You are using an outdated browser and your browsing experience will not be optimal. Please update to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox. Install Microsoft Edge

May 3, 2024

Vietnam’s Draft Law on Data Takes Shape

Subscribe to Updates

Vietnam’s Ministry of Public Security (MPS) recently published on its website a dossier of the Draft Law on Data (the “Draft Law”) for public feedback, initiating a consultation period from February 26 to March 26, 2024. The dossier comprises a Policy Impact Assessment Report and a Summary Report on the implementation of existing legal documents governing data. An outline of the Draft Law was later circulated to relevant organizations for their input and commentary.

The MPS drafted this legislation with several objectives, including bolstering national data infrastructure, advancing digital government while streamlining administrative procedures, fostering growth in the digital economy and building a digital society, and establishing a National Data Center. Comprising 65 articles across 6 chapters, the Draft Law is slated for implementation on January 1, 2026.

The Draft Law currently is very preliminary, resembling a framework document. It features numerous provisions akin to policy mandates, yet only presents introductory concepts without further elaboration.

Scope of Application

The Draft Law applies to agencies, organizations, and individuals involved in data activities in Vietnam. This scope of application appears excessively broad and ambiguous, without a clear definition of “data activities”, leaving uncertainty regarding the breadth of this term’s coverage.

Key Policy Groups

The Draft Law focuses on four key policy groups:

  1. 1. Regulations on development, processing, and management of data

This policy group focuses on matters relating to the collection, digitalization, and creation of data; assurance of data quality; data classification; data storage; data combination, adjustment, and updating; data strategy; data management; data sharing; provision of data to state agencies; data analysis and synthesis; data verification and authentication; data disclosure; access and retrieval of data; data encryption and decryption; data copying, transmission, and transfer; data revocation, deletion, and destruction; application of science and technology in data processing; identification and management of risks in data processing; the National Data Development Fund; data protection; and international cooperation on data.

Article 8 of the Draft Law provides seven classifications of data: shared data, private-use data, open data, static data, dynamic data, analytical and statistical data, and master data. However, it does not address personal data and its classification into basic and sensitive personal data as outlined in Decree No. 13/2023/ND-CP on Personal Data Protection (“PDPD”). Consequently, it remains unclear how personal data fits within these classifications.

Article 14 of the Draft Law requires organizations and individuals to provide and disclose information and data to state agencies when requested, according to the provisions of law. A broad provision such as this could pose challenges in its application and increase the risk of misuse and abuse of authority.

  1. Regulations on National General Database

This policy group focuses on matters relating to synchronizing all information and data from national databases and specialized databases to a to-be-created National General Database; processing, administration, and sharing of data of the National General Database; responsibility for providing information and data of state agencies, political organizations, socio-political organizations, and other individuals and organizations; the relationship between the National General Database and national databases, specialized databases, national public service portals, and other databases and information systems; synchronization of databases of businesses, organizations, and individuals that voluntarily provide or are required to provide data to the National General Database in case of emergency response; and fees for the use of information in the National General Database.

Article 30 of the Draft Law sets out the obligation of Vietnamese and foreign individuals, organizations, and businesses operating in Vietnam to promptly provide, share, synchronize, and update data to the National General Database for general purposes upon receiving a written request. Again, this very broad provision will pose difficulties and challenges for businesses in implementation.

  1. Regulations on National Data Center

This policy group focuses on matters relating to the position and role of the National Data Center; registration and provision of National Data Center infrastructure resources to serve database management activities; administration, operation, and use of National Data Center infrastructure resources; upgrading, maintaining, and repairing National Data Center infrastructure; allocation of capital sources to build, develop, upgrade and prioritize investment in modern equipment for the National Data Center; the use of data sharing and coordination platform of the National Data Center to serve data sharing between the National Data Center and agencies and organizations; data protection at the National Data Center; and ensuring operational resources of the National Data Center.

  1. Regulations on data products and services

“Data products and services” are defined as products and services related to data processing activities for commercial purposes. The Draft Law lists various types, including data products and services in e-transactions, telecommunications, network security, and network information security, which will adhere to the respective laws governing these domains; data products and services in other specialized sectors, which will be subject to corresponding specialized laws and regulations; and data products and services subject to the regulations of the Draft Law, which include data products and services in data intermediary activities, data analysis and synthesis, data trading floors, and electronic authentication of data not linked to an electronic identity.

