You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

Search
Close this search box.
December 24, 2024

Vietnam’s Data Revolution: Law on Data

Subscribe to Updates

On November 30, 2024, the Data Law was officially promulgated after an accelerated preparation process that began in February 2024. The Data Law is set to take effect on July 1, 2025. Having extraterritorial effect, the Data Law will impact both local and foreign individuals and enterprises.

As noted in our previous legal update, the Data Law governs digital data, the National Data Center, the National General Database, digital data products and services, digital data management, and the rights, obligations, and responsibilities of agencies, organizations, and individuals related to digital data activities.

This legal update provides an overview of the Data Law, with a deep focus on the key provisions likely to impact businesses operating or offering services in Vietnam.

New Data Definition and Classification

The Data Law broadly defines “digital data” as data about objects, phenomena, and events, which can include one or a combination of audio, images, numbers, text, or symbols represented in digital format (hereinafter referred to as “data”). This definition is very broad and potentially covers any information recorded or represented in digital forms, including personal and nonpersonal data (such as business data, transactional data, trade secrets, etc.). Data is further categorized into different types that can be used by public bodies. However, the rights and obligations associated with each type of data are not clearly addressed. The data classification criteria include:

  • The nature of data sharing (shared data, private data, open data);
  • The importance of data (core data, important data, and other data);
  • Any other criteria to meet the requirements of data administration, processing, and protection, as determined by the data owner.

While the Data Law requires private organizations to categorize data based on its level of importance, it still grants these organizations the right to categorize data based on other criteria.

Cross-Border Data Transfers and Processing

Under the Data Law, agencies, organizations, and individuals can freely transfer and process offshore data in Vietnam, with the state protecting their lawful rights and interests.

For core and important data, the law regulates cases deemed as cross-border data transfers, including the transfer of data to foreign organizations and individuals, which was not mentioned in the Personal Data Protection Decree or the publicized version of the draft Personal Data Protection Law. Currently, the Data Law imposes no specific restrictions on cross-border data transfers, but these activities must comply with national defense, security, public interests, and international treaties. Further guidance is expected in a future government decree, which enterprises will also need to keep an eye on.

Under the Data Law, “important data” refers to data that may impact national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety, while “core data” means important data that directly affects national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety. More detailed lists of important data and core data will be issued by the prime minister.

National Comprehensive Database

The government will establish and manage a National Comprehensive Database, consolidating open, shared, and private data, as well as other data from various sources, including state and party agencies. This database will include data from administrative procedures and public services, though it is unclear whether it will include data submitted by private organizations during administrative filing processes. Once the National Comprehensive Database is created, it is possible that various authorities may have easy access to the data, which will strongly facilitate their supervision and enforcement activities.

Organizations and individuals can voluntarily contribute data, and in certain cases, may be requested to do so, as further explained below.

Access Rights of Competent Agencies

The Data Law sets out the conditions under which state agencies can access data from organizations and individuals. These access rights have been limited and are more restricted than the typical access rights that the government tends to reserve for itself. Under the Data Law, the request to access can be made under four special cases: (1) in response to a state of emergency; (2) upon a threat to national security, but not to the extent of declaring a state of emergency; (3) upon disasters; or (4) for the prevention of riots or terrorism. Consent from relevant data subjects is not required for data sharing in this case. If the data is encrypted, the state agencies also have the right to decrypt data for their access and usage.

The Data Law also prescribes certain responsibilities for state agencies when receiving data, which is a welcome development. Further regulations on the authorities access rights and the data provision obligations of private organizations and individuals are expected to be encompassed in the decree guiding this Data Law.

These new developments and limitations to access powers were among the requests the business community made following the first draft Data Law (circulated in March 2024), aiming to safeguard the attractiveness of the Vietnamese market and protect proprietary data.

New Data-Related Products and Services

Recognizing new data-related products and services, the Data Law opens the market to new opportunities for local players. However, the Data Law has yet to provide any definition of “data-related products and services” in general, and these products and services could be broadly interpreted to encompass any services related to data processing.

