29 sierpnia 2024 Alex Roberts - Adrian Fisher - Alaister Johnson DigiLinks

Vietnam’s Draft Data Law: Key Takeaways for Multinational Companies

Vietnam is refining its data management and security regulatory landscape with the introduction by the Ministry of Public Security (MPS) of a proposed new Data Law.

Now out for public comment, if enacted in its current form, the Data Law will significantly impact multinational companies operating in or with Vietnam. We have provided an overview of some of the key points below.

What is the purpose of the Draft Data Law?

Ultimately, the purpose of the Data Law is to foster innovation and growth of Vietnam’s data economy. The main goals of the new law include:

Establishing a National Data Centre: This move will create a national database under the government’s management. This database will be accessible to both the public and private sectors under specific conditions, including the National Data Centre’s approval and/or consent of the data subject.
Better regulating data intermediary services and the data market: Data intermediary services have been lightly regulated in Vietnam for a long time. The proposed Data Law is considered to be a solution towards tackling the illegal sale of personal information in the country.

However, various obligations (e.g. those related to data management and security for entities and individuals) are also included in the current draft. Some of these may be covered by existing Vietnamese laws. These requirements, if included in the final version of the Data Law, will duplicate existing rules and cause confusion for multinationals’ compliance efforts.

What are the in-scope data processing activities?

Definition of “data”: The draft Data Law defines “data” as the digital representation of behaviours, objects, events and information, including sounds, images, numbers, writing, symbols, or similar forms. This definition creates uncertainty about whether the Data Law pertains solely to digital activities or also extends to offline data (i.e. data in a physical scenario).
Definition of “data processing activities”: Compared to previous Vietnamese regulations (e.g. Law on Cybersecurity and the Personal Data Protection Decree), the draft Data Law introduces a broad range of definitions for various data processing activities. These activities include data sharing, coordination, analysis, verification, authentication, disclosure, access, retrieval, encryption, decryption, copying, transmission, transfer, withdrawal, deletion, and destruction. While removing ambiguity on one hand, on the other hand, the breadth of these definitions shows the intent of the MPS to regulate widely the use of data in business, government and beyond.

Extraterritorial application

The proposed Data Law applies to agencies, organisations and individuals involved in data activities in Vietnam. The drafting does not expressly extend the application of the Draft Data Law to organisations outside of Vietnam, but that is the market’s expectation based on the country’s legislative trend. Multinationals are known to be pressing the MPS for clarity.

Mainland China

The draft Data Law includes several clauses that are heavily influenced by recent data regulations released in mainland China.

Specifically, the proposed security assessment and approval process for data exports from Vietnam has similar requirements to those under China’s Measures for Security Assessment for Outbound Data Transfer. If retained, these terms – as we discuss below – will present a burdensome process for both organisations and regulators. Indeed, if commentary from many international business stakeholders in mainland China is believed, these regulatory playbooks may impede development of Vietnam’s digital economy.

Other articles of the draft Data Law provide a supervisory hierarchy similar to that formulated under China’s data laws: multiple authorities are challenged to find a balance between national security and economic considerations. Multinationals’ experience tends to be that a multi-authority approach poses a challenge for sustaining a business-friendly environment, particularly in already heavily regulated sectors like financial services.

Cross-border data transfers

Core data and important data

Cross-border data transfers are subject to stricter regulation under the proposed Data Law, particularly for two newly-formed categories of “core data” and “important data”.

Core data is defined as data with extensive coverage across various sectors, groups, and regions that can directly impact political security if misused. This encompasses data related to national security, crucial economic activities, essential public services, and other sensitive areas specified by national agencies.
Important data includes information that, if compromised, can endanger national security, economic operations, social stability, and public health.

These concepts will be exceptionally familiar to businesses tracking the evolution of China’s Data Security Law. However, extrapolating from learnings in other jurisdictions, these concepts are exceptionally difficult to define. In the worst case, formulating appropriate catalogues of data may – even if only a matter of perception and not the reality – lead to a subjective or politicised classification as opposed to one that is made objectively by industry-experts from (for instance) the relevant industry regulators. The uncertainty that will inevitably arise will affect investors’ investment strategies.

Data export requirements

Exporting core data or important data requires approval from the relevant authorities (such as the Prime Minister's Office or the MPS), and either passing a government-led security assessment or signing a prescribed standard contract. None of these requirements are clearly or fully set out in the proposed law and businesses await implementation rules to clarify each of these frameworks:

Security assessment: Drawn from a precedent framework under the Measures for Security Assessment for Outbound Data Transfer in Mainland China, the resulting provisions do not clearly define how to assess “the risks that data provision and transfer activities may bring to national security, public interests…”. This ambiguity could impose significant compliance burden on multinational companies, potentially disrupting business operations if not managed efficiently. For instance, since the security assessment framework has come into effect on 1 September 2022 in China, until 8 May 2024, only 206 out of 262 submitted security assessments have been fully or partially approved.
Standard contracts: Though the standard contract is listed as one means of legitimating data exports, currently the Draft Data Law does not provide any details on the necessary contractual terms. Operators of cross-border businesses cannot yet assess, or plan for, the impact on their existing intragroup and third-party transnational contracts.

Government data requests

The draft Data Law grants government entities the power to request data from entities and individuals in “special cases”, such as public emergencies or when data is crucial for fulfilling specific public tasks but not otherwise available. It also sets the responsibilities of government agencies in handling such data, including only using the data for the stated purpose, implementing necessary technical and organisational measures, and destroying it when no longer needed.

The ambiguity of the scope of “special cases” and the other parameters to this government power could leave Vietman in the situation were its laws are found under the EU's General Data Protection Regulation and other regimes to lack sufficient precision and proportionality to allow organisations to export personal data to Vietnam. If left unremedied, multinationals may struggle to legally share data between global and Vietnamese operations; similarly, Vietnamese domestic champions looking to expand abroad may face regulatory barriers or even investigations where they seek to transfer personal information back to Vietnam in breach of overseas data principles (in the manner beset Uber in the Netherlands in the last few days).

Conclusion

Set to take effect from 1 January 2026 without any transition period, the proposed Data Law marks a significant milestone in establishing a comprehensive legal framework for data activities in Vietnam. In some ways, the legislation reflects wider regional trends toward more robust data governance frameworks, such as the recent development in Thailand.

However, the draft Data Law’s broad requirements and approval processes could cause substantial compliance burden and operational disruption to multinationals. Companies should leverage their and their legal advisors’ experiences in similar jurisdictions, and closely monitor the development of the forthcoming implementation rules and guidelines, to ensure thorough preparation and compliance.

We are already working with our colleagues at Allens to help multinationals get ahead in preparation for these key developments, in particular collating industry comments on the law for a large Asia-based trade association to submit to the MPS. More information about the data protection laws in Vietnam is available here. Please contact to us if you have any questions or need advice.

Stay tuned for further updates as we see them.

Our lawyers are enthusiastic, committed people who relish the challenges and opportunities that they encounter every day.

Search for a lawyer by name or use one of the filters.

Our business team members are enthusiastic, committed people who relish the challenges and opportunities that they encounter every day.

Search for a business team member by name or use one of the filters.