision-making, with or without human supervision, and to products and services using data from national databases. Here again, to unlock incentives, an organization that is not subject to the licensing requirements can request the MPS to conduct an appraisal. Biannual or annual reports on service provision must be sent to the management agency, based on a statutory form.

Data marketplace service providers include providers of data auction services, but also services to provide an environment for data trading and exchange and data-related product and services, and other services related to bidding, offering, introducing, representing, supporting and other activities related to data trading. Such data marketplace service providers must ensure that the channels to receive information and the use of the services are continuous 24/7, and publicly display service charges, prices, terms of use, and applicable conditions. They must also report biannually or annually to the management agency. All data products on the data marketplace must be authenticated with data origins. Organizations and individuals are responsible for the contents they post on data marketplaces and cannot auction at a price lower than the input fee for data products and services, ensuring fair competition. It is still unclear how private organizations will be able to leverage their data with these new marketplaces.

Regulatory Sandbox

Th draft Decree on Specific Activities also suggests the establishment of the necessary regulatory framework for a sandbox for research and application of science, technology, and innovation in the construction, development, protection, administration, processing and use of data as foreshadowed by Article 24.4 of the Data Law. This sandbox would be created to promote research and create a testing environment to assess the risks, costs and benefits of innovative products and services while limiting the risk to users of such products and services.

Participating in the sandbox is subject to being granted a certificate of testing activities – details of the application procedure being further described in the draft decree. The right to participate in the sandbox does not equal the right to provide the innovative products and services on the market. For any organization that is not allowed to participate in the sandbox, they are still encouraged to innovate but must do so within the applicable regulations at the time.

The draft Decree on Specific Activities sets out the obligations and the rights of the participating organizations, but also creates exemptions from liability with the aim to encourage innovation and creativity. The Ministry of Science and Technology is notably tasked to formulate detailed regulations on such exceptions, and other mechanisms and policies to foster innovation in Vietnam.

The government’s intention appears to be giving priority to innovative solutions in AI, cloud computing, blockchain, data communication, IoT, big data and other modern technologies. The draft decree notably suggests incentives to attract talent and FDI in these sectors.

3. Implementation Decree

The draft Implementation Decree provides clarification on many outstanding issues pursuant to the Data Law, notably (i) the mandatory provision of data to state agencies upon request, (ii) the cross-border transfer of data, and (iii) data protection measures.

Mandatory Provision of Data to State Agencies

The procedure applicable to the provision of data to state agencies upon request has been clarified to a certain extent. The draft Implementation Decree sets out that ministers, heads of ministerial level agencies, and presidents of provincial-level People’s Committees are competent to request data from organizations, ensuring such requests are emanating from a high-level rank. Such requests must be made in writing, unless it is impossible, and must specify the data requested, the purpose, the processing period, the legal basis for the request, the time limit to provide the data and the sanction for not providing such data. The data handover must be recorded in minutes. However, the organization receiving the request has the right to request amendment or withdrawal of the request. The extent of the data that can be requested has not been further limited or clarified, but the requesting agencies must respect the lawful purpose of the data manager and data owner and must protect business secrets and personal secrets.

Cross-Border Transfer of Data

With an aim to clarify what is included in the definition of “core” and “important” data, the Implementation Decree provides criteria to determine the category of the data, based on its degree of impact on a specific field, group, or region that may have an impact on national defense, security, foreign affairs, macroeconomics, social stability, or public health and safety (excluding trade secrets).

“Core data” will notably comprise some sensitive governmental information like guidelines and policies of the Vietnamese Communist Party and the state on domestic and external relations; strategies and plans to protect the fatherland; organization and operations of the armed forces; data on plans for collection, exchange, and issuance of money; data on natural resources and the environment, and newly discovered microbial strains and varieties related to human health and life; processes to produce medicinal herbs and rare biological drugs; and data on inspection, examination, denunciation and prevention of corruption.

“Important data” will notably comprise information that may affect national security, the Vietnamese Communist Party, the state and the socialist regime, major overseas projects, safety of overseas energy sources, security of international cooperation, infrastructure of important economy sectors; and the life, health, honor, dignity, property, and legitimate rights of organizations and individuals. The latter being very broad, as further discussed in section (4) regarding the Decision below. Due attention should be paid to the development of the Implementation Decree and the Decision to ensure that it does not impede the free flow of data, considering Vietnam’s commitment not to restrict data flows under numerous international treaties and agreements.

