The First Data Law of Vietnam

On 30 November 2024, the National Assembly of Vietnam officially issued the country’s first Data Law (the Data Law), which will come into force on 1 July 2025. The Data Law governs, among others, digital data, data products and services. The Data Law applies to all Vietnamese agencies, organisations and individuals, and foreign agencies, organisations and individuals in Vietnam. It also extends its scope of application to offshore entities that are directly engaged in or related to digital data activities in Vietnam. Given its broad applicability, the Data Law is expected to have a significant impact on businesses involved in digital data activities in Vietnam. In this legal update, we would like to highlight key points under the Data Law. 

1. Provision of data to the State agencies

The Data Law encourages onshore and offshore organisations and individuals to provide data under their ownership to the State agencies. However, there are certain circumstances in which organisations and individuals must provide data upon request from relevant authorities without the consent of data subjects. These circumstances include:

(a) Responding to emergencies;

(b) When there is a threat to national security, but not to the extent of declaring a state of emergency;

(c) Disasters; and

(d) Preventing and combating riots and terrorism.

Upon receiving data, the relevant State agencies have the following responsibilities:

(a) To use data for the right purposes;

(b) To ensure data security, safety, data protection, and other legitimate interests of data subjects, organisations, and individuals providing data, in accordance with the laws;

(c) To destroy data immediately when it is no longer needed for the requested purpose and notify the data subject, organisation or individual that provided the data; and

(d) To notify the storage and use of data upon request of the organisation or individual that provided the data, except in cases of protecting state secrets or work-related secrets.

However, the Data Law currently lacks clarity on the scope of data that can be requested, leading to the potential interpretation that all digital data, including business secrets, may be subject to disclosure upon request. As a result, businesses may face a dilemma in balancing their legal obligations with the need to protect sensitive information. 

2. Cross-Border Data Transfer and Processing 

Under the Data Law, when transferring and processing important data and core data across borders, such transferring and processing must satisfy certain requirements, including ensuring national defence, security, and protecting national interests, public interests, as well as the rights and legitimate interests of data subjects and data owners in accordance with the laws and international treaties to which Vietnam is a signatory (Requirements for Cross-border Transferring and Processing). 

Transferring and processing important data and core data across borders can be done through any of the following methods:

(a) Transferring data stored in Vietnam to data storage systems located outside the territory of Vietnam;

(b) Vietnamese agencies, organisations and individuals transferring data to foreign organisations and individuals;

(c) Vietnamese agencies, organisations and individuals using platforms outside the territory of Vietnam to process data.

It should be noted that:

(a) Important data is defined as data that can impact national defence, security, foreign affairs, macroeconomics, social stability, health, and public safety on the list issued by the Prime Minister.

(b) Core data is defined as important data that directly impacts national defence, security, foreign affairs, macroeconomics, social stability, health and public safety on the list issued by the Prime Minister.

It remains unclear at this stage which specific data qualifies as important or core data, as the relevant list has yet to be issued by the Prime Minister. Additionally, businesses may find it challenging to determine how to comply with the Requirements for Cross-border Transferring and Processing, given the broad and undefined nature of these requirements.

3. Introduction of data products and services 

The Data Law introduces the following data-related products and services:

(a) Data intermediary products and services;

Data intermediary products and services mean products and services aimed at establishing a commercial relationship between data subjects, data owners and users of products and services through agreements for the purpose of exchanging, sharing, accessing data, and exercising the rights of data subjects, data owners and data users.

(b) Data analysis, synthesis products and services; 

Data analysis and synthesis products are the result of the process of analysing and synthesising data into useful in-depth information at different levels according to the requirements of the product users. Data analysis and synthesis services are the activities of analysing and synthesising data according to the requirements of the service users.

(c) Data trading floor; 

Data trading floor is a platform providing data-related resources to serve research, startup development, innovation; providing data-related products and services to serve socio-economic development; is an environment for trading and exchanging data and data-related products and services.

(d) Electronic authentication services. 

Electronic authentication service performs data authentication in national databases, specialised databases, and identification systems. 

While products and services specified in items (a) and (b) above may be provided by private entities, products and services outlined in items (c) and (d) can only be provided by public service units and state-owned enterprises. 

Organisations providing data intermediary products and services must be registered and managed in accordance with the law on investment, unless the provision is limited to internal use within the organisation. Organisations providing data analysis, synthesis products and services that may pose a threat to national defence, security, social order and safety, social ethics, or public health must be registered and managed in accordance with the law on investment. 

4. The Data Law and the Draft Personal Data Protection Law (PDPL)

The Data Law is distinct from the PDPL, which is still in its draft form. The PDPL primarily focuses on personal data, defined as data in the form of symbols, letters, numbers, images, sounds or a similar form in the electronic environment associated with a specific person or assisting in the identification of a specific person. Meanwhile, the Data Law regulates digital data, which is data about objects, phenomena, events, including one or a combination of sounds, images, numbers, writing, symbols expressed in digital form. Unlike the PDPL, the Data Law covers a broader range of data types, not limited to personal data.

Click here to download: Legal Update - The First Data Law of Vietnam

This material provides only a summary of the subject matter covered, without the assumption of a duty of care by Frasers Law Company.
The summary is not intended to be nor should be relied on as a substitute for legal or other professional advice.