Vietnam's cross-border data transfer legal framework: Perspectives from the Data Law 2024 and the Personal Data Protection Law 2025

    Posted on: 14/08/2025

    In the era of digital transformation and international integration, cross-border data transfer, including the transfer of personal data, is becoming increasingly essential and plays an important role in the economy, trade and management. Vietnam has developed two important legal documents to regulate this activity: the Data Law 2024 (passed by the National Assembly on November 30, 2024, effective from July 1, 2025) and the Law on Personal Data Protection 2025 (adopted on June 26, 2025, which will take effect from January 1, 2026). While both laws are intended to govern and protect data, their scope and focus differ. The Data Law 2024 regulates all digital data, treating data as a national asset, while the Personal Data Protection Law 2025 focuses on protecting personal privacy.

    1. Scope of regulation and management agencies

    The Data Law 2024 has a wide scope of regulation, covering all digital data, which is defined as information about things, phenomena, and events in digital form. This includes public data (managed by state agencies), business data, personal data, etc., and especially "important" and "core" data. Critical data is data that can affect defense, security, macroeconomics, or social safety, while core data is a subset that has a more direct and profound impact. This law is aimed not only at data protection but also at the development of the digital economy through the data market, such as data exchanges. Management is assigned to the Ministry of Public Security (except for defense data, which is under the Ministry of National Defense), with the support of the National Data Center to coordinate data sharing and operation of the aggregate database. This approach reflects the view of treating data as a national security issue, similar to cyber security management, with the Ministry of Public Security playing the main supervisory role and strictly handling breaches.

    The Law on Personal Data Protection 2025 narrows the scope to personal data, i.e. information associated with a specific or identifiable individual, divided into basic and sensitive data. Non-personal data, such as aggregated non-personally identifiable data, is not subject to regulation. The main goal of the law is to protect privacy and prevent personal data breaches. A specialized agency for personal data protection (expected to be under the Ministry of Public Security) is established to monitor, receive records, and handle violations. Localities and the Ministry of Science and Technology coordinate in education and management of digital platforms. This approach emphasizes human rights, which is similar to international norms such as the EU's GDPR.

    The Data Law 2024 has a broad scope, treating data as a strategic asset and prioritizing national security and economic development. In contrast, the Personal Data Protection Law 2025 focuses on personal privacy, with clear concepts such as "data controller/processor" to attribute responsibility. In terms of management agencies, both are chaired by the Ministry of Public Security, but the Personal Data Protection Law has its own specialized agency, ensuring specialization in personal data management. This difference reflects a dual goal: the Data Law promotes data exploitation, and the Personal Data Protection Law protects individual rights.

    2. Legal conditions for cross-border data transfers

    The Data Law 2024 allows the free transfer of data into Vietnam or the processing of foreign data in Vietnam, protecting the legitimate interests of the parties. However, when transferring data abroad, specifically critical data and core data, the law imposes strict conditions: national defense, national security, public interest, and the rights of the data subject must be ensured. Article 23 stipulates three forms of data transfer abroad: (1) transfer of data stored in Vietnam to foreign systems; (2) providing data from Vietnam to foreign organizations/individuals; (3) using a foreign platform to process data collected in Vietnam. Businesses must assess the impact of transferring this data across borders before doing so. This impact assessment is carried out once for the entire operation period of the organization or enterprise and is updated and supplemented according to regulations. According to the instructions for enterprises carrying out the assessment, the impact assessment report includes: (1) the legality, necessity, scope and method of the data transmission and of the data processing by the data recipient; (2) the risks that the transfer of data may cause to national defense, security, economic activities, external relations, social stability, public interest, or the legitimate rights and interests of individuals or organizations, and the risk of data being tampered with, destroyed, leaked, lost or used illegally; (3) the responsibilities and obligations, and the management and technical measures, of the data recipient; and other related issues.