The transfer of core and important data outside of Vietnam is subject to additional requirements, notably the data owner must conduct a risk assessment and establish an impact assessment dossier. For core data, the transfer can only be made once the “satisfactory assessment results” have been obtained from the MPS or the Ministry of National Defense, as the case may be. For important data, the transfer can be made when the assessment is submitted and the transferor has not received objection from the authorities within the regulated timeline, but the MPS and the Ministry of National Defense can request the data transferor to stop the transfer if the impact assessment is not sufficiently supplemented following such request from the authorities. An important point to note is that the draft Implementation Decree also restricts the disclosure of data domestically by imposing other impact assessment requirements, with stricter regulations being proposed for the sharing of core and important data.

Further, notwithstanding the category of data being transferred abroad, the data transferor must ensure the protection of the legitimate rights and interest of the data subject, national defense and security, and national interests and public interests. It must also enter into an agreement with the recipient, in which mandatory content has finally been clarified.

Data Protection Measures

Additional guidance is also provided on the measures to implement risk management related to data processing with lists of technical and organizational measures being proposed. This has long been requested by the private sector to better understand the expectations of the authorities in terms of data protection. Consequently, core and important data are subject to additional security measures. This multi-layered approach to data protection aligns with international standards and ensures that measures are implemented in accordance with the sensitivity of the related data.

In addition, the draft Implementation Decree provides that, when the data owner needs to transfer data in the context of merger, reorganization, or bankruptcy, such data owner needs to prepare a plan for such transfer and to notify impacted users via phone call, text message, email, or notice.

It is worth noting that many of the measures being imposed are inspired by best practices in personal data protection (e.g., record of processing activities, access controls, training of employees, proper deletion and destruction procedures, etc.). Although one would understand why such measures would be relevant in the case of core and important data, the requirements would be very burdensome for “ordinary” data processing. The scope of application of the Data Law (and its future guiding decrees) will cover any organization participating in or related to digital data activities. As digital data is simply data in digital form, the application scope is very broad, and the obligations far-reaching.

4. Decision on Lists of Important Data and Core Data

The draft decision lists out types of important data and core data for the implementation of the Data Law, especially the regulations on cross-border data transfer discussed above. There are 24 types of core data and 18 types of important mentioned in the decision. Enterprises will need to pay special attention to the following types of important data, among others, to ensure future compliance:

  • Data in the field of healthcare (e.g., data on the health records and biometrics of Vietnamese citizens, if 10,000 or more people are involved);
  • Data in the field of finance and budget (e.g., data on insurance contracts, insurance amounts, insurance claim records, and insurance claim amounts for 10,000 or more customers);
  • Data in the field of information and communication (e.g., data that can be used for social mobilization, internet behavior data of more than 100,000 users, etc.);
  • Basic personal data of 1 million or more people, other sensitive personal data of 10,000 or more people.

Next Steps

The draft decrees are open for public consultation until March 17, 2025, while the timeline is unclear for the draft decision. This might be the last opportunity for the private sector to advocate for a more business-friendly regulatory framework, as the Data Law is entering into force on July 1, 2025, and the guiding decrees and decision are expected to follow the same timeline.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

