Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

Vietnam recently drew international attention because of its strategic position in the China-U.S. trade war and U.S. President Donald Trump's tariff policies. At the same time, the country is rapidly undergoing major internal changes from the top down, with mergers of major ministries and municipalities nationwide.

With President Lương Cường's military and public security background, the government is moving at an unprecedentedly fast pace to develop and enact new regulations. Several big data protection regulations have passed in the last three years, and at least five more are anticipated in 2025.

Both multinational companies and local privacy experts are scrambling to keep up and make sure they're following all the new regulations.

Laws abound, regulators around

Navigating Vietnam's data protection legal framework is no easy task since the requirements are scattered across several pieces of legislation. Vietnam did not have its own comprehensive set of rules to regulate data protection until 2023's Decree 13 on Personal Data Protection. Because it is a government decree, earlier National Assembly laws still prevail over it, causing some confusion and inconsistency in the framework.

Unlike the EU and many other countries, Vietnam does not have any independent data protection authority. Instead, the power to enforce data protection laws is currently divided among different authorities under different pieces of legislation.

The Personal Data Protection Decree, 2024 Data Law and 2018 Cybersecurity Law are enforced by the Department of Cybersecurity and High-tech Crime Prevention within the Ministry of Public Security and the Ministry of National Defense.

The 2023 Law on Protection of Consumer's Rights is enforced by the Vietnam Competition Commission, governed by the Ministry of Industry and Trade.

The Ministry of Information and Communications enforces the Information Technology Law and the Law on Cyber Information Security. However, given the recent merger of the MIC into the Ministry of Science and Technology, the MIC's functions — with the exception of data protection — have been absorbed by the latter. The data protection requirements under these laws now have no clear enforcement authority.

Other industry-specific regulations include the Law on Telecommunications under the purview of the Vietnam Telecommunications Authority and bank secrecy standards overseen by the State Bank of Vietnam.

Global ties, local vibes

Local lawmakers have consistently maintained a good habit of referencing other countries' data regulations, usually those of the European Union, China, the U.S., and South Korea. Global concepts and requirements have been adopted, but never fully since lawmakers need to ensure harmony with domestic settings. The finished products give a telltale international vibe with various local twists.

IT Law, 2006, and LOCIS, 2015. These laws were enacted before the EU General Data Protection Regulation set a global standard in 2018, so nothing locally unique should be expected here. Issued in 2006, the IT Law marked the country's first milestone in data protection with two provisions dealing with collection of personal information in cyberspace, bases for processing and information subject's rights.

About 10 years after the IT Law, the LOCIS was issued to address various growing issues, including more detailed requirements for personal information processing and protection of information systems.

Together these two laws provide a general framework for Vietnam to regulate "personal information," laying the foundation for later data protection rules. However, these pre-GDPR laws should be rendered obsolete soon given the upcoming changes. The MIC — the main enforcer of both laws — has effectively ceased to exist; and the MPS recently announced its plan to merge the Cybersecurity Law and LOCIS into one unifying law, solidifying its position as the key cybersecurity regulator.

2018 Cybersecurity Law. Enacted just one year after China's Cybersecurity Law rolled out, Vietnam's Cybersecurity Law shares several similarities with its counterpart. Banned activities — such as posting fake news or content harmful to national security — critical infrastructure, data localization, data protection and data breaches are covered under this law.

The law is well known for its broad data localization requirement, applicable to virtually any domestic or foreign online service providers operating in Vietnam. Needless to say, this requirement was unwelcome to almost all foreign businesses in Vietnam, causing various industries and even the U.S. to heavily oppose it. The local government later conceded and issued a decree to narrow the requirement's scope to offshore providers of 10 specific types of service that meet a list of conditions.

PDPD, 2023. As Vietnam's first comprehensive personal data regulation, the PDPD substantively mirrors the GDPR, with highly similar data protection principles, classification of relevant entities — controller, processor and third party — and data subject rights.

However, the PDPD contains numerous local elements. Unlike the GDPR, the PDPD does not recognize the "legitimate interest" basis, but sets out limited legal bases for processing data without consent. It also stipulates troublesome consent requirements, namely granularity — data subjects can consent to specific uses of their data separately — potential partial consent by data subjects and a long list of mandatory information to be provided to the data subjects when obtaining consent.

