In the digital transformation era, the governance of digital data has become a cornerstone for developing a robust digital economy and society. Recognising data's critical role in national security and economy, the National Assembly of Vietnam has made significant strides in strengthening Vietnam's legal framework on data by passing the Data Law No. 60/2024/QH15 (Data Law) on 30 November 2024, which shall come into force from 01 July 2025. The Data Law aims to establish comprehensive guidelines for data governance, strengthen the data-based economy, as well as promote the development of data-related products and services. Furthermore, the Law aims to align Vietnam with the international data protection standards, and address both domestic and global concerns about data privacy and security.

The Data Law is set to provide the fundamental principles, policies, and regulations governing digital data. It establishes the roles and responsibilities of various stakeholders, including government agencies, private organisations, and individuals. The Data Law also sets out the structure and functions of the National Data Centre and the National Integrated Database, which are pivotal for centralising and standardising data management across the country.

In this legal update, we will highlight some key provisions under the Data Law that, from our point of view, impact various stakeholders.

(a) The cornerstone of the Data Law is the creation of a National General Database, a centralised database aimed at facilitating data sharing, analysis, and utilisation across governmental bodies and beyond. The Law provides the following tasks:

The National General Database is envisioned as a key component in Vietnam's digital transformation strategy, contributing to developing a digital government, economy, and society.

(b) The National Data Centre serves as the central hub for data integration, storage, and management in Vietnam. It houses the National General Database and provides various government agencies with the necessary information technology infrastructure. The National Data Centre plays a significant role in:

The National Data Centre is expected to be operational by the fourth quarter of 2025.[1]

The Data Law introduces some new concepts on data, including:

The Data Law mandates the implementation of governance policies to ensure data quality, integrity, and availability, including activities like classification, quality assurance, access control, and risk management to manage the abovementioned data. These policies are essential for proper data handling, which covers data collection, storage, processing, sharing, and deletion, all of which must comply with legal requirements for accuracy, security, and lawful processing. Additionally, data usage must align with legal regulations and respect the rights of data subjects, allowing for legitimate uses such as public services, research, and development, while prohibiting any usage that threatens national security, public order, or individual rights.

Data protection is a paramount concern in the Data Law. The law mandates that data protection measures be implemented throughout the entire data processing lifecycle, encompassing all stages from collection and storage to usage and deletion.  These measures include:

Government agencies are required to establish a unified data protection system to assess data security risks, conduct surveillance, and provide early warnings for possible data breaches. The Data Law emphasises the protection of Core Data and Important Data, requiring strict compliance with specific regulations to ensure their confidentiality, integrity, and availability.

Data publication is also regulated, with the Data Law requiring government agencies to proactively disclose open data to promote transparency and accessibility. Data impacting national defence, security, foreign affairs, macroeconomics, social stability, public health, and safety is considered important and requires more stringent security and protection measures.

The Data Law permits the transfer of data from foreign countries into Vietnam and the processing of foreign data within Vietnam. The Vietnamese government aims to create a favourable environment for international data exchange and cooperation, fostering innovation and economic growth. However, the transfer and processing of core and important data across national borders are subject to specific regulations, which shall be further guided by the Government.

The cross-border transfer and processing of core and important data encompass several scenarios, including:

These cross-border data-related activities must comply with Vietnamese law and international treaties to which Vietnam is a signatory. They must not compromise national defence, security, national interests, public interests, or the legal rights and interests of data subjects and owners.

The Data Law of Vietnam addresses various data-related services, including:

(a) Data Intermediation Services refer to services that establish a commercial relationship between data subjects, data owners, and service users through agreements. These services aim to facilitate data exchange, sharing, and access and exercise the rights of data subjects, owners, and users.

Organisations providing data intermediary services must register their operations and comply with investment laws, except for cases where services are provided internally within an organisation.

(b) Data Analysis and Synthesis Services involve analysing and synthesising data as requested by product users. These services produce Data Analysis Products, the results of processing data into useful insights at various levels.

Organisations providing data analysis and synthesis services that may pose risks to national defence, security, social order, morality, or public health must register their operations and comply with investment laws. These services must comply with relevant regulations if they connect or share data with national or specialised databases.

(c) Data Platforms are platforms that provide data-related resources to support research, startup development, and innovation. These platforms offer data products and services to promote socioeconomic development and serve as environment for data exchange and transactions.

Organisations providing data platform services are limited to public service units and state-owned enterprises that meet service provision conditions and are licensed to operate. Data that is harmful to national defence, security, or foreign affairs, data without the data subject's consent (unless otherwise specified by law), and other data prohibited from trading are not allowed to be transacted on these platforms.

The Data Law of Vietnam provides a comprehensive framework for data management, protection, and utilisation in the digital era. It aims to promote data sharing, innovation, and economic development while ensuring national security and protecting individuals’ rights. The law's emphasis on the establishment of the National General Database and the National Data Centre underscores the government's commitment to building a robust and secure data infrastructure for the country.

As the law is set to take effect on 01 July 2025, the development of related decrees will play a vital role in defining its practical implementation. Businesses should closely follow these drafts and provide feedback to influence the creation of well-balanced and clear policies. Involvement in this process will help ensure that the regulations foster innovation while ensuring the data protection and risk-control rules.

Footnotes

[1] Resolution No. 175/NQ-CP on approving the National Data Center project on October 30, 2023.