January 23, 2025
Thailand’s Ministry of Digital Economy and Society, through the Digital Economy Promotion Agency (DEPA), recently held a focus group hearing on the draft Gaming Industry Promotion Act. This legislation seeks to strike a balance by promoting the growth of the online game industry while safeguarding society, with a particular focus on protecting youth from potential negative impacts and enhancing a positive gaming environment. From the public releases, the draft act is expected to address several key aspects, including: Registration requirements for key industry players, such as developers and platform providers. It is also worth monitoring whether these requirements will also apply to offshore entities offering services to users in Thailand. Governance measures, such as game rating systems and measures to address online gambling and violence in games. Incentives, such as the establishment of a fund to support the gaming industry, and tax incentives to promote Thai gaming businesses. DEPA plans to incorporate feedback from the focus group hearing to refine the Draft Act. The legislation is expected to be submitted to the cabinet for approval by April 2025, with enactment expected by the end of 2025. As this draft law is still at an early stage, amendments may be introduced during the legislative process. Businesses and stakeholders in the gaming industry are encouraged to monitor the matter closely and assess how the developing legislation may impact their operations. For more details on the draft Gaming Industry Promotion Act, or on any aspect of the gaming industry in Thailand, please contact Athistha Chitranukroh at [email protected], Nopparat Lalitkomon at [email protected], Napassorn Lertussavavivat at [email protected], Sirirat Rinsiri [email protected], or Rada Lamsam at [email protected].
Read More
January 22, 2025
Tasked with implementing the Politburo’s policy outlined in Notice No. 47-TB/TW dated November 15, 2024, the prime minister of Vietnam issued Decision No. 1718/QD-TTg on December 31, 2024, appointing himself as the head of a steering committee dedicated to the establishment of an international financial center in Ho Chi Minh City and a regional financial center in Da Nang by 2025. The Ministry of Planning and Investment has subsequently drafted an outline for the National Assembly’s Resolution on the Establishment of Regional and International Financial Centers in Vietnam (“Draft Resolution”). This Draft Resolution introduces two key policy groups: (i) policies governing the quantity, location, structure, organization, functions, and responsibilities of the financial centers; and (ii) policies applicable to various areas and matters within the financial centers. Notably, under the Draft Resolution, fintech has been identified as a key sector, with a specific focus on the implementation of a “controlled sandbox” policy for business models involving virtual assets and cryptocurrencies. Under this framework, transactions related to virtual assets and cryptocurrencies will be permitted from July 1, 2026, subject to licensing, management, impact assessment, and risk oversight by the financial centers’ Management and Operations Committee. Scope of Application and Key Principles The Draft Resolution applies to a wide range of stakeholders, including investors, regulatory agencies, organizations, and individuals involved in the establishment, organization, and operation of regional and international financial centers in Vietnam. These financial centers will have clearly defined geographical boundaries and specific locations, which will be further specified and detailed by the People’s Committees of Ho Chi Minh City and Da Nang. Companies successfully registered as members of these financial centers will benefit from special investor-friendly policy principles, which may differ from the general legal and regulatory framework applicable in other parts of Vietnam. Most notably, the state will
Read More
January 21, 2025
Vietnam’s Ministry of Information and Communications has released the latest version of its draft Law on the Digital Technology Industry (DTI Law), marking a significant step toward comprehensive regulation of digital technologies, notably addressing artificial intelligence (AI). The draft law was deliberated in the National Assembly on January 6, 2025, and is expected to be adopted in May 2025. Once in effect, the law will modernize Vietnam’s existing information technology regulatory framework. Background Vietnam has been steadily building its regulatory framework for AI since January 2021, when the prime minister issued Decision No. 127/QD-TTg on the National Strategy for Research, Development, and Application of Artificial Intelligence until 2030. While various ministries have been tasked with issuing guidance documents and technical standards, Vietnam still lacks a comprehensive legal framework specifically addressing AI and digital technologies. The draft DTI Law aims to fill this gap by providing a structured approach to regulating the digital technology industry. Scope and Definitions The draft DTI Law establishes a broad framework governing digital technology industry activities, initiatives for developing the digital technology sector, and rights and obligations of organizations and individuals in the industry. The draft law also proposes the creation of various incentives, primarily in the form of tax benefits, for encouraging foreign direct investment, talent acquisition and development, and industry growth. The draft law introduces several important definitions, particularly around AI, which is defined as digital technology that simulates human intelligence to generate content, forecasts, suggestions, and decisions based on human-determined goals. The draft distinguishes between different categories of AI systems: High-risk AI systems: Those posing risks to health, safety, rights, and legitimate interests. High-impact AI systems: Distinguished by their broad scope, large user base, and significant computational resources for training. Standard AI systems: Basic systems that apply AI for automated analysis and
Read More
January 20, 2025
Thailand’s official draft Platform Economy Act (PEA) was released on January 15, 2025, for public comment until February 15, 2025. The draft PEA is positioned as a general or overarching law for digital intermediary services and digital platform service businesses. The official release of the draft came after the sharing of the set of principles that would form the basis for the official draft PEA in November 2024. The draft PEA incorporates those principles and adds more detailed provisions. Especially notable is that the draft PEA requires all intermediary service providers and online platform operators—both Thai and foreign—to appoint a point of contact to liaise with the Electronic Transactions Development Agency (ETDA) if they have any users in Thailand. However, the draft PEA does not mandate establishment of a local entity in Thailand. Types of Intermediary Services The draft PEA sets out a three-tiered classification system for different types of service providers, ordered from fewest obligations to most: Intermediary services. Intermediary services are further divided into three subcategories: mere conduit, caching, and hosting. Each type of intermediary service has different safe harbor provisions, which define their scope and limitations. Online platform services. Online platform services are defined as involving “the provision of intermediary services in the hosting category that involve facilitating the matching of various types of users to enable transactions or interactions, whether or not a fee is charged. Additionally, such services may include other provisions to facilitate these transactions or interactions.” Key obligations for online platform providers include: Informing users of their rights and duties under relevant laws Implementing a notice-and-action mechanism Disclosing advertising information Publishing T&Cs, including details such as service fees, algorithms, and complaint management mechanisms. Very large online platform services. Very large online platform services (VLOPs) have extra duties beyond regular online platform services,
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice