On November 30, 2024, the Ministry of Public Security (MPS) announced the passage by the National Assembly, of the Data Law. This follows the request for feedback on the draft Data Law in June 2024. The Data Law applies to the use of digital data products and services, digital data management, and provides for the establishment of the National Data Center and the National General Database. The Data Law distinguishes between different types of data, providing definitions for 'non-personal data,' 'private data,' 'open data,' 'synthetic data,' 'critical data,' and 'core data.'

In particular, the Data Law outlines provisions related to, among other things:

• data classification;
• data quality assurance;
• providing data to government agencies;
• data encryption; and
• data destruction and deletion.

What measures need to be implemented for data transfers from Vietnam?

Notably, data classified as core and important data that must be provided and transferred outside Vietnam must be assessed and approved by relevant authorities. The Prime Minister is responsible for assessing the transfer of core data and the MPS is responsible for assessing the transfer of important data. To transfer data abroad, data owners must pass the data security assessment outlined under the Data Law.

The Data Law outlines that the data security assessment must consider:

• the legality, purpose, and necessity of the data transfer, the scope, method of data transfer, and processing of data by the recipient abroad;
• the size, scope, type, and sensitivity of the data to be exported and the risks that the export of the data may pose to national security, public interest, or the rights and legitimate interests of individuals or organizations;
• responsibilities and obligations that the foreign recipient has undertaken to fulfill;
• the risk that the data will be falsified, destroyed, leaked, lost, transferred, or illegally collected or used during or after the data is transferred and whether the channels for protecting the rights and interests of the data subject are obstructed;
• whether the contract or other legally valid documents drawn up with the overseas recipient contain a full agreement on the responsibilities and obligations for data security protection; and
• other issues that may affect the security of data transmission.

Data security assessments must be carried out before the provision and transfer of data overseas, with continuous monitoring and reassessment during cross-border transfers.

In addition, organizations processing core and important data must periodically carry out risk assessments in relation to such data. Measures to be adopted in relation to such risks include encryption, authentication, access management, and training employees on data security risks.

You can read the press release here and download the draft Data Law here, both only available in Vietnamese.