Observations

In other countries, the majority of regulations on data tend to focus on a number of fundamental issues aiming at fostering the growth of digital governance, digital societies, and digital economies. These include safeguarding personal data; enhancing network security; ensuring consumer protection in e-transactions; establishing e-government regulations; implementing electronic/digital authentication for secure online transactions and interactions; managing cross-border data flow/transfer; regulating content and social networks; promoting open data policies to enable public access to government data for fostering innovation and economic development; instituting regulations for national databases or data centers to uphold system security, confidentiality, and data integrity, and establishing regulatory frameworks or guidelines for emerging technologies such as artificial intelligence, blockchain, and the Internet of Things to ensure responsible and ethical development and usage.

In addition to its ongoing efforts to develop regulatory frameworks or guidelines for emerging technologies, Vietnam already has comprehensive legislation in place to address nearly all of these significant aspects of data regulations, which are covered by the PDPD, the Law on Cybersecurity, the Law on Network Information Security, the Law on Consumer Protection, the Law on E-Transactions, Decree No. 59/2022/ND-CP on electronic identification and authentication, and other legislative documents. Drafting a Law on Data that aligns with these current data regulations, including sector-specific regulations, presents a formidable task that demands meticulous attention to prevent duplication, overlap, inconsistency, and the imposition of additional burdens. It is thus essential for stakeholders to closely follow the drafting process and actively engage by providing feedback and comments on the Draft Law.

