Vietnam's data protection laws: The basics and beyond

Vietnam recently drew international attention because of its strategic position in the China-U.S. trade war and U.S. President Donald Trump's tariff policies. At the same time, the country is rapidly undergoing major internal changes from the top down, with mergers of major ministries and municipalities nationwide.

With President Lương Cường's military and public security background, the government is moving at an unprecedentedly fast pace to develop and enact new regulations. Several big data protection regulations have passed in the last three years, and at least five more are anticipated in 2025.

Both multinational companies and local privacy experts are scrambling to keep up and make sure they're following all the new regulations.

Laws abound, regulators around

Navigating Vietnam's data protection legal framework is no easy task since the requirements are scattered in several legislations. Vietnam did not have its own comprehensive set of rules to regulate data protection until 2023's Decree 13 on Personal Data Protection. Given its status as a government's decree, previous National Assembly's laws still prevail over it, causing some confusion and inconsistency in the framework.

Unlike the EU and many other countries, Vietnam does not have any independent data protection authority. Instead, the power to enforce data protection laws is currently divided among different authorities via different legislations.

The Personal Data Protection Decree, 2024 Data Law and 2018 Cybersecurity Law are enforced by the Department of Cybersecurity and High-tech Crime Prevention within the Ministry of Public Security and the Ministry of National Defense.