On 30 November 2024, the Data Law was officially passed and will come into effect on 01 July 2025. To concretise the provisions of the Data Law,the Ministry of Public Security (MPS) released the first draft of the Decree guiding the implementation of the Data Law (Draft Decree) on 17 January 2025 for public consultation. The first version of the Draft Decree consists of 30 articles divided into 05 chapters.

In this legal update, we will highlight some major points under the Draft Decree that, from our point of view, guide the provisions of the Data Law that impact various stakeholders.

  1. The National General Database and National Data Centre
    • The Draft Decree outlines the technical, security, and operational requirements for the National Data Centre’s infrastructure, its key IT components, and the procedures for state agencies and socio-political organisations to utilise or integrate with the Centre.
    • The National Data Centre is responsible for integrating, storing, and managing data from government, Party, and socio-political organisations to establish and govern the National Integrated Database, ensuring secure operations and efficient use of IT infrastructure.
    • It coordinates the analysis, management, and sharing of data for state governance, policy development, and research while overseeing IT infrastructure upgrades, maintenance, and repairs under its investment.
    • The Centre develops standards for data quality, monitors data synchronisation across agencies, and manages processes for sharing and coordinating data between the National Integrated Database and sector-specific databases.
    • Measures for data protection are implemented, including management policies, technical safeguards, human resource training, and legal compliance, with provisions for cross-border data sharing and international collaboration.
    • The Centre supports national governance by enabling data sharing across public and private stakeholders, providing analysis tools, and ensuring the reliability and legal validity of shared and original data.
  1. Data Protection and Processing
    • The Draft Decree sets out criteria for identifying critical data, which are assessed based on their potential impact on sectors, groups, or regions, particularly in relation to national defence, security, foreign relations, macroeconomic stability, social order, public health, and safety. Additionally, it defines core data as that which has a direct link to critical areas like national security and economic stability, while excluding state secrets.
    • The Draft introduces a detailed framework regulating data disclosure. It prohibits the disclosure of personal data, state secrets, or information that could endanger national interests or public health unless specific conditions or consent are met. Data related to private affairs, business operations, or family matters can only be disclosed with consent, except when legal requirements or public interests apply. Open data disclosures are controlled via national or local data portals and must adhere to prescribed guidelines.
    • The Draft Decree also requires adherence to existing data protection laws, integrates data security into national defence strategies, and prescribes detailed measures—including management, technical, human resource, and state-level actions—to safeguard data while fostering its lawful and efficient use to support the development of the digital economy.
  1. Cross-border Data Transfer and Processing
    • The Data Law requires that cross-border data transfers protect data subjects’ rights, national security, public interests, and defence. Data controllers must assess risks for transferring core or important data, conducting impact assessments covering data protection, risks, foreign recipients’ responsibilities, and security contracts.
    • The assessment evaluates legal, security, and technical safeguards and risks of data loss or misuse and must be submitted to relevant authorities like the Ministries of Public Security or Defence. Specific procedures apply to core and important data, with mandatory updates for changes in processing or security, and authorities may suspend transfers if risks to national security or public interests arise.
  1. Conclusion

Regulated under the broader Data Law, the Draft Decree will provide essential guidelines for various stakeholders, from government agencies to private sector organisations, to comply with best practices and regulations. The Draft is open for public consultation from 17 January to 17 March 2025 and is scheduled to take effect on 1 July 2025. During this consultation period, organisations and stakeholders engaged in data-related activities are encouraged to carefully review the document to assess its impact on their operations. This will enable them to ensure full compliance with the new regulations and take the necessary steps to prepare for its implementation.

 

More from Lexcomm Vietnam LLC