Legal Update on Vietnam’s Data Law

Lexcomm Vietnam LLC

In the digital transformation era, the governance of digital data has become a cornerstone for developing a robust digital economy and society. Recognising data’s critical role in national security and the economy, the National Assembly of Vietnam has made significant strides in strengthening Vietnam’s legal framework on data by passing the Data Law No. 60/2024/QH15 (Data Law) on 30 November 2024, which shall come into force from 01 July 2025. The Data Law aims to establish comprehensive guidelines for data governance, strengthen the data-based economy, and promote the development of data-related products and services. Furthermore, the Law aims to align Vietnam with international data protection standards and to address both domestic and global concerns about data privacy and security.

The Data Law is set to provide the fundamental principles, policies, and regulations governing digital data. It establishes the roles and responsibilities of various stakeholders, including government agencies, private organisations, and individuals. The Data Law also sets out the structure and functions of the National Data Centre and the National Integrated Database, which are pivotal for centralising and standardising data management across the country.

In this legal update, we will highlight some key provisions under the Data Law that, from our point of view, impact various stakeholders.

  1. Establishment of the National General Database and National Data Centre

(a) The cornerstone of the Data Law is the creation of a National General Database, a centralised database aimed at facilitating data sharing, analysis, and utilisation across governmental bodies and beyond. The Law provides the following tasks:

    1. Integrate, synchronise, store, analyse, and utilise government data to create and manage the national comprehensive database;
    2. Manage and operate IT infrastructure and data platforms at the National Data Centre; provide these to government and socio-political organisations as needed;
    3. Operate and coordinate the national database for government and socio-political organisations based on legal and data owner requirements;
    4. Monitor data quality and coordination; develop performance metrics for data management;
    5. Implement data protection measures;
    6. Conduct data science research, apply technology in data processing, support innovation centres, and develop data-driven ecosystems; and
    7. Engage in international data cooperation.

The National General Database is envisioned as a key component in Vietnam’s digital transformation strategy, contributing to developing a digital government, economy, and society.

(b) The National Data Centre serves as the central hub for data integration, storage, and management in Vietnam. It houses the National General Database and provides various government agencies with the necessary information technology infrastructure. The National Data Centre plays a significant role in:

    1. Conducting data analysis, coordinating data, and ensuring data quality across government agencies;
    2. Contributing to the advancement of research and development in data science and fostering innovation in the field;
    3. Offering technical support and training to organisations and individuals involved in data processing, promoting collaboration, and helping to establish a strong data science ecosystem.

The National Data Centre is expected to be operational by the fourth quarter of 2025.[1]

  2. Management, handling and use of data

The Data Law introduces some new concepts on data, including:

    1. “Digital Data” refers to data about objects, phenomena, and events, including one or a combination of sound, image, numbers, written words, and symbols presented in a digital format;
    2. “Shared Data” refers to data that is accessed, shared, exploited, and used jointly within the government and socio-political organisations;
    3. “Private Data” refers to data that is accessed, shared, exploited, and used within the internal scope of government and socio-political organisations;
    4. “Open Data” refers to data that can be accessed, shared, exploited, and used by all agencies, organisations, and individuals;
    5. “Original Data” refers to data created in the course of operations of agencies, organisations, or individuals or collected and created through digitisation of original documents, materials, and other physical forms;
    6. “Important Data” refers to data that can impact national defence, security, foreign affairs, macroeconomics, social stability, health and public safety under the lists issued by the prime minister; and
    7. “Core Data” refers to important data that directly impact national defence, security, foreign affairs, macroeconomics, social stability, health and public safety under the lists issued by the prime minister.

The Data Law mandates the implementation of governance policies to ensure data quality, integrity, and availability, including activities like classification, quality assurance, access control, and risk management to manage the abovementioned data. These policies are essential for proper data handling, which covers data collection, storage, processing, sharing, and deletion, all of which must comply with legal requirements for accuracy, security, and lawful processing. Additionally, data usage must align with legal regulations and respect the rights of data subjects, allowing for legitimate uses such as public services, research, and development, while prohibiting any usage that threatens national security, public order, or individual rights.

  3. Data Protection and Publication

Data protection is a paramount concern in the Data Law. The law mandates that data protection measures be implemented throughout the entire data processing lifecycle, encompassing all stages from collection and storage to usage and deletion. These measures include:

    1. Formulation and implementation of data protection policies and regulations;
    2. Management of data processing activities to ensure compliance with data protection regulations;
    3. Development and implementation of technical solutions to safeguard data against unauthorised access, use, disclosure, disruption, modification, or destruction;
    4. Training, fostering, developing, and managing human resources involved in data processing activities to ensure they possess the necessary knowledge and skills for data protection; and
    5. Implementation of other data protection measures following legal regulations.