Most notably, many international companies struggle with the PDPD's unclear rules for preparing impact assessments of data processing and overseas data transfer, which are required to be submitted to the Department of Cybersecurity and High-tech Crime Prevention. The PDPD also introduces a new mechanism for data breach notification, which covers not only actual data breaches, but any violation of any requirements under the PDPD. The department serves as both the receiving authority of the data breach notifications, as well as the main enforcer of the PDPD.

Consumer Law, 2023. A few months after Vietnam's government issued the PDPD, the National Assembly issued the Consumer Law, introducing a protection regime for "consumer information" — a term that covers not only a consumer's personal information, but also nonpersonal information related to the transactions between consumers and traders.

What can be troublesome and confusing is that the Consumer Law contains numerous divergences from the PDPD, including:

  • Providing customers with a different scope of mandatory information in the privacy notice.
  • Requiring consumer consent when a trader engages with a third party to process consumer information without providing other legal bases for lawful processing without consent.
  • Requiring traders to obtain consumers' consent at the same time as giving the privacy notice.
  • Stipulating an unclear data breach notification regime that does not align with the existing framework.
  • Omitting timeframe requirements for traders to comply with consumers' data requests.

The Consumer Law generally requires companies to apply the same personal data protection standards to nonpersonal data. It ranks higher than the PDPD in the legislative hierarchy, so it prevails over the decree in case of inconsistencies. This makes it challenging for consumer-facing companies, as they struggle to ensure compliance with both regulations simultaneously.

The scope of the Consumer Law is excessively broad. While the California Consumer Privacy Act's scope and applicability are limited to businesses meeting high thresholds, the Consumer Law applies to any and all companies that trade with consumers. This gives local enforcers, notably the VCC and MOIT, the power to enforce the law against offshore service providers.

Data Law, 2024. This is Vietnam's most recent law on data protection; its legislation process must be one of the fastest in the past five years. It only took nine months — from February to November 2024 — to be enacted, marking the country's major shift in quickly making laws.

The Data Law appears to be Vietnam's direct and prompt reaction to the enactment of the EU Data Act. However, the Data Law and the EU Data Act differ in focus. Vietnam's law covers both personal and nonpersonal data and emphasizes the protection of national security, and interests and rules for unregulated services and products.

Particularly, it: recognizes ownership of data, for the first time ever; provides the basis for the government to impose a licensing mechanism when it comes to transferring "core data" and "important data" across Vietnam's borders; justifies governments' data requests in cases of emergency, threat to national security, etc.; and lays out the groundwork to regulate data-related services, namely data floor, data intermediary and data synthesis and analysis — artificial intelligence-related.

The law deals with basic issues of data protection, including access, collection, quality, classification, storage, management, publication and encryption. The Data Law's requirements are generic, as they are drafted in a way that gives the government and MPS ample flexibility to elaborate in subsequent guiding instruments. The law's key regulators are the MPS and MND.

On the lookout: More rules rolling out

Since last year, Vietnam lawmakers have been actively finalizing various data protection laws and are determined to meet the deadlines of their ambitious schedule.

Three regulations are on track to be enacted by the end of June.

Law on Personal Data Protection. The MPS has long planned for the development of the PDPL, which will serve as an upgraded version of the PDPD, and more importantly, takes precedence over existing legislation as a law. Compared to the PDPD, the PDPL introduces more requirements for certain sectors and a basis to apply GDPR-like fines against offenders.

Law on Digital Technology Industry. The DTI Law, for the first time, provides general rules for artificial intelligence and AI-related subjects. The law will also contain several requirements on digital data.

Guiding Instruments for Data Law. This law simply lays out a foundation without elaborating any substantive requirements. The MPS contemplated such elaborations to be provided under several decrees, notably a decree to guide important and core data issues, a decree to regulate data-related products and services, and a prime minister's decision on core and important data. All these instruments are set to be issued soon to meet the Data Law's effective date of 1 July 2025.

Alex Do is an IPTech executive cum patent coordinator at BMVN International, in alliance with Baker McKenzie Vietnam.