Skip to Content

Draft Law on Data


The Ministry of Public Security (“MPS”) has proposed the promulgation of the Law on Data. In line with this proposition, the MPS has released a draft of the Law on Data (“Draft Law”) and is in the process of soliciting opinions from entities that would be subjected to the Draft Law. The Draft Law stipulates principles for data collection, storage, protection; cases of providing data to state agencies; national comprehensive databases; management of electronic authentication services, data intermediaries, and data exchange platforms. The proposals align with the Prime Minister’s Directive No. 04/CT-TTg dated 11 February 2024, which aims to promote the implementation of the project for residential data application and electronic identification and authentication to serve the national digital transformation for 2022 – 2025 (with a vision up to 2030).

The Ministry of Public Security in Vietnam has proposed the Draft Law on Data to address several critical issues:[1]

  • Infrastructure: Address the lack of sufficient infrastructure for deploying core IT systems among a number of ministries and departments.
  • Data Management: Resolve issues with data duplication and overlap in data collection and storage, and the absence of standardization and unification in data management.
  • Data Centers: Tackle the inadequate investment in data centers and their maintenance.
  • IT Infrastructure Services: Mitigate the risks associated with hiring IT infrastructure services among a number of ministries and departments.
  • Human Resources: Address the shortage of skilled human resources for managing information systems.
  • National Databases: Complete the construction of national databases.
  • Security: Enhance information security and address vulnerabilities in information systems.
  • Legal Framework: Unify regulations related to the collection and use of information in national and specialized databases.

The proposal of this Draft Law is a strategic move by the Ministry of Public Security to streamline data management, enhance information security, and support the nation’s digital transformation. The proposed legislation is expected to significantly impact enterprises that are engaged in data processing and the provision of data products and services.


  1. Scope and purpose: The Draft Law regulates the construction, development, processing and governance of data in Vietnam, as well as the application of science and technology in data processing, the provision of data products and services, and the responsibilities of agencies, organizations and individuals involved in data activities.
  2. General principles and prohibited acts in data processing: Data processing must comply with the Constitution and laws, ensure human rights and citizens’ rights, information security and personal data protection, and serve the public interest and socio-economic development. Data processing is prohibited from infringing on national interests, security, social order and safety, and the legitimate rights and interests of data subjects and owners.
  3. Data classification: Data is classified into shared data, private-use data, and open data, according to the scope of access, exploitation and use. Data is also classified into static data, dynamic data, analytical and statistical data, and master data, according to the characteristics and use value of data.
  4. Data sharing and data provision to state authorities: Data sharing is defined as the activity of providing the same data resources to multiple applications, users, or organizations. Data sharing of the National Data Center is carried out through the data sharing and coordination platform of the Government. Organizations and individuals will be required to provide data and information to state authorities as requested in accordance with the law. Organizations and individuals may voluntarily provide its data to state authorities for purposes of public interests, scientific research or public emergencies.
  5. Data processing activities: The Draft Law provides definitions and regulations related to various data processing activities, including analyzing, synthesizing, authenticating, verifying, publicizing, accessing, retrieving, encrypting, decrypting, copying, transmitting, transferring, withdrawal, deletion, destruction of data.
  6. Data strategy and governance: The Government is responsible for promulgating National Data Strategies. The Prime Minister is responsible for promulgating data strategies for national databases. Ministries, ministry-level agencies, agencies under the Government, and provincial-level People’s Committees will promulgate strategies for specialized databases under their management. Data governance is the activity of organizing the implementation of data policies and strategies, and data management and processing measures that ensures the completeness, accuracy and timeliness of data. Data governance requires synchronization, continuity and timeliness.
  7. National Comprehensive Database: The Draft Law sets out the creation of a National Comprehensive Database. The National Comprehensive Database is a database synthesized from various data sources of state agencies, organizations and individuals. It will serve the administration and activities of state agencies, and political and socio-political organizations in relation to policy making and other data exploitation. Organizations and individuals will have the responsibility to contribute their data to the National Comprehensive Database when requested for public purposes. The Draft Law also notes that there may be cases of compulsory collection of data, though these are not specifically included.
  8. National data center: To house the National Comprehensive Database, the Draft Law includes the establishment of a National Data Center to be built and managed by the Government. The National Data Center will be used to store, share, analyze and coordinate data of state agencies and other national databases. Data at the National Data Center will be the core platform for providing data-related services, supporting policy making, development, digital transformation, and national defense and security. Overseen by the Minister of Public Security, the National Data Center is intended to provide information technology infrastructure for socio-political organizations, national database systems, and agencies.
  9. Data products and services: Under the Draft Law, data products and services are defined as products and services related to data processing for commercial purposes. These may include data intermediary services, data analysis and synthesis services, electronic authentication services, and data exchange services, among others. Depending on the type of data products and services, the Draft Law makes reference to additional applicable laws and regulations, as well as relevant operational conditions and licensing requirements. The extent and details of these conditions and requirements is not included in the Draft Law at this stage, and still requires further clarification and explanation.

The Ministry of Public Security will collect feedback from agencies, organizations, and individuals for further revisions to the Draft Law.

III. Initial Analysis & Implications for Enterprises

In its current form, the primary focus of the Draft Law appears to be government agencies. The Draft Law imposes limited responsibilities on businesses and individuals. Typical of Vietnam’s legislative process, this Draft Law will likely be subject to significant revisions prior to finalization. The date of promulgation set out in the Draft Law is 01 January 2026, suggesting a preparatory period of at least another year and half. In subsequent drafts, we hope to see additional content and details to fill in regulatory gaps in the current Draft Law. In addition to gaps noted above, the current Draft Law is characteristically broad and lacking in specifics.

The provision of additional details, including well-thought-out exceptions and implementable parameters are especially important for regulations related to data and data protection since compliance with regulations in this field often has implications to businesses core operations. As an example, broad language and ambiguities in Decree No. 13/2023/ND-CP on the Protection of Personal Data, which was promulgated on 17 April 2023 last year, created confusion for many businesses attempting to comply with its requirements. In some cases, strict interpretation of Decree 13’s wording would have proven so burdensome to businesses that it would have caused serious disruption to operations. Hopefully, by the time the Draft Law is in its final form, these considerations will have received careful review.

VILAF will continue to monitor and publish updates on this important issue as they become available. In the meantime, please contact Tung Ngo if you have any questions related to the Draft Law or Vietnam’s digital policies.


Download the full copy of the Draft Law on Data.