Government agencies are required to establish a unified data protection system to assess data security risks, conduct surveillance, and provide early warnings for possible data breaches. The Data Law emphasises the protection of Core Data and Important Data, requiring strict compliance with specific regulations to ensure their confidentiality, integrity, and availability.

Data publication is also regulated, with the Data Law requiring government agencies to proactively disclose open data to promote transparency and accessibility. Data impacting national defence, security, foreign affairs, macroeconomics, social stability, public health, and safety is considered important and requires more stringent security and protection measures.

  4. Cross-border Data Transfer and Processing

The Data Law permits the transfer of data from foreign countries into Vietnam and the processing of foreign data within Vietnam. The Vietnamese government aims to create a favourable environment for international data exchange and cooperation, fostering innovation and economic growth. However, the transfer and processing of core and important data across national borders are subject to specific regulations, which shall be further guided by the Government.

The cross-border transfer and processing of core and important data encompass several scenarios, including:

    1. Transferring data stored in Vietnam to data storage systems located outside the territory of Vietnam;
    2. Vietnamese agencies, organisations, or individuals transferring data to foreign organisations or individuals; and
    3. Vietnamese agencies, organisations, or individuals using platforms outside Vietnam’s territory for data processing.

These cross-border data-related activities must comply with Vietnamese law and international treaties to which Vietnam is a signatory. They must not compromise national defence, security, national interests, public interests, or the legal rights and interests of data subjects and owners.

  5. Data-related Services

The Data Law of Vietnam addresses various data-related services, including:

(a) Data Intermediation Services refer to services that establish a commercial relationship between data subjects, data owners, and service users through agreements. These services aim to facilitate data exchange, sharing, and access and exercise the rights of data subjects, owners, and users.

Organisations providing data intermediary services must register their operations and comply with investment laws, except for cases where services are provided internally within an organisation.

(b) Data Analysis and Synthesis Services involve analysing and synthesising data as requested by product users. These services produce Data Analysis Products, the results of processing data into useful insights at various levels.

Organisations providing data analysis and synthesis services that may pose risks to national defence, security, social order, morality, or public health must register their operations and comply with investment laws. These services must comply with relevant regulations if they connect or share data with national or specialised databases.

(c) Data Platforms are platforms that provide data-related resources to support research, startup development, and innovation. These platforms offer data products and services to promote socioeconomic development and serve as an environment for data exchange and transactions.

Organisations providing data platform services are limited to public service units and state-owned enterprises that meet service provision conditions and are licensed to operate. Data that is harmful to national defence, security, or foreign affairs, data without the data subject’s consent (unless otherwise specified by law), and other data prohibited from trading are not allowed to be transacted on these platforms.

  6. Other highlights
    1. State Management of Data: The law designates the Ministry of Public Security as the primary agency responsible for the state’s data management. The Ministry of National Defence is tasked with managing data that falls under its jurisdiction, including classified data.
    2. National Data Development Fund: The establishment of a National Data Development Fund is stipulated to provide financial support for activities related to data development, exploitation, application, and management. This fund operates as an extra-budgetary state financial fund sourced from government support, voluntary contributions, and other legal sources.
    3. Technological Advancement: The law highlights the development and application of data-related technologies such as artificial intelligence, cloud computing, blockchain, data communication, the Internet of Things, and big data. These technologies are crucial for Vietnam’s digital transformation, national defence, and socioeconomic development.

  7. Conclusion

The Data Law of Vietnam provides a comprehensive framework for data management, protection, and utilisation in the digital era. It aims to promote data sharing, innovation, and economic development while ensuring national security and protecting individuals’ rights. The law’s emphasis on the establishment of the National General Database and the National Data Centre underscores the government’s commitment to building a robust and secure data infrastructure for the country.

As the law is set to take effect on 01 July 2025, the development of related decrees will play a vital role in defining its practical implementation. Businesses should closely follow these drafts and provide feedback to influence the creation of well-balanced and clear policies. Involvement in this process will help ensure that the regulations foster innovation while upholding data protection and risk-control rules.


Footnotes

[1] Resolution No. 175/NQ-CP on approving the National Data Center project on October 30, 2023.
