Vietnam’s new Data Law to come into effect 1 July 2025: Allen & Gledhill

26 December 2024

On 30 November 2024, Vietnam’s National Assembly passed the Data Law, which will come into force on 1 July 2025. The Data Law aims to provide a regulatory framework for digital data-related business activities and to foster the growth of Vietnam’s digital data economy.

This article provides an overview of the Data Law.

Scope

The Data Law regulates the development, protection, processing, management, and use of digital data and the products and services of certain digital data-related business activities. It further provides for the establishment of the National General Database within the National Data Centre. The Data Law applies to agencies, organisations, and individuals involved in digital data activities in Vietnam, including foreign-invested enterprises. The Data Law is not expressed to have extraterritorial effect, but it remains to be seen how the authorities will construe the scope and application of its provisions extra-territorially.

The Data Law is intended to be read alongside (and does not supersede) other data-related laws, such as the Law on Cybersecurity, the Law on Electronic Transactions, and the Personal Data Protection Decree.

Digital data (or “Data”) under the Data Law is defined widely to mean the data of things, facts, and events, including a single form or a combination of sounds, images, numbers, writing, and symbols which are represented in digital form. This means that the scope of the “Data” under the Data Law covers not only personal data, but also other datasets such as business data.

A substantial portion of the Data Law relates to the responsibilities and rights of state agencies, ministries, and organisations, or the obligations arising in connection with the government-managed National Data Centre. This Alert will focus primarily on how the Data Law will affect private organisations.

Data processing and data-related activities

The Data Law defines “data processing” to mean the process of receiving, converting, structuring the data, and other data-related activities to serve the operation of organisations, entities, and individuals. The Data Law also sets out general principles in connection with certain data-related activities, such as data collection and creation, quality assurance, classification, storage, administration and management, access and retrieval, connection, sharing and allocation, analysis and synthesis, verification and authentication, disclosure, encryption and decryption, protection, and deletion and destruction. The Data Law further provides that the Government will be providing detailed guidance and regulations on such data-related activities in the future. The wide scope of the Data Law means that most actions taken in respect of digital data will fall within the purview of the Data Law. It remains to be seen how such activities will be regulated.

Regulation of prescribed data products and services

The Data Law also sets out certain principles and general requirements in relation to the provision and use of data products and services of data intermediary activities, data analysis and synthesis, certain forms of electronic authentication of data used in connection with the National General Database, and the operation of data exchanges. The Data Law further provides that the Government will, in due course, provide detailed guidance and regulations on the provision and use of these products and services, and these may include licensing, technical, and personnel requirements.

Government data requests

Under the Data Law, organisations and individuals are generally encouraged to provide data in their possession to government entities. Further, the Data Law provides for situations where organisations and individuals are required to provide data to government entities upon request, namely (i) to respond to a public emergency, (ii) to respond to a national security risk which does not require the declaration of a state of emergency, (iii) in the event of a disaster, and (iv) to prevent and/or combat acts of riot or terrorism. The Data Law imposes obligations on governmental entities in relation to the use, protection, and destruction of data received pursuant to such requests.

Cross-border transfer and processing of Important Data and Core Data

The Data Law provides for definitions of “Important Data” and “Core Data”.

The term “Important Data” is defined as “data that can affect national defence and security, foreign affairs, macroeconomics, social stability, and public health and safety in Vietnam, which will be prescribed in a list to be issued by the Prime Minister”.

The term “Core Data” is defined as “important data that can directly affect national defence and security, foreign affairs, macroeconomics, social stability, and public health and safety in Vietnam, which will be prescribed in a list to be issued by the Prime Minister”.

The Data Law regulates the “cross-border transfer and processing” of Core Data and/or Important Data. Under the Data Law, the “cross-border transfer and processing” of Core Data and/or Important Data includes:

transfer of data stored in Vietnam to a storing system located outside Vietnam;
transfer of data by Vietnamese organisations, entities, and individuals to foreign organisations, entities, and individuals; and
processing of data by Vietnamese organisations, entities, and individuals using platform outside Vietnam.

Entities undertaking such activities must ensure that safeguards are put in place to protect national security and defence, national and public interest, and the rights and interests of data subjects and owners. The Data Law also states that the Government will provide detailed guidance and regulations on these matters in the future.

Establishment of National General Database within the National Data Centre

The Data Law provides for the establishment of the National General Database under the auspices of the National Data Centre. The establishment of the National Data Centre was mandated by Resolution No. 175/NQ-CP, issued on 30 October 2023. The National Data Centre is expected to be operational in 2025.

The National General Database will integrate information from administrative procedures and public services and data synchronised from other databases, and will be accessible to both the private and public sectors.