Xem bản Tiếng Việt
GOVERNING SCOPE
The law governs digital data, defined as "information about objects, phenomena, and events—represented in digital form—encompassing sound, images, numbers, text, symbols, or their combinations." This includes both personal and non-personal data, such as business information and aggregated, non-identifiable data.
Detailed data privacy regulations are excluded, as these will be addressed under a separate Personal Data Protection Law currently being developed by the Government.
The law regulates the entire data lifecycle—collection, storage, sharing, analysis, encryption, cross-border transfers, and government access—while overseeing key state initiatives like the National Data Center, National Integrated Databases, and Data Sharing Platforms. For the first time, it extends to data-related products and services, including Intermediary Data Products and Services (facilitating data exchange agreements), Data Analysis and Aggregation Products and Services (providing actionable insights), and Data Platform Services (supporting research, innovation, and data trading).
The law applies to Vietnamese individuals, organizations, and authorities, as well as foreign entities engaged in digital data activities related to Vietnam. For the first time, it recognizes "data ownership" as a property right under civil law, granting data owners (entities with the authority to develop, manage, protect, process, use, and exchange the value of their data) full control and exchange rights. It also introduces the role of "data manager", tasked with handling and operating data on behalf of owners. The law imposes certain obligations on data owners, managers, and entities providing data-related products and services.
CRITICAL REQUIREMENTS
The data owner and manager must classify data into three categories based on criticality: Core Data, directly impacting national defense, security, foreign affairs, macroeconomics, social stability, public health, and safety, as defined by the Prime Minister; Important Data, potentially influencing these areas, also categorized by the Prime Minister; and Other Data, governed but not in the first two categories.
Data managers must identify and mitigate risks, including privacy, cybersecurity, and access management issues, and promptly address incidents while notifying affected parties. Critical data managers must conduct regular risk assessments and report to cybersecurity authorities to ensure data security.
Providers of Intermediary Data Products and Services are required to register, except for internal use. Providers of Data Analysis and Aggregation Products and Services must register if their activities pose potential risks to national security, public order, ethics, or public health. Notably, Data Platform Services can only be offered by public institutions or state-owned enterprises that meet service conditions and possess establishment permits.
Providers of Providers of Intermediary Data Products and Services and Data Platform Services must operate under service agreements, ensure uninterrupted service availability, regularly monitor and manage data security, and proactively prevent and address risks. They must comply with laws on cybersecurity, information safety, electronic transactions, and related regulations. Prohibited data transactions include data that affect national security, lack the data subject's consent, or are prohibited by law.
Organizations and individuals are encouraged to provide data to state agencies and must comply with data provision requests during emergencies, security threats, disasters, or to prevent riots and terrorism. State agencies must ensure proper use, security, and confidentiality of the data and delete it when no longer needed. Detailed regulations are provided by the Government.
The Government is expected to issue detailed guidelines. Cross-border data transfer and processing are allowed, but transferring core or important data abroad must comply with regulations ensuring security, public interests, and data rights, likely under stricter oversight.