The Data Law clearly indicates that its provisions apply to data intermediary products and services, data analysis and aggregation, and data platforms. Accordingly, depending on the specific nature of the products or services, they may be subject to registration or licensing requirements as stipulated under the Data Law and its forthcoming guiding decree.

Applicability of the Data Law

To address the risk of contradiction or conflict in the patchwork of regulations related to data, the Data Law stipulates that where other laws issued before its effective date (July 1, 2025) contain regulations on key data-related activities (such as building, developing, protecting, managing, processing, and using data) that do not contradict the principles of the Data Law, the provisions of those laws shall still apply. The Data Law is silent on the consequences if the provisions of existing laws contradict the Data Law.

Furthermore, the Data Law requires new laws issued after its effective date to clarify how they comply with or deviate from the Data Law, ensuring a clear understanding of implementation requirements.

Looking Ahead

The Data Law explicitly recognizes that data is a resource that state policies will mobilize and develop into assets. This has the potential to pave the way for many data-related businesses in the future and offers promising opportunities for tech companies with a strong focus on data.

The Data Law recognizes the importance of data in the digital age and highlights Vietnam’s commitment to fostering a secure and innovative data environment. However, the scope and applicability of the Data Law, especially those overlapping with other existing laws or regulations, are still ambiguous, as discussed above. Thus, it remains to be seen how legislators will address these issues in the future.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

