Key Highlights Of Vietnam New Data Law

A new Data Law, passed in late November 2024 and set to take effect on 1 July 2025, focuses primarily on establishing a national general database and data centre for state use. However, it also introduces rules on digital data (data in the rest of this article) that concerns the private sector, such as, data products and services. The Government is also drafting three draft decrees detailing key issues under the Data Law, including Data-Related Products & Services Draft Decree, Core & Important Data Draft Decree and a Master Draft Decree.

This blog will discuss several key points under the Data Law and related draft decrees. This post is written by Ha Thanh Phuc and Trinh Phuong Thao.

1)          The police will review and supervise your data activities

The Ministry of Public Security (MPS) again is authorized to regulate all activities relating to data except for data under the Ministry of Defence. Accordingly, it seems that Vietnam considers data as security issue and violation of data activities could result in significant liabilities. This could raise significant compliance costs for businesses and companies in Vietnam if they want to be fully comply with unclear rules (see discussion below).

1)          Conditional Business Lines

Amendments to the Investment Law 2020 in late 2024 now require businesses involved in (i) data intermediary products and services, (ii) data analysis and synthesis, or (iii) data platform services to meet certain conditions. The Data Law suggests that:

a. data platform services may be restricted to state enterprises and public providers, potentially excluding private companies; and

b. only providers of data analysis and synthesis services that potentially harm national defence, national security, social order, safety, social ethics, or public health, which have been detailed under the Data-Related Products & Services Draft Decree, will be subject to these conditions.

Under the Data-Related Products & Services Draft Decree, businesses in these sectors are subject to strict requirements. Notably, all such businesses must maintain an escrow of at least 5 billion VND at a Vietnamese commercial bank to cover compensation and expenses in the event their licenses are revoked.

2)          Core data and important data

Transferring "core data" (i.e. data directly affect national defence and security, foreign affairs, macroeconomic situations, social stabilization, community health and safety) and “important data” (i.e. data potentially affect those areas) overseas will require compliance with regulations designed to protect national security, public interest, and the legitimate rights and benefits of data subjects. The recent draft decrees of the Government introduce several critical provisions related to core data and important data, including:

  • Broad scope of core and important data: A wide range of data falls under this classification, including basic personal data of 1 million people or more (as important data);

  • Non-exhaustive list of core data: The Core & Important Data Draft Decree seems to not provide a definitive list of core data. Instead, it includes a catch-all category for “other unpublished data in state management activities,” leaving substantial discretion to the competent authority.

3)          Strict requirements for cross-border data transfers

Enterprises transferring core and important data (including personal data) across borders must (i) conduct a self-assessed risk evaluation; and (ii) submit a cross-border data transfer impact assessment report. Unlike Decree 13/2023 and Draft PDPL, where submitting an impact assessment report is merely procedural, the Master Draft Decree imposes a stricter approval mechanism, specifically:

  • Core data can only be transferred if the enterprise receives a “pass” result from the competent authority after submission; and

  • Important data may be transferred only if the competent authority does not issue a rejection within five days of submission.

Furthermore, data owners of core or important data and data administrator will have to comply with regulations on protecting those data to be issued by the Government.

4)          Confusing concept of data owner

The Data Law introduces the concept of data owner, which is a person who has the rights to decide on the construction, development, protection, administration, processing, use, and exchange of the value of data such person owns (such rights, Data Owner Rights). It is unclear that to be a data owner whether (i) one will have to have both ownership of and also the Data Owner Rights over the data or (ii) simply having the Data Owner Rights makes one the owner of the data.

The second interpretation seems to be the reasonable reading of the law. This is because ownership of data is a problematic concept that, if applied, will raises practical and legal problems. Both Decree 13/2023 and the Draft PDPL do not recognize the ownership right of data subject toward its personal data. Under the Civil Code 2015, if one owns a thing, one can possess, use, and dispose of it to the exclusion of others. Accordingly, if a person "owns" a list of names under the Data Law, would that affect the rights of individuals on the list to use their own names?

That said, the second interpretation is not without problem as it is still not clear on what basis one can have or originate the Data Owner Rights.

5)          Unclear if trading of personal data is permitted

Under the Data Law, data prohibited from trading includes (i) data that poses a threat to national defense, security, foreign affairs, or cryptographic operations; (ii) data without the consent of data subject, unless otherwise prescribed by laws; and (iii) other data prohibited from transactions as stipulated by law. Based on this wording, it seems that personal data trading is prohibited since both Decree 13/2023 and the Draft PDPL expressly prohibit trading of personal data in any form, (placing it under category (iii)). The MPS, in a conference, further confirmed that the data subject’s consent does not serve as a legal basis for personal data trading.

However, in a recent public statement concerning data platforms, the MPS seems to take a different view, suggesting that personal data may be traded on data trading platforms if the data subject consents. This position seems to contradict existing regulations, creating uncertainty over the legal framework for personal data transactions.

6)          Potential overlaps with other laws

Given its broad scope, the Data Law governs nearly all activities related to digital data, including personal data, leading to potential overlaps with other laws, particularly those regulating personal data. While the Data Law attempts to address these overlaps, its provisions on this matter remain unclear:

  • For laws enacted before the Data Law: If their provisions do not conflict with the “principles” of the Data Law, they will prevail. However, it is unclear whether “principles” refer specifically to those principles outlined in Article 5 of the Data Law or if the term refers broadly to any provision of the Data Law.

  • For laws enacted after the Data Law: If inconsistencies arise, it must be explicitly determined which provisions will apply under the Data Law and which will follow the new law. This principle raises concerns about potential power conflicts among competent authorities, as different interpretations may lead to disputes over which regulations take precedence.

Info
Written by Nguyen Quang Vu On In ,