Vietnam Enacts Its First-Ever Data Law

Vietnam’s first Law on Data (Law No. 60/2024/QH15) was passed by the National Assembly on November 30, 2024, and will come into effect on July 1, 2025

Vietnam’s first Law on Data was passed by the National Assembly on November 30, 2024

17 December 2024

3 min read

Xem bản Tiếng Việt

GOVERNING SCOPE

REGULATED DATA

The law governs digital data, defined as "information about objects, phenomena, and events—represented in digital form—encompassing sound, images, numbers, text, symbols, or their combinations." This includes both personal and non-personal data, such as business information and aggregated, non-identifiable data.

Detailed data privacy regulations are excluded, as these will be addressed under a separate Personal Data Protection Law currently being developed by the Government.

Businessman checking the steps through document with a list of checkboxes , regulations,Concepts of practices and policies ,Rules and policies ,Terms and conditions ,corporate governance documents

REGULATED ACTIVITIES

The law regulates the entire data lifecycle—collection, storage, sharing, analysis, encryption, cross-border transfers, and government access—while overseeing key state initiatives like the National Data Center, National Integrated Databases, and Data Sharing Platforms. For the first time, it extends to data-related products and services, including Intermediary Data Products and Services (facilitating data exchange agreements), Data Analysis and Aggregation Products and Services (providing actionable insights), and Data Platform Services (supporting research, innovation, and data trading).

NCCS Discover Supercomputer. Original from NASA. Digitally enhan

REGULATED SUBJECTS

The law applies to Vietnamese individuals, organizations, and authorities, as well as foreign entities engaged in digital data activities related to Vietnam. For the first time, it recognizes "data ownership" as a property right under civil law, granting data owners (entities with the authority to develop, manage, protect, process, use, and exchange the value of their data) full control and exchange rights. It also introduces the role of "data manager", tasked with handling and operating data on behalf of owners. The law imposes certain obligations on data owners, managers, and entities providing data-related products and services.

CRITICAL REQUIREMENTS

Data Classification (Article 13)

The data owner and manager must classify data into three categories based on criticality: Core Data, directly impacting national defense, security, foreign affairs, macroeconomics, social stability, public health, and safety, as defined by the Prime Minister; Important Data, potentially influencing these areas, also categorized by the Prime Minister; and Other Data, governed but not in the first two categories.

Risk Management (Article 25)

Data managers must identify and mitigate risks, including privacy, cybersecurity, and access management issues, and promptly address incidents while notifying affected parties. Critical data managers must conduct regular risk assessments and report to cybersecurity authorities to ensure data security.

Products and Services Licensing (Article 40, 41 and 42)

Providers of Intermediary Data Products and Services are required to register, except for internal use. Providers of Data Analysis and Aggregation Products and Services must register if their activities pose potential risks to national security, public order, ethics, or public health. Notably, Data Platform Services can only be offered by public institutions or state-owned enterprises that meet service conditions and possess establishment permits.

Operation of Data Products and Services (Article 43)

Providers of Providers of Intermediary Data Products and Services and Data Platform Services must operate under service agreements, ensure uninterrupted service availability, regularly monitor and manage data security, and proactively prevent and address risks. They must comply with laws on cybersecurity, information safety, electronic transactions, and related regulations. Prohibited data transactions include data that affect national security, lack the data subject's consent, or are prohibited by law.

Government Lawful Access (Article 18)

Organizations and individuals are encouraged to provide data to state agencies and must comply with data provision requests during emergencies, security threats, disasters, or to prevent riots and terrorism. State agencies must ensure proper use, security, and confidentiality of the data and delete it when no longer needed. Detailed regulations are provided by the Government.

Cross-border Data Transfer (Article 23)

The Government is expected to issue detailed guidelines. Cross-border data transfer and processing are allowed, but transferring core or important data abroad must comply with regulations ensuring security, public interests, and data rights, likely under stricter oversight.

Download to your devices here

Legal Alert - Vietnam Data Law 2024 (English)

Legal Alert - Vietnam Data Law 2024 (Vietnamese)