Vietnam Adds Fourth Data Law, Banning Export of Core Data Before October Vote
5 hour ago / Read about 40 minute
Source:TechTimes

Moj.gov.vn

Vietnam's Ministry of Justice released an assessment Monday of a proposed Law on Data Security that would prohibit the cross-border export of so-called "core" data entirely and require prior approval from the Ministry of Public Security before companies can move "important" data or large volumes of personal data outside the country — a proposal that, if passed in the October National Assembly session, would add a fourth statutory layer to Vietnam's already demanding data governance architecture and place foreign companies on the wrong side of an MPS approval gate before any data leaves the country.

The assessment's release is a significant regulatory signal for every multinational cloud provider, e-commerce platform, financial institution, and technology company routing Vietnamese user data through servers in Singapore, the United States, or anywhere else outside Vietnam's borders. Companies that are not already mapping their data flows against a four-tier classification system — ordinary, internal, important, and core — have, as of today, a clear legislative deadline: the government is targeting October.

Vietnam's Data Law Stack Now Has Four Layers

To understand what the proposed Law on Data Security adds, it helps to understand what is already in force.

Vietnam's existing data governance framework rests on three statutes enacted in rapid succession between 2024 and early 2026. The Vietnam's Law on Data (Law No. 60/2024/QH15), effective July 1, 2025, was the first to introduce the tiered data classification concept, distinguishing "important" and "core" data categories and restricting their cross-border transfer based on national defense and security considerations. The Personal Data Protection Law (PDPL, Law No. 91/2025/QH15), passed in June 2025 and effective January 1, 2026, established the personal data protection framework proper — introducing revenue-based penalties, requiring Cross-Border Transfer Impact Assessments (CBTIAs), and designating the Ministry of Public Security as the supervisory authority. Its implementing Decree No. 356/2025/ND-CP took effect on the same date. The Cybersecurity Law 2025 (Law No. 116/2025/QH15), effective July 1, 2026 — thirteen days ago — consolidated Vietnam's cybersecurity framework and expanded MPS powers further.

The proposed Law on Data Security would sit atop all three, adding a fifth-tier statutory mechanism: a hard prohibition on transferring core data abroad at all, and a formal MPS prior-approval requirement for important data and large-volume personal data transfers. Draft assessors have already flagged the risk of overlap and called for harmonization with existing frameworks, but the government's legislative target — October's National Assembly session — has not shifted.

What Triggers the Core Data Ban

The four-tier classification system is the architecture that determines which data a company can freely transfer, which it must assess, which it must obtain approval for, and which it simply cannot move at all.

Under the Law on Data framework already in force, "core" and "important" data are not defined purely by content type. They are defined by volume thresholds and by impact risk. Non-governmental data classified as "important" includes the basic citizen data of 100,000 or more Vietnamese citizens, the sensitive citizen data of 10,000 or more Vietnamese citizens, and the bank account and payment history data of 10,000 or more enterprises. "Core" data is a subset that additionally captures state-linked and critical national infrastructure data. Most large-scale foreign platforms operating in Vietnam — social media companies, cloud service providers, e-commerce platforms, financial institutions, HR software vendors — will find themselves holding what the law classifies as important or core data.

The proposed Law on Data Security's innovation is not the classification itself, which already exists under the Law on Data. It is the addition of a formal statutory ban on exporting core data and a formal approval mechanism for important data — requirements that would exist in parallel to, and above, the CBTIA regime already established under the PDPL. Reviewers of the draft outline have noted the deconfliction problem: companies will need to know whether submitting a CBTIA under the PDPL exempts them from a separate approval filing under the new Law on Data Security, or whether both apply. That question has not yet been resolved in the draft.

Why Multinationals Cannot Afford to Wait for Harmonization

Companies currently routing Vietnamese user data to AWS Singapore, Google Cloud US, or European headquarters for analytics and HR processing are already subject to the CBTIA requirement under Decree 356. That obligation has been active since January 1, 2026. The MPS's A05 department — the Department of Cybersecurity and High-Tech Crime Prevention — has confirmed that transfers to overseas parent companies for personnel management or talent development qualify as cross-border transfers subject to assessment. Internal cloud routing for "purely internal management" may be exempt under Article 20 of the PDPL, but the line is contested.