    The Law on Personal Data Protection 2025 applies a more flexible "post-check" mechanism. Enterprises are free to transfer personal data abroad if they meet the following conditions: (1) prepare a Data Transfer Impact Assessment (DPIA), including the type of data, recipient country, protection measures, and risks; (2) submit the DPIA to the specialized authority within 60 days of the first transfer; (3) ensure that the transfer is suitable for the purpose agreed by the subject. The law removes the complicated "pre-inspection" mechanism, reduces the burden of procedures, but requires businesses to be responsible for compliance. Some cases are exempt from DPIA, such as transferring official data, storing employee data in the cloud, or individuals transferring data themselves.

    It can be seen that the Data Law 2024 strictly controls important/core data with a potential "pre-check" mechanism, reflecting national security priorities. The Personal Data Protection Law 2025 is more flexible with "post-inspection", focusing on individual rights and transparency. The common point is that both require ensuring national security and data subject rights, but the Personal Data Protection Law is more specific about the process (DPIA) and emphasizes the consent of the individual.

    3. Obligations of enterprises

    The Data Law 2024 sets the following obligations for businesses:

    • Data classification: Businesses must identify data as core, important, or routine to apply appropriate measures. Core/critical data is subject to strict restrictions when transferred abroad.
    • Risk assessment: The owner of core/critical data must periodically assess risks (cybersecurity, data breaches) and report to the cybersecurity agency of the Ministry of Public Security/Ministry of National Defense. The draft decree requires the submission of an impact assessment report for core/critical data.
    • Data security: Businesses must apply safeguards (encryption, firewalls, access management) throughout the data lifecycle. State secret data is required to be encrypted with Government Cipher Board cryptography when transferred abroad.
    • Respect for data subject rights: Personal data may only be traded with the consent of the subject, unless permitted by law. Businesses must have a data deletion/destruction process as required.

    The Law on Personal Data Protection 2025 requires businesses to fulfill the following obligations:

    • DPIA: Businesses must assess the impact before transferring personal data, retain the DPIA, and send the original within 60 days. The DPIA needs to be updated when there is a major change.
    • Comply with 6 principles: Legal, Purposeful, Accurate, Security, Harmony and Responsibility. This ensures that data is transferred only for the agreed purpose and is protected safely.
    • Technical security: Adopt encryption, anonymization, and data sterilization to control access and protect data. Digital platforms must make their privacy policies public and provide privacy options.
    • Cooperate with authorities: Provide DPIAs, report leaks, and stop data transfer if required by the agency.

    Both laws require businesses to proactively assess risk and secure data, but the Data Law emphasizes national security, focusing on critical/core data, with specific cipher encryption requirements. The Personal Data Protection Law focuses on individual rights, requires specific DPIAs, and adheres to the principle of privacy. Businesses that process personal data must meet both laws, ensuring data security and protecting privacy.

    4. Mechanism for inspection, supervision and handling of violations

    The Data Law 2024 assigns the Ministry of Public Security to supervise and approve:

    • Risk reporting: Enterprises transferring important/core data must send risk reports to cybersecurity agencies, helping the State grasp the flow of sensitive data.
    • Inspection and examination: The Ministry of Public Security has the right to inspect enterprises and to coordinate with the Ministry of National Defense and the Departments of Science and Technology of each locality in conducting inspection and examination activities. The guiding decrees have also stipulated the process of periodic inspection and reporting.
    • Emergency intervention: If a data transfer is detected that harms national security, the authorities can request to stop the transfer or revoke the data, based on the Law on Cybersecurity 2018.

    The Law on Personal Data Protection 2025 has a more specific monitoring mechanism:

    • Periodic inspection: The specialized agency inspects at least once per year[1], focusing on DPIA and protection measures.
    • Unexpected inspection: When there are signs of violation or leakage incidents, the agency can inspect immediately and request documents and contracts with the data recipient.
    • Stop data transfer: The agency has the right to request that the transfer be stopped if a national security risk is detected, with an expedited processing mechanism.
    • International cooperation: Specialized agencies act as focal points in coordinating with foreign countries to handle cross-border violations.

    The Personal Data Protection Law has a more proactive and transparent monitoring mechanism, with the right to periodic/irregular inspections and direct intervention. The Data Law relies on risk reporting and indirect inspection, pending a detailed decree. Both are intended to control the flow of data abroad, but the Personal Data Protection Law is more specific in terms of process and powers.

