Tilleke & Gibbins has contributed the Vietnam chapter to Data Protection 2025, a comprehensive comparative guide in the Law Over Borders series from Global Legal Post. This Q&A-style resource offers detailed insights into data protection regulations across multiple jurisdictions, serving as an essential reference for organizations managing personal data in today’s global business environment. The Vietnam chapter examines the evolving data protection landscape in Vietnam, including analysis of relevant provisions in the Cybersecurity Law, the Law on Information Technology, and the upcoming Personal Data Protection Decree. The chapter addresses key aspects of data protection through the following topics: Regulatory framework: Analysis of national laws regulating personal data, jurisdictional scope, application to different entities, and regulated data processing activities. Data categories and processing: Overview of regulated personal data types, special categories requiring enhanced protection, and lawful processing requirements. Compliance requirements: Explanation of controller and processor obligations, technical and organizational measures, and data subject rights. Commercial communications and international transfers: Rules governing direct marketing and cross-border data flows. Regulatory oversight: Details on enforcement powers, investigation procedures, sanctions, and remedies for noncompliance. Tilleke & Gibbins also contributed the Thailand chapter to Data Protection 2025. Readers can access the complete Data Protection 2025 guide through Global Legal Post’s Law Over Borders platform.

Vietnam’s Decree No. 147/2024/ND-CP on the management, provision, and use of internet services and online information (Decree 147) was issued on November 9, 2024, and came into effect on December 25, 2024. Decree 147 represents a more stringently regulated digital landscape in Vietnam, creating challenges not only for offshore service providers offering cross-border services but also for onshore providers. As these new regulations impose stricter requirements, particularly in areas like content control, user authentication, data storage, and service license/notification, companies will need to adapt quickly to maintain compliance and minimize legal risks. The following are some of the key topics covered by Decree 147. [Note: Shortly after the issuance of Decree 147, Vietnam began a government restructuring process, with the aim of streamlining the government by consolidating and eliminating various ministries and agencies. Thus, the decree’s references to authorities such as the Authority of Broadcasting and Electronic Information (ABEI) and the Ministry of Information and Communications (MIC) are subject to change.] 1. Cross-Border Information Provision Cross-border information provision is defined broadly as the provision by overseas organizations and individuals of information and online information content services for service users in Vietnam to access or use. This wide-ranging definition encompasses various types of cross-border services, including social network services, online game services, and app store services. However, cross-border provision of online game services remains prohibited under Decree 147 (see further details below). Offshore providers of services on a cross-border basis who lease data storage in Vietnam or meet a threshold of 100,000 or more total visits per month from Vietnam for six consecutive months (“regulated cross-border providers”) must adhere to stricter requirements. Specifically, they are required to, among other requirements: Notify the relevant authority of their contact information, including the location of the main server providing the service, within 60

Thailand’s draft Emergency Decree on Technology Crimes Suppression, which we covered in a client alert in January 2025 primarily addressed to telecom operators and financial institutions, is expected to have significant implications for a wide range of business operators.  The draft emergency decree has already been approved by the cabinet but may undergo further developments as it continues in the legislative process. In this article, we will highlight the material impacts of the draft emergency decree on overseas and local fintech operators. Expanded Definition of “Technology Crimes” The definition of “technology crimes” now includes the following acts of forgery or alteration: Forging or altering the identity of individuals and biometric characteristics by utilizing computer or communication systems or other electronic means to commit offenses. Forging or altering symbols, trademarks, or seals of groups (e.g., foundations, community enterprises) or juristic persons, including acts by juristic persons using individuals or juristic persons as nominal directors or shareholders, regardless of whether such individuals or legal juristic persons reside in Thailand. Forging or altering digital or online platforms, regardless of the platform’s location or legal status. Individuals who conspire, utilize, assist, or support the commission of these offenses will face the same penalties as the principal offender. Business Operator Definition The scope of “business operators” is now expanded to cover various fintech and digital asset operators beyond those under the Payment Systems Act (PSA). The draft emergency decree now includes the following operators, whether they are legally authorized or not: Business operators under the PSA and business operators who operate “as if” they are payment system operators Business operators under the Royal Decree on Digital Asset Businesses or business operators who operate “as if” they are digital asset business operators. Foreign exchange business operators. Disclosure and Exchange of Information Business operators must disclose

Vietnam’s political system is currently undergoing a significant reorganization to streamline government operations and improve efficiency. In this regard, Plan 141/KH-BCDTKNQ18, issued on December 6, 2024, provided guidelines on the restructuring of existing ministries, ministerial-level agencies, and government-affiliated agencies. Accordingly, the number of ministries is being reduced from 18 to 14 through mergers and consolidations and the establishment of a new Ministry of Ethnic and Religious Affairs. The number of ministerial-level agencies is being reduced to three, and government-affiliated agencies to five. Similar streamlining is happening at provincial levels. The newly consolidated state agencies will assume all functions, rights, and responsibilities of the merged entities, and will continue handling all ongoing matters previously handled by the former agencies. Some examples of these changes include the following: The Ministry of Science and Technology (MOST) will oversee telecommunications, IT applications, cybersecurity, e-transactions, and national digital transformation, which had previously been managed by the Ministry of Information and Communications (MIC). MOST will also be responsible for issuing licenses related to these areas, such as licenses for G1 online game services and telecommunication services. The Ministry of Culture, Sports, and Tourism will assume the responsibility of press management, previously under the MIC. The Ministry of Finance will assume state management functions related to investment, previously handled by the Ministry of Planning and Investment. Provincial Departments of Finance will issue Investment Registration Certificates and Enterprise Registration Certificates, a responsibility previously held by the Departments of Planning and Investment. The Ministry of Home Affairs will oversee labor and employment matters. Provincial Departments of Home Affairs will be authorized to issue work permits and will be the designated authorities for companies to register their internal labor regulations. Official Letter No. 35/CV-BCDTKNQ18 dated January 23, 2025, mandated that all ministries submit their draft decrees outlining their functions,