Key Data & Cybersecurity Laws
Jump to
Key Data & Cybersecurity Laws Start Comparison
How are data and cybersecurity laws/regulations implemented?

Last review date: 2 January 2025

☒  omnibus – all personal data

☒  sector-specific

e.g., banking, consumer protection, healthcare, telecommunications

  constitutional

What are the key data privacy laws and regulations?

Last review date: 2 January 2025

What are the key laws and regulations relating to non-personal data?

Last review date: 2 January 2025

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

Last review date: 2 January 2025

Yes.

To enforce new privacy requirements under the PDPD, the Government has been working on a draft decree on administrative sanctions in the field of cybersecurity ("CASD"). The latest version of the draft CASD, submitted to the Ministry of Justice for appraisal in May 2024, maintained the previously proposed GDPR-type fine of 5% of the offender's total revenue of the preceding fiscal year in Vietnam. Additional sanctions and remedial measures under the draft CASD remain substantially unchanged, including license revocation, confiscation of the means used to process personal data, and mandatory cessation of data processing for 1-3 months. The issuance schedule of the CASD remains to be seen.

The Data Law, which will take effect on 1 July 2025, seeks to regulate digital data in general, which can encompass personal and non-personal data. The Law introduces new requirements regarding different forms of data processing, such as overseas transfer of important data and core data, and data disclosure to State authorities. Data-related products and services such as data intermediary, data analysis and synthesis, and data exchange are also captured. The Law delegates the Government to provide detailed regulations for guidance purposes.

Vietnam is also drafting a Personal Data Protection Law (PDPL), which is aimed at providing a comprehensive legal framework on personal data protection with a higher legal effect than the current PDPD. Under the latest version released for public consultation, the draft PDPL proposed to regulate personal data processing in specific contexts such as marketing, behavioral and targeted advertising, big data processing, AI, cloud computing, recruitment and employment monitoring, banking and finance, social networks, and media services. It also addresses specific categories of personal data, including health and insurance data, location data, biometric data, credit data, and children's data. The draft PDPL is expected to be enacted in May 2025 and take effect on 1 January 2026.