Vietnam's new Law on Data

This client alert provides an overview of the Law on Data, focusing on the key provisions that may affect local and foreign businesses offering data services, or otherwise involved in data-related activities, in Vietnam.

Key takeaways

1. Scope of application

The Law on Data governs digital data-related activities with the focus on:

• digital data management;
• construction, management and operation of the National Data Centre and the National General Database;
• digital data products and services; and
• the rights, obligations and responsibilities of relevant agencies, organizations and individuals regarding digital data.¹

The Law on Data applies to:

• Vietnamese agencies, organizations, and individuals;
• foreign agencies, organizations, and individuals in Vietnam; and
• foreign agencies, organizations, and individuals directly participating or otherwise involved in digital data activities in Vietnam.²

      2. Broad definition of “digital data”

"Digital data" is defined under the new Law as "data about objects, phenomena, or events, comprising one or a combination of audio, visual, numerical, written, or symbolic forms expressed in digital format."³ This broad definition covers any information recorded or represented in digital format, including personal and non-personal data, such as business data.

The Law on Data will complement, and apply in conjunction with, the Personal Data Protection Decree and other data privacy related rules that may be enacted subsequently.

3. Recognition of “property rights” of data owners

The Law on Data establishes for the first time, an express “property right” of data owners over their data, with broad consequences resulting from generally applicable provisions of the Civil Code which apply to property rights.⁴ For example, Articles 105 and 115 of the Civil Code provide that property rights are a type of asset having monetary value. Article 450 of the Civil Code allows for the purchase, sale, and transfer of ownership of property rights. Accordingly, data owners will have the right to sell, transfer, or otherwise commercially use their data and take anti-infringement measures to legally protect their data. Pending further guidance on the Law on Data to be provided in an implementation decree, a draft of which was made publicly available on 16 January 2025, there is still significant ambiguity regarding the precise scope and limitations of the property rights of data owners. For example, it is unclear how the Law on Data will apply to emerging AI technologies which use and incorporate data without permission from data owners.

4. Cross-border transfer and processing of “important data” and “core data”

The Law on Data introduces two new legal concepts for classifying data:

• "Important data" is defined as data that can potentially impact national defence, security, foreign affairs, macroeconomics, social stability, and health and public safety pursuant to lists to be promulgated by the Prime Minister;⁵ and
• "Core data" is defined as important data that directly impacts national defence, security, foreign affairs, macroeconomics, social stability, health, and community safety pursuant to lists to be promulgated by the Prime Minister.⁶

The Law on Data regulates cross-border transfer and processing of important and core data in the following circumstances:⁷

• transfer of such data stored in Vietnam to storage systems outside Vietnamese territory;
• transfer of such data from Vietnamese agencies, organizations and individuals to foreign individuals and entities; and
• use of overseas platforms by Vietnamese agencies, organizations and individuals for processing such data.

In principle, cross-border data transfers and any processing of data from Vietnam must not affect the country’s national defence, security, national interests, public interests, or the legitimate rights of data subjects and owners. Further details and guidance on these requirements have yet to be determined by the Government.⁸

5. Mandatory risk assessments

Data administrators⁹ of important data and core data must periodically conduct risk assessments of their data processing activities, and notify specialized task units on cybersecurity and information security of the Ministry of Public Security, the Ministry of National Defence and other relevant authorities for coordinated implementation of data safety and security protection. Further details and guidance on these requirements have yet to be determined by the Government.¹⁰

6. Data-related products and services

The Law on Data does not provide any specific definition of “data-related products and services” , but recognizes the following as data-related products and services within its ambit:¹¹

• data intermediary products and services;
• data analysis and synthesis products and services; and
• data platforms provided by eligible public units or state enterprises.

Depending on the specific nature of the products or services in question therefore, they may be subject to registration or licensing requirements as stipulated under the Law on Data and its forthcoming guiding decree.

7. Establishment of the National General Database and the National Data Centre

The Law on Data provides the legal basis for the establishment of a National General Database under the management of the National Data Centre in Vietnam. The National Data Centre is scheduled to be launched by the end of 2025,¹² with the mission of managing data integration for the National General Database, ensuring data quality and protection, and facilitating international cooperation, with implementation details to be specified by the Government.¹³ Data derived from administrative procedures, public services, and other public databases will be collected, updated and integrated into the National General Database. Access to the National General Database is granted to government entities for their official duties, to data subjects for access to their own personal data, and to others for open data¹⁴ or with consent from the National Data Centre for other data types.

Conclusion

The Law on Data expands materially the scope of regulation of data in Vietnam. In particular, it introduces several important concepts and imposes new compliance obligations in respect of a broad domain of data, encompassing business, non-personal as well as personal data. While further guidance and clarification from the Government are still needed for its effective implementation, should you wish to discuss or understand more fully whether your business could be impacted by this new Law on Data, do reach out to any of the authors or Contacts.

Authored by Gaston P. Fernandez, Duong Pham, and Giang Nguyen.