Related Professionals

Industries

Technology

Location

RELATED INSIGHTS​

May 15, 2024
On May 1, 2024, Thailand’s National Cyber Security Committee (NCSC) published the draft NCSC Notification Re: Cloud Cybersecurity Standards for a public hearing period, which was open until May 14, 2024. These standards have been drafted to drive the country’s cloud-first policy with the aim of minimizing risks from cyber threats to cloud services utilized by government agencies, supervising or regulating organizations, and critical information infrastructure (CII) organizations. The key points of the draft Cloud Cybersecurity Standards are below. Scope The standards apply to government agencies, supervising or regulating organizations, and CII organizations under the Cybersecurity Act B.E. 2562 (2019), as well as cloud service providers (defined below). The standards prescribe cloud system cybersecurity measures for cloud service customers (defined below) and providers only to the extent that the service is provided to the in-scope organizations outlined above. Definitions Cloud service customers (CSCs): In-scope organizations that have a formal contractual agreement to use cloud services provided by a cloud service provider. Cloud service providers (CSPs): Persons who enable cloud services to be used by a cloud service customer, responsible for maintaining infrastructure, platforms, and software that enable provision of the cloud services and for managing these resources to ensure their accessibility, security, and scalability for their cloud service customers. Application In-scope organizations that will use or have been using cloud services must comply with the Cloud Cybersecurity Standards by taking into account their data or technology information systems’ level of impact, as specified in the previously issued Notification of the NCSC Re: Standards for Defining the Security Category for Data and Information Systems B.E. 2566 (2023). The impact level related to personal data is to be rated as being at least at the medium level, and the minimum standards for that level specified in the draft Cloud Cybersecurity Standards
Read More
May 13, 2024
On May 2, 2024, Vietnam’s Ministry of Justice published on its online platform the most recent version of the draft decree on administrative sanctions for violations in the field of cybersecurity (“Draft Sanction Decree”) to gather feedback and contributions from the community and stakeholders. After receiving the Ministry of Justice’s assessment, the Ministry of Public Security (“MPS”), in charge of drafting the Draft Sanction Decree, may make further revisions before submitting it to the government for review and final decision on enactment. The decree is expected to have an effective date of June 1, 2024. The stringent penalties for infringements involving personal data of the previous draft version remain in this Draft Sanction Decree—a sign of the proactive stance of the MPS in enforcing the Personal Data Protection Decree (“PDPD”). Effective Date and Transitional Provisions It is important to note that the Draft Sanction Decree does not impose any new obligations on organizations or individuals, and only sets out the administrative sanctions that could be imposed on violators as soon as June 1, 2024, which is indicated as the effective date in Article 49. This signals the MPS’s eagerness to begin taking enforcement actions against recalcitrant organizations and individuals that have not complied with the various obligations imposed on them under the Law on Network Information Security (enacted in 2015), the Law on Cybersecurity (enacted in 2018) and its guiding decree (Decree 53 – enacted in 2022), and the most recent PDPD (enacted in 2023). Article 50.1 of the Draft Sanction Decree outlines the transitional provisions regarding administrative violations in the cybersecurity field. It clarifies that the decree does not have retroactive effect, by stating that violations occurring before its effective date, but discovered or under review after such effective date will be subject to the regulations on administrative
Read More
May 9, 2024
As non-cash payments continue to surge in Vietnam, the requirement for strong security standards and a clear legislative framework for intermediary payment services (“IPS”) is becoming more and more critical. Recognizing this, the State Bank of Vietnam (“SBV”) has been working on a draft decree to supersede the outdated Decree No. 101/2012/ND-CP dated November 22, 2012, on non-cash payments (“Draft Non-Cash Payment Decree”), which will lay the groundwork for non-cash payments in general and the provision of IPS in particular. Building upon this, the SBV recently issued a draft circular to replace Circular No. 39/2014/TT-NHNN dated December 11, 2014, on IPS (“Circular 39”) (“Draft IPS Circular”), which will offer more detailed guidance on the provision of IPS in Vietnam on top of the Draft Non-Cash Payment Decree. The Draft IPS Circular will be applicable to (i) IPS providers; (ii) foreign organizations providing IPS in Vietnam; and (iii) organizations and individuals involved in the provision of IPS. Some key updates regarding the Draft IPS Circular are as follows: Scope of Application The Draft IPS Circular sets out further guidance for the provision of IPS as listed under the Draft Non-Cash Payment Decree, including: (i) electronic clearing services; (ii) electronic wallet (“e-wallet”) services; (iii) collection and payment support services; (iv) financial switching services; (v) international financial switching services; and (vi) electronic payment gateway services. Notably, the Draft IPS Circular has explicitly excluded from its scope of application the provision of accounts by goods/service providers to their customers solely for the purpose of payment within the systems of such providers (e.g., cards/coupons or service/transaction accounts of online game service providers, transportation service providers, or securities companies, etc.). Requirements on the Provision of IPS Electronic Clearing Services: The Draft IPS Circular introduces regulations to cover certain elements of electronic clearing services that have
Read More
May 9, 2024
On April 29, 2024, Thailand’s Office of the Personal Data Protection Committee (PDPC) issued the master plan for personal data protection, which outlines the PDPC’s strategies for developing and enhancing the data protection framework in Thailand from 2024 to 2027. A draft of this four-year plan had previously been released for a public hearing on November 27, 2023. Overview The master plan sets out the long-term direction for the protection of personal data in Thailand, analyzing the current landscape, challenges, and obstacles encountered since the full enactment of the Personal Data Protection Act B.E. 2562 (2019) (PDPA). It aims to align with Thailand’s National Security Policy and Plan for 2024–2027 and focuses on key sectors in its initial two years. These sectors are: Public security and key government services; Retail and e-commerce; Information and communication technology and telecommunications; Finance, investment, and insurance; Public health; Tourism; and Education. Objectives The master plan’s goals include increasing organizational compliance with the PDPA, reducing data breaches, updating the PDPA to reflect current circumstances, introducing various PDPC e-services, and enhancing Thailand’s global competitiveness in data privacy and personal data protection. It sets targets and indicators of the plan’s success, such as achieving a 100% PDPA compliance rate across all sectors in Thailand and raising Thailand’s digital competitiveness to at least 30th in the World Digital Competitiveness Rankings from the IMD World Competitiveness Center. Strategic Initiatives To achieve these objectives, the master plan introduces four strategic initiatives: Effective and balanced PDPA enforcement: Develop standards, principles, criteria, tools, indicators, and data privacy governance, including law enhancements. A recent example of this is the PDPC’s launch of the Personal Data Protection Surveillance Centre (PDPC Eagle Eye) to monitor data breaches. Knowledge and trust enhancement: Build human capacity and trust by enhancing knowledge through initiatives like the forthcoming
Read More

Contact

We have seven offices in six countries
across Southeast Asia.

Contact Us

Careers

We are always seeking great people to grow
our amazing team.

Join Us

Networks

© 2023 Tilleke & Gibbins International Ltd. All rights reserved.

© 2020 Tilleke & Gibbins International Ltd. All rights reserved.

Privacy Policy

| Legal Notice