    For the handling of violations, the Data Law 2024 does not stipulate a specific fine, but emphasizes that violations related to important/core data can be strictly handled due to national security impacts. Currently, Decree 15/2020/ND-CP (amended and supplemented in 2022) applies a maximum fine of VND 100 million for information security violations[2]. It is expected that the new decree will increase the fine, especially for data service businesses (deposit requirements when conducting business activities). For serious violations such as the crime of revealing State secrets, criminal prosecution may be conducted.

    The Law on Personal Data Protection 2025 clearly stipulates:

    • Administrative fines: Violations involving the unauthorized transfer of personal data are fined up to 5% of the previous year's revenue or VND 3 billion (if the revenue is low or none). Other personal data violations are fined up to VND 3 billion; for illegal data trading in particular, the fine is up to 10 times the revenue.
    • Remedial measures: Suspension of data processing, revocation of licenses, deletion of unauthorized data.
    • Criminal liability: Serious violations such as large-scale data disclosure can be prosecuted under the Criminal Code[3].

    5. Consent of the data subject and technical requirements

    The Data Law 2024 indirectly requires consent when trading personal data, except where permitted by law (such as providing data to a state agency in an emergency). Subject rights are respected, but the law focuses on data ownership rights (businesses have the right to dispose of the data they own, as long as they do not violate the law).

    The Personal Data Protection Law 2025 considers consent a core principle. Businesses must therefore collect clear, voluntary consent before transferring personal data abroad, notifying the subject of the purpose and recipient. The subject can withdraw consent at any time, forcing the business to stop the transfer and delete the data if necessary. However, in some exceptional cases businesses do not need to collect the consent of the data subject, such as when acting on official requests, for emergency life protection, or for public data.

    The Personal Data Protection Law puts consent at the center, with the requirement of transparency and a clear mechanism for withdrawing consent. The Data Law deals with consent only indirectly, as it applies to personal data in transactions. Businesses need to build a consent collection and management mechanism to comply with both laws.

    Technically, the Data Law 2024 emphasizes data security:

    • Cipher encryption: State secret data must be encrypted using the encryption system of the Government Cipher Board when transferred abroad.
    • Security measures: Businesses choose encryption (AES, RSA), secure protocols (SSL/TLS), firewalls, or DLP to prevent data leakage. The law requires data protection throughout its lifecycle.
    • Technical regulations: The government will issue regulations for the National Data Center and data connection, which indirectly affects cross-border data transfers.

    Meanwhile, the Law on Personal Data Protection 2025 requires:

    • Security guidelines: Businesses must apply encryption, anonymization, access control, and standard security measures (HTTPS, antivirus software).
    • Privacy Policy: The digital platform must make the policy public, provide the option to "do not track" or refuse cookies.
    • Technological flexibility: No domestic technology is required, allowing the use of cloud services from abroad if security standards are met.

    The Data Law has specific requirements for confidential data (Government Cipher Board encryption) and lays the foundation for national standards. The Personal Data Protection Law is more flexible, encouraging practice in line with international norms, but requires transparency and a convenient mechanism for users. Both prioritize data security, but the Data Law is more specific to Vietnam than the Personal Data Protection Law.

    It can be seen that the Data Law 2024 and the Personal Data Protection Law 2025 together create a comprehensive legal framework for data governance activities in Vietnam in the coming time. The Data Law 2024 promotes data circulation for the digital economy but strictly controls important/core data to protect national security. The Personal Data Protection Law 2025 protects personal privacy, applying a flexible post-inspection mechanism but extremely strict sanctions. Together they move towards a legal environment that is both constructive and healthy, helping to develop the economy in cyberspace in Vietnam.



    [1] Clause 4, Article 20 of the Law on Personal Data Protection 2025.

    [2] Clause 4, Article 79 of Decree 15/2020/ND-CP

    [3] Can be prosecuted under Article 289 of the Criminal Code 2015 amending "Crime of illegally entering computer networks, telecommunications networks or electronic means of others"