Under Decree 356, the CBTIA dossier must document the purpose, methodology, and scope of the transfer; the storage location and duration offshore; the data return obligations imposed on the recipient; and security measures in place at the recipient organization. Companies have 60 days from the date of the first transfer to file. The MPS reviews within 15 days and may demand revisions, with a 30-day remediation window before penalties attach. The online submission portal through the National Public Service Portal is still under development; filings go directly to MPS.

The penalty for noncompliance is denominated in revenue, not in flat fees. Unauthorized cross-border transfers under the PDPL carry fines of up to 5 percent of the organization's prior-year Vietnamese revenue. Illegal trading in personal data carries penalties of up to ten times the illegally gained amount. Vietnam demonstrated that it will enforce: in May 2025, the government blocked Telegram nationwide after the platform failed to comply with data sharing requests — the most visible example of a policy the Information Technology and Innovation Foundation has described as "complete market exclusion" for noncompliant platforms operating in a market of approximately 79.8 million internet users.

Vietnam's Architecture Mirrors Beijing, Not Brussels

The structural choice embedded in Vietnam's data governance stack carries implications that go beyond the compliance overhead. The Ministry of Public Security — not an independent Data Protection Authority, not a privacy commission insulated from government — is the single approval authority, supervisory body, and enforcement agency for all data law compliance in Vietnam. When an organization files a CBTIA or seeks approval to transfer important data abroad, the reviewer is a national security ministry. When transfers are suspended for national security reasons, the decision is made by the same ministry.

This design mirrors China's data governance structure more closely than it mirrors the EU's General Data Protection Regulation. China's Data Security Law and Personal Information Protection Law also use a four-tier classification model, also restrict cross-border transfers of "important" data through a security assessment mechanism, and also vest approval authority in state security apparatus rather than an independent privacy regulator. The GDPR, by contrast, requires that national Data Protection Authorities be structurally independent from government — the independence requirement is a constitutional guarantee in the EU system. The Vietnam PDPL explicitly places the MPS, a government ministry, at the center of the regime.

Several law firms analyzing the framework have noted that Vietnam "takes a similar approach to China." That framing understates the structural significance. Vietnam is not simply tightening a privacy law in the GDPR tradition; it is constructing a national security-centric data sovereignty architecture in which the government retains audit and approval authority over all significant cross-border data flows. Whether the proposed Law on Data Security represents the end of Vietnam's localization acceleration cycle or the beginning of a longer trajectory toward a China-style regime is a question that multinationals need to factor into their long-term Southeast Asia infrastructure planning, not just their immediate compliance roadmap.

Who Is Exposed and What They Need to Do Now

The practical compliance impact falls hardest on technology companies and cloud service providers, e-commerce platforms, multinational corporations with shared-service centers routing HR and financial data, financial institutions processing Vietnamese customer payment and credit data, and any platform with 100,000 or more monthly active users in Vietnam.

The US Chamber of Commerce, the American Chamber of Commerce Hanoi, and the Asia Internet Coalition have jointly written to Vietnam's Prime Minister arguing the regulations impose a "considerable impact" on investment. Jared Ragland, Asia-Pacific policy senior director at BSA — a software trade organization whose members include Amazon Web Services and Siemens — told Nikkei Asia that data localization requirements "put companies at a competitive disadvantage" and that "companies will shift to other regional markets with more welcoming policies." Japan's Ministry of Economy, Trade and Industry has raised the CPTPP tension directly, noting that the Comprehensive and Progressive Agreement for Trans-Pacific Partnership — to which Vietnam is a signatory — prohibits data localization and that Japan was monitoring the "consistency between the Law on Cybersecurity and Vietnam's obligations under relevant international agreements."

The Vietnamese government has not signaled any intent to alter the core framework in response to these objections. Vietnam's GDP growth forecast was revised upward to 7.5 percent in January 2026, and FDI inflows remain strong, reducing the leverage foreign business advocacy carries.