November 13, 2024
Thailand’s Electronic Transactions Committee has publicized a new draft notification detailing additional duties for specific marketplace digital platform service operators under Section 18(2) of the Royal Decree on Operation of Digital Platform Service Businesses Subject to Prior Notification B.E. 2565 (2022). The draft notification, which is open for public comments until November 30, 2024, aims to provide enhanced protection for users of “specific marketplace platforms” (defined below). Some key points of the draft notification are detailed below. Scope The draft notification applies to “marketplace digital platform services,” which refers to digital platform services that serve as an intermediary for buying or exchanging goods and provide services to facilitate sale transactions, such as providing communication systems (e.g., chat features), shopping carts, delivery arrangements, and supplemental payment processing facilitation. “Specific marketplace platforms” refers to Section 18(2) of the Royal Decree on Digital Platform Services, which covers digital platform services that pose risks to financial and commercial security, the reliability and credibility of data messaging systems, or potential harm to the public, and that have a high level of potential impact based on the criteria for assessing the impact of digital platform service operations. Key Obligations Registration. The draft notification requires the marketplace operators mentioned above to be registered as legal entities in Thailand. Terms and conditions. The draft notification details additional obligations relating to marketplace operators’ terms and conditions: In addition to existing obligations prescribed in the Royal Decree and the relevant subordinate laws, the draft notification emphasizes that the terms and conditions must be in Thai, clear, accessible, and understandable, and may include graphical elements to aid explanation. The terms and conditions must prescribe conditions relating to the sale of products subject to specific standards, such as those restricted under the Food Act, the Drugs Act, and the Industrial Product
Read More
November 11, 2024
The Vietnamese government has demonstrated a strong commitment to building a digital government, digital economy, and digital society through its recently issued national strategy on digital infrastructure. Under Decision No. 1132/QD-TTg dated October 19, 2024, on “Digital Infrastructure Strategy to 2025 with Orientation to 2030,” the government will create supportive conditions for both domestic and international businesses to invest in digital infrastructure with cybersecurity as a priority. Recognized as vital to the economy, this digital infrastructure will consist of four main components: (i) telecommunications and internet infrastructure, (ii) data infrastructure, (iii) physical-digital infrastructure, and (iv) digital utility infrastructure, including digital technology as a service. Key goals for 2025 include universal fiber optic access for households, 100% 5G coverage across all provinces and cities, deployment of at least two new international undersea fiber optic cables, establishment of AI data centers, development of green-standard data centers, and platforms for IoT, AI, big data, blockchain, and cybersecurity. By 2030, goals include fiber access with speeds of at least 1 Gbps, 5G coverage for 99% of the population, readiness for 6G trials, six additional international undersea fiber optic cables, development of a hyperscale data center, and positioning Vietnam as a digital hub. To achieve these goals, the government has outlined some core tasks, creating significant opportunities for both foreign and domestic investors: Developing telecommunications and internet infrastructure for widespread fiber optic and 5G access, while preparing for emerging technologies like 6G, Open RAN, satellite, and IpV6. Telecommunication enterprises will jointly invest in and share the use of international fiber optic cable routes to ensure efficient capacity utilization and optimize investment capital. Attracting foreign and domestic investment to establish hyperscale data centers and cloud computing services that meet global standards. Creating physical-digital infrastructure by integrating technology across key sectors such as transportation, energy, healthcare,
Read More
November 8, 2024
On October 31, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) opened a public consultation period on its draft notifications—one directed at data controllers and another at data processors—regarding exemptions from the requirement to create and maintain records of processing activities (ROPAs) under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). The draft notification for data controllers aims to amend and revoke certain aspects of the first ROPA exemption notification issued in June 2022 and outlines the criteria for data controllers to be exempted from the obligation to prepare and maintain such records. Although it is officially titled “Notification of the Personal Data Protection Committee on Exemption from Record-Keeping Requirements for Small Business Data Controllers,” this draft notification applies to all types of exempted data controllers (see list below), and not only small businesses. The draft notification for data processors is new and does not replace any prior notification. The criteria under both draft notifications exempt certain data controllers and data processors from the obligation to maintain ROPAs, but exempted data controllers are not free from the obligation to retain information on the rejection of data subjects’ requests to exercise certain rights under the PDPA. While these criteria remain consistent with the June 2022 ROPA exemption notification, there are a few key takeaways from the notifications, as detailed below. Types of Exempted Parties The draft notification on data controllers adds condominium and housing estate juristic persons, as well as individuals, to the list of parties eligible for an exemption, while removing internet cafes from the list. The new draft notification for data processors mirrors the corresponding list in the draft notification for data controllers. The complete list of parties eligible for ROPA exemptions under the draft notifications is as follows: SMEs according to the law on
Read More
October 8, 2024
On October 1, 2024, the Thai cabinet acknowledged the recommendations proposed by the National Anti-Corruption Commission (NACC) to prevent corruption related to online gambling. The Ministry of Digital Economy and Society (MDES) has been assigned as the lead agency to collaborate with various relevant agencies to reach a consensus on the necessary amendments and updates to laws related to online gambling. In assigning the MDES this role, the cabinet emphasized the importance of the following key items: Establishment of a national committee. The national committee will be chaired by a minister and will comprise relevant agencies, including policymaking bodies, technology agencies, frequency management agencies, law enforcement agencies, and other experts. The committee’s primary responsibility will be to consider amending and updating laws related to online gambling. Urgent action on online gambling. As online gambling has been deemed a serious issue requiring urgent action, joint policies will be developed among relevant agencies such as the Royal Thai Police, the Bank of Thailand, and the Anti-Money Laundering Office to elevate the importance of online gambling issues. Public awareness and law enforcement. Public awareness campaigns are to be conducted to educate the public about the risks and legal consequences of online gambling, and laws against online gambling and related financial crimes are to be strictly enforced. Compliance with the Cybersecurity Act. It is necessary to ensure strict compliance with the Cybersecurity Act B.E. 2562 (2019). At the same time, government data systems are to be moved to cloud computing for enhanced data security. Next Steps The MDES is tasked with summarizing the results of the related discussions, actions taken, and overall opinions and submitting the summary to the cabinet secretariat for further presentation to the cabinet. These measures aim to address and mitigate the risks associated with online gambling and related corruption.
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2024 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Fraudulent Communications

| Legal Notice