Vietnam: Fast-tracked Data Law sets out new data regime

19 Dec 2024    4 minute read
Data Law

In brief

On 30 November 2024, the National Assembly officially passed the Law on Data ("Data Law"). The primary purpose of this legislation is to systematically develop national data governance and establish a cohesive regulation framework for Vietnam's digital advancement. 

The new Data Law will take effect on 1 July 2025.

Contents

Key takeaways

The Data Law was officially released for public comments in July 2024, and it was fast-tracked to be issued in less than six months. The previous public versions of the Data Law contain a number of issues that overlapped or were inconsistent with existing laws. Compared to those versions, the newly approved version has been updated substantially. Given the short timeline for the issuance of this law, many issues are assigned to the government for further clarification and guidance.

1. Scope of application

  • The Data Law regulates: digital data; the National Data Center; the National Comprehensive Database; digital data products and services; digital data management; and the rights, obligations and responsibilities concerning digital data of relevant agencies, organizations and individuals.
  • "Digital data" is a new concept, defined as "data about objects, phenomena, or events, comprising one or a combination of audio, visual, numerical, written, or symbolic forms expressed in digital format" (hereinafter referred to as "Data"). 

Under this definition, Data may broadly encompass both personal and non-personal data.

2. Data-related entities

  • The Data Law introduces several new concepts: 
    • "Data subjects" are agencies, organizations or individuals that are reflected by data. 
    • "Data owners" are entities with decision-making authority regarding the development, protection, governance, processing, usage and value exchange of their owned data. 
    • "Data administrators" are agencies, organizations or individuals that conduct data development, management, operation and/or exploitation activities as required by data owners.

3. State agencies' power concerning Data

  • Organizations and individuals must provide data to state agencies upon authorized request, even without the data subject's consent, in the following specific circumstances: emergency response; threats to national security that are yet to be a state of emergency; disasters; and prevention and control of riots and terrorism.
  • Competent state agencies may apply measures to decrypt data without the consent of the data owner or data administrator in special cases such as states of emergency; responding to threats to national security that are yet to be a state of emergency; disasters; and for anti-riot and anti-terrorism purposes upon requests from competent authorities. Further details will be provided by the government.

4. Requirements concerning important data and core data

  • The Data Law introduces two new concepts:
    • "Important data" is data that can impact national defense, security, foreign affairs, macroeconomics, social stability, and health and public safety under the lists issued by the prime minister. 
    • "Core data" is defined as important data that directly impacts national defense, security, foreign affairs, macroeconomics, social stability, health, and community safety under the lists issued by the prime minister.
  • The Data Law regulates the following types of transfers of important data and core data:
    • Transfer of data stored in Vietnam to storage systems outside Vietnamese territory.
    • Transfer of data from Vietnamese entities/organizations/individuals to foreign entities.
    • Use of overseas platforms by Vietnamese entities/organizations/individuals for data processing.
  • The law establishes general principles requiring cross-border data transfers to ensure national defense, security, national interests, public interests, and legitimate rights of data subjects and owners. The government will formulate detailed regulations regarding this matter.
  • Data administrators of important data and core data must periodically conduct risk assessments for such data processing activities and notify specialized units on network security and information security of the Ministry of Public Security and/or Ministry of National Defense, to coordinate in implementing data safety and security protection.

5. Data-related products and services

  • Data intermediary products and services: Data intermediary services will be subject to registration requirements per investment laws. This will be regulated in the government's further guidance of the law.
  • Data analysis and synthesis products and services: Providers of data analysis and synthesis products and services that may harm national defense, national security, social order and safety, social ethics and public health must be registered per investment laws. If such services are connected to national databases and sector-specific databases, they will also be subject to further regulations. This will be regulated in the government's further guidance of the law.
  • Data exchange: The Data Law provides a legal basis for the establishment of data exchanges by eligible public units or state enterprises.

Conclusion

The swift issuance of the Data Law has demonstrated the new administration's active legislative approach. Given that the effective date of 1 July 2025 is fast approaching, the government will soon start drafting the decree(s) guiding the Data Law. Companies should be on the lookout for these drafts and provide comments to advocate for sound policies where appropriate.

* * * * *

Tuan Linh Nguyen, Government Affairs Manager contributed to this legal update.

Contact Information
ManhHung Tran
Partner
Hanoi
tmh@bmvn.com.vn
Huu Tuan Nguyen
Special Counsel
Hanoi
Read my Bio
huutuan.nguyen@bmvn.com.vn
Huyen Minh Nguyen
Associate
Hanoi
Read my Bio
huyenminh.nguyen@bmvn.com.vn
Thu Minh Le
Associate
Ho Chi Minh City
Read my Bio
thuminh.le@bakermckenzie.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.