For compliance teams, the actionable steps ahead of October are: conducting data classification exercises to identify flows that would be classified as important or core under both the existing Law on Data framework and the proposed Law on Data Security; engaging Vietnamese legal counsel to assess whether CBTIAs already filed under the PDPL will satisfy any new approval requirement or whether a parallel process will be required; reviewing offshore cloud routing arrangements with providers like AWS, Google Cloud, and Azure to understand what data categories are traveling to which jurisdictions; and monitoring the Ministry of Justice's finalization of the draft outline and any public comment period before the bill is submitted to the National Assembly.

Deconflicting Four Laws Is the Real Compliance Problem

Regulators reviewing the draft outline have themselves flagged the overlap risk. The Law on Data Security, as currently drafted, would operate alongside — not instead of — the Law on Data's classification regime, the PDPL's CBTIA requirement, and the Cybersecurity Law's data localization obligations. Each law has its own definitions, thresholds, approval processes, and enforcement channels. The PDPL is supervised by MPS through A05; the Law on Data's implementing decrees run through a separate channel; the Cybersecurity Law's data localization requirements are enforced through the Ministry of Information and Communications alongside MPS.

For a multinational company managing data flows across multiple jurisdictions simultaneously, this multi-law compliance matrix is the core operational problem. A data flow from a Vietnamese e-commerce platform to a Singapore cloud might trigger: a localization review under Decree 53/2022 (valid through June 2026, now superseded); a CBTIA under Decree 356; a separate important-data assessment under Decree 165/2025/ND-CP implementing the Law on Data; and, if the proposed Law on Data Security passes in October, a prior MPS approval for any data classified as important or core under the new statute.

The government has signaled that the new law should "avoid overlapping" with existing frameworks, but the deconfliction mechanism has not been specified in the draft outline. How that gap is resolved before October will determine whether the new law doubles or eliminates compliance burdens for companies already operating under the existing stack.


Frequently Asked Questions

What data cannot leave Vietnam under the proposed Law on Data Security?

Under the draft outline, "core" data would be prohibited from crossing Vietnam's borders entirely — no transfer, no approval, no exception. "Important" data and large-volume personal data could still be transferred, but only after obtaining prior approval from Vietnam's Ministry of Public Security. These categories are defined by the existing Law on Data (effective July 2025) and include, for non-governmental entities, the basic citizen data of 100,000 or more Vietnamese citizens, the sensitive citizen data of 10,000 or more Vietnamese citizens, and the bank account and payment history data of 10,000 or more enterprises. Most large-scale foreign platforms operating in Vietnam will hold data that meets these thresholds.

How does Vietnam's data governance structure differ from GDPR's?

The fundamental structural difference is who holds approval authority. Under the EU's GDPR, independent Data Protection Authorities — constitutionally insulated from government direction — supervise compliance. Under Vietnam's framework, the Ministry of Public Security, a national security ministry, is the single approval authority, supervisory body, and enforcement agency. This aligns Vietnam's approach more closely with China's Data Security Law structure than with the EU's independent DPA model. For a company evaluating long-term data infrastructure in Southeast Asia, that governance structure means that approval decisions on data transfers are made by the same ministry responsible for national security, not by a privacy-focused independent regulator.

What can a company do right now before the October vote?

The compliance window before the October National Assembly session is narrow but actionable. Companies should start by completing a data classification exercise mapping all Vietnamese user data against the existing Law on Data's four-tier framework — the categories that will matter under the new law already exist. Next, review all cross-border data flows to identify which would require MPS approval or be prohibited outright under the draft. Engage local Vietnamese legal counsel to assess whether existing Cross-Border Transfer Impact Assessments cover the new law's requirements or whether separate filings will be needed. Finally, monitor the Ministry of Justice's finalization of the draft outline and any public comment period before submission to the National Assembly — that process is the last opportunity to influence the law's deconfliction provisions before it is passed.

Does Vietnam's data law conflict with its trade treaty obligations?

Japan and Canada — both CPTPP members alongside Vietnam — have formally raised the question. The Comprehensive and Progressive Agreement for Trans-Pacific Partnership prohibits data localization requirements among signatory countries, and both governments have noted publicly that Vietnam's evolving framework risks conflicting with those commitments. No WTO or CPTPP dispute mechanism has been formally triggered as of the date of this article, and Vietnam's continued strong FDI inflows have reduced the immediate political pressure on Hanoi to alter course.