December 24, 2024
Vietnam’s Data Revolution: Law on Data

On November 30, 2024, the Data Law was officially promulgated after an accelerated preparation process that began in February 2024. The Data Law is set to take effect on July 1, 2025. Having extraterritorial effect, the Data Law will impact both local and foreign individuals and enterprises.

As noted in our previous legal update, the Data Law governs digital data, the National Data Center, the National General Database, digital data products and services, digital data management, and the rights, obligations, and responsibilities of agencies, organizations, and individuals related to digital data activities.

This legal update provides an overview of the Data Law, with a deep focus on the key provisions likely to impact businesses operating or offering services in Vietnam.

New Data Definition and Classification

The Data Law broadly defines “digital data” as data about objects, phenomena, and events, which can include one or a combination of audio, images, numbers, text, or symbols represented in digital format (hereinafter referred to as “data”). This definition is very broad and potentially covers any information recorded or represented in digital forms, including personal and nonpersonal data (such as business data, transactional data, trade secrets, etc.). Data is further categorized into different types that can be used by public bodies. However, the rights and obligations associated with each type of data are not clearly addressed. The data classification criteria include:

  • The nature of data sharing (shared data, private data, open data);
  • The importance of data (core data, important data, and other data);
  • Any other criteria to meet the requirements of data administration, processing, and protection, as determined by the data owner.

While the Data Law requires private organizations to categorize data based on its level of importance, it still grants these organizations the right to categorize data based on other criteria.

Cross-Border Data Transfers and Processing

Under the Data Law, agencies, organizations, and individuals can freely transfer and process offshore data in Vietnam, with the state protecting their lawful rights and interests.

For core and important data, the law regulates cases deemed as cross-border data transfers, including the transfer of data to foreign organizations and individuals, which was not mentioned in the Personal Data Protection Decree or the publicized version of the draft Personal Data Protection Law. Currently, the Data Law imposes no specific restrictions on cross-border data transfers, but these activities must comply with national defense, security, public interests, and international treaties. Further guidance is expected in a future government decree, which enterprises will also need to keep an eye on.

Under the Data Law, “important data” refers to data that may impact national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety, while “core data” means important data that directly affects national defense, security, foreign affairs, macroeconomics, social stability, health, and public safety. More detailed lists of important data and core data will be issued by the prime minister.

National Comprehensive Database

The government will establish and manage a National Comprehensive Database, consolidating open, shared, and private data, as well as other data from various sources, including state and party agencies. This database will include data from administrative procedures and public services, though it is unclear whether it will include data submitted by private organizations during administrative filing processes. Once the National Comprehensive Database is created, it is possible that various authorities may have easy access to the data, which will strongly facilitate their supervision and enforcement activities.

Organizations and individuals can voluntarily contribute data, and in certain cases, may be requested to do so, as further explained below.

Access Rights of Competent Agencies

The Data Law sets out the conditions under which state agencies can access data from organizations and individuals. These access rights have been limited and are more restricted than the typical access rights that the government tends to reserve for itself. Under the Data Law, the request to access can be made under four special cases: (1) in response to a state of emergency; (2) upon a threat to national security, but not to the extent of declaring a state of emergency; (3) upon disasters; or (4) for the prevention of riots or terrorism. Consent from relevant data subjects is not required for data sharing in this case. If the data is encrypted, the state agencies also have the right to decrypt data for their access and usage.

The Data Law also prescribes certain responsibilities for state agencies when receiving data, which is a welcome development. Further regulations on the authorities access rights and the data provision obligations of private organizations and individuals are expected to be encompassed in the decree guiding this Data Law.

These new developments and limitations to access powers were among the requests the business community made following the first draft Data Law (circulated in March 2024), aiming to safeguard the attractiveness of the Vietnamese market and protect proprietary data.

New Data-Related Products and Services

Recognizing new data-related products and services, the Data Law opens the market to new opportunities for local players. However, the Data Law has yet to provide any definition of “data-related products and services” in general, and these products and services could be broadly interpreted to encompass any services related to data processing.

The Data Law clearly indicates that its provisions apply to data intermediary products and services, data analysis and aggregation, and data platforms. Accordingly, depending on the specific nature of the products or services, they may be subject to registration or licensing requirements as stipulated under the Data Law and its forthcoming guiding decree.

Applicability of the Data Law

To address the risk of contradiction or conflict in the patchwork of regulations related to data, the Data Law stipulates that where other laws issued before its effective date (July 1, 2025) contain regulations on key data-related activities (such as building, developing, protecting, managing, processing, and using data) that do not contradict the principles of the Data Law, the provisions of those laws shall still apply. The Data Law is silent on the consequences if the provisions of existing laws contradict the Data Law.

Furthermore, the Data Law requires new laws issued after its effective date to clarify how they comply with or deviate from the Data Law, ensuring a clear understanding of implementation requirements.

Looking Ahead

The Data Law explicitly recognizes that data is a resource that state policies will mobilize and develop into assets. This has the potential to pave the way for many data-related businesses in the future and offers promising opportunities for tech companies with a strong focus on data.

The Data Law recognizes the importance of data in the digital age and highlights Vietnam’s commitment to fostering a secure and innovative data environment. However, the scope and applicability of the Data Law, especially those overlapping with other existing laws or regulations, are still ambiguous, as discussed above. Thus, it remains to be seen how legislators will address these issues in the future.


Related Professionals
Hien Thi Thu Nguyen
+84 24 3772 5594
Quang Minh Vu
+84 28 6284 5661
Tram Ngoc Bich Nguyen
+84 28 6284 5668