In September, the Vietnamese government issued the first draft of a new law on Personal Data Protection (PDPL) for public feedback. The draft law has more stringent provisions than the Personal Data Protection Decree and is potentially set to take effect from Jan. 1, 2026.

Developed by the Ministry of Public Security (MPS), it covers a wide range of areas, including marketing services, behavioural advertising, big data processing, AI, cloud computing, employee monitoring and recruitment, financial and credit data, healthcare, insurance, and more.

When adopted, the legislation is expected to impact substantially the way all entities do their business in Vietnam as well as the society as a whole, according to lawyers in Vietnam.

HOW WILL THE NEW LAW AFFECT CROSS-BORDER DATA TRANSFERS?

This draft legislation builds upon the existing Decree on Personal Data Protection (PDP Decree) and introduces several new requirements and concepts. As such, the draft law maintains many of the requirements for cross-border data transfers set out in the current PDP Decree.

One of the most significant requirements is the need for data transferors to prepare, retain, and file Transfer Impact Assessments (TIAs). The draft PDPL also notably broadens the definition of cross-border data transfers.

“One remarkable activity captured by the draft is the publication of personal data on cyberspace which allows individuals outside of Vietnam to receive it,” says Logan Leung, deputy managing partner at Rajah & Tann LCT Lawyers in Vietnam.

“This activity (which is broadly couched) could open an interpretation in which data that is merely uploaded on the internet and accessible in a country outside of Vietnam could be captured as a cross-border data transfer,” he adds.

Lawyers from Vision & Associates (V&A) in Vietnam believe these new legal requirements on cross-border data transfers could challenge the economy by obstructing ordinary business activities including routine correspondence.

“Such requirements impose a huge paperwork and cost burden and prevent domestic businesses from approaching and taking full advantage of advanced technologies and services in the global market as they may have difficulty accessing such services, reducing their international competitiveness, and further exposing them to data and cyber security risks,” say Vuong Son Ha, senior associate, and Tran Tu Anh and Nguyen Thai Ha, associates at the firm.

In addition, requirements for preparation and submission of the DPIA and the TIA was also introduced, adding more complexities to an already “time-spending and costly job for all entities”, say Vuong, Tran and Nguyen.

“With a larger coverage and obligations to update and supplement the DPIA and the TIA as additionally required by the draft, this approach would further drain the resources of businesses conducting international trade, while providing little improvement in data protection in general,” they add.

Additional requirements for cross-border data transfers include sharing personal data at international conferences, seminars, meetings, or discussions; providing personal data to other entities for business activities; and providing personal data to fulfil legal obligations abroad or according to host country laws.A

WHAT ROLE WILL THE DATA PROTECTION OFFICER PLAY?

The draft PDPL requires almost all data controllers and processors to establish a "personal data protection organisation." The organisation must include at least one Data Protection Officer (DPO) with specific qualifications, Alternatively, two DPOs can be appointed: one certified in technology and another in legal matters.

Recruiting and hiring additional staff, training new employees, and implementing necessary systems can be costly. As such, outsourcing data protection functions to a specialised service provider is seen by lawyers as a more viable option. “This could help businesses meet compliance requirements without the need for internal resources,” says Quang Minh Vu, associate at Tilleke & Gibbins in Ho Chi Minh City.

However, small and medium-sized enterprises (SMEs) and startups may be exempt from this requirement for the first two years after establishment. Leung believes this exemption could be “counterintuitive” because “it does not apply to those that directly engage in personal data processing activities.”

For companies that currently rely on data monetisation, the PDPL’s prohibition on personal data sales could prove a hurdle. But lawyers point out that data monetisation comes in many flavours and forms and is not necessarily restricted under the draft law.

As such, there are an array of legal strategies to adapt to this requirement that may include exploring alternative data monetisation methods beyond direct data sales, considering data anonymisation techniques to remove personal identifiers, and developing alternative licensing models for data usage, according to lawyers.

HOW CAN FIRMS BEST HELP CLIENTS PREPARE?

To prepare for the implementation of the PDPL, Quang believes businesses should act quickly to comply with the applicable requirements and the wait-and-see approach is “not appropriate anymore”.

Leung notes that it’s important to understand that in developing the draft PDPL, lawmakers were influenced by similar laws of other jurisdictions, including Europe’s GDPR, that may not necessarily fit in Vietnam’s domestic legal framework. “Vietnamese law firms – particularly those with a grasp of international best practices – therefore play a crucial role in bridging these gaps,” he says.

Apart from helping clients build cost-effective compliance strategies, V&A is also drafting proposals for amendments to the draft law’s key provisions as the lawyers feel that “the worst part of these documents negatively affecting the business is not harmonising the business demands to exploit the data with the needs for state management.”