Follow us on Facebook → fresh APAC stories, daily

Tech & AI

Vietnam’s new data law bans exports, defying its own trade deal

The Ministry of Public Security's proposed Law on Data Security would require prior approval for transfers of 'important' data and ban 'core' data exports entirely, stacking atop three existing regulations with no deconfliction mechanism specified.

Vietnam’s Ministry of Justice released an assessment on July 13, 2026 for a proposed Law on Data Security that would ban the export of “core” data and require Ministry of Public Security approval for “important” data transfers. The draft law, set for an October National Assembly vote, becomes the fourth statutory layer in Vietnam’s data governance framework.

The hard ban and prior-approval mechanism stack atop existing laws that already mandate cross-border impact assessments. No deconfliction mechanism between the overlapping regulations has been specified, leaving foreign companies facing duplicative compliance burdens and potential penalties reaching 5% of Vietnamese revenue.

The trade agreement says one thing. The police ministry drafting Vietnam’s newest data law says another. And the gap between them is where Western companies operating in one of Asia’s fastest-growing economies now have to place their compliance budgets, their infrastructure decisions, and their assumptions about where their data can safely sit.

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership — the CPTPP — prohibits data localization. Vietnam signed it. The proposed Law on Data Security, assessed by the Ministry of Justice on July 13, would ban the export of “core” data outright and require Ministry of Public Security sign-off before “important” data leaves the country. The National Assembly votes in October. The contradiction is not a drafting oversight. It is the design.

The security stack gets a fourth layer

The draft law does not arrive into a regulatory vacuum. It lands on top of three existing statutes: the Law on Data, effective July 1, 2025; the Personal Data Protection Law, effective January 1, 2026; and the Cybersecurity Law 2025, effective July 1, 2026. Each already demands some form of data localization, impact assessment, or government notification. The new proposal adds an absolute prohibition and a gatekeeper approval that none of the others contain.

Under the existing regime, companies must file Cross-Border Transfer Impact Assessments within 60 days of a first transfer. The Ministry of Public Security’s A05 department reviews them in 15 days. The department has already confirmed that routine transfers — personnel records sent to an overseas parent company — qualify as cross-border transfers requiring assessment. The new law would layer a separate approval process on top of that, for any dataset classified as “important.”

The definitions matter because the thresholds are specific. Under the existing Law on Data (effective July 1, 2025), “important” non-governmental data includes basic citizen data on 100,000 or more Vietnamese citizens, sensitive citizen data on 10,000 or more, and bank account or payment histories of 10,000 or more enterprises. “Core” data covers state-linked and critical infrastructure information. The proposed law offers no exceptions for core data exports. None.

According to the Ministry of Public Security’s June 26, 2026 Penal Code policy dossier, the ministry proposes adding ten new criminal offenses to the Penal Code, including standalone crimes for personal data infringement, illegal data trading, and obstructing data protection activities. The ministry argues current law cannot adequately capture deepfakes, crypto-based money laundering, and social-media data manipulation. The new offenses would sit atop existing administrative fines that can reach 5% of prior-year Vietnamese revenue for unauthorized transfers.

Vietnam’s proposed data law versus existing obligations
CountryCurrent ruleNew rule (proposed)Effective date
VietnamCross-Border Transfer Impact Assessments required for personal data; MPS reviews in 15 daysPrior MPS approval for “important” data transfers; absolute ban on “core” data exportsOctober 2026 (if passed)
VietnamAdministrative fines up to 5% of prior-year revenue for unauthorized transfersNew criminal offenses for data infringement, illegal trading, and obstructing protection activitiesPending Penal Code amendment
VietnamData transfers to overseas parent companies for personnel management qualify as cross-border transfersSame transfers may require additional MPS approval if data meets “important” thresholdsOctober 2026 (if passed)

The US Chamber of Commerce, AmCham Hanoi, and the Asia Internet Coalition jointly wrote to Vietnam’s Prime Minister arguing the regulations would significantly affect investment. Jared Ragland, Asia-Pacific policy senior director at BSA, told Nikkei Asia that data localization puts companies at a competitive disadvantage. He added that companies will shift to other regional markets with more welcoming policies. Japan’s Ministry of Economy, Trade and Industry has noted the CPTPP prohibits data localization and is monitoring the consistency of Vietnam’s laws with its trade obligations.

The enforcement track record gives those warnings weight. In May 2025, Vietnam blocked Telegram nationwide for failing data-sharing requests, affecting a market of approximately 79.8 million internet users. The Information Technology and Innovation Foundation described the move as “complete market exclusion” for noncompliant platforms. The signal to foreign firms is unambiguous: noncompliance can mean losing the market entirely.

A model built on security, not privacy

Vietnam’s data regime concentrates drafting, approval, infrastructure operation, and criminal enforcement inside a single institution — the Ministry of Public Security. The same agency that writes the laws runs the servers that store the data and prosecutes the companies that violate the rules. This differs fundamentally from the EU’s General Data Protection Regulation, where independent data protection authorities are constitutionally insulated from government and balance fundamental rights with business needs.

That concentration is deliberate. A 100-working-day digital transformation plan running from July 10 to November 30, 2026 requires agencies across Vietnam’s political system to clean, standardize, connect, and exploit data as part of a broader digitization initiative, with critical systems undergoing independent security testing and maintaining contingency, backup, and recovery plans before full operation. Central Party directives mandate connecting specialized databases to a planned National Data Center, embedding data sovereignty and cybersecurity requirements from the design stage. The Central Steering Committee on Science, Technology, Innovation and Digital Transformation has framed data as a strategic resource, insisting that “absolutely no national or citizen data be leaked, traded, or exploited illegally.”

The Personal Data Protection Law already permits the Ministry of Public Security and other state agencies to process personal data without consent for national security, social order, and safety purposes. It also allows state agencies to use personal data for analysis and synthesis to serve leadership and state management. These are not loopholes. They are the operating system.

China’s Data Security Law and Personal Information Protection Law employ a similar four-tier classification model, restrict cross-border transfers of “important” data through a security assessment mechanism, and vest approval authority in state security apparatus rather than an independent privacy regulator. Vietnam’s deliberate choice of this model over the GDPR’s independent-authority approach reflects a broader regional trend toward security-centric data governance.

Draft assessors have flagged the risk of regulatory overlap and called for harmonization. No deconfliction mechanism has been specified. The compliance burden falls on technology companies, cloud providers, e-commerce platforms, financial institutions, and any platform with over 100,000 monthly active users. Whether the CPTPP’s dispute mechanisms get triggered may depend on how Japan and other partners read the October vote. For now, the gap between the trade text and the police ministry’s draft remains unresolved — and entirely intentional.

Beyond the headline

The power behind it

Vietnam’s data regime ultimately answers to the Ministry of Public Security, which drafts the laws, runs the infrastructure, approves cross-border transfers, and now proposes new criminal offenses. That concentration means decisions about what counts as “core” or “important” data are political-security judgments, not technocratic regulatory rulings. Foreign firms expecting GDPR-style oversight from an independent authority will find a different system entirely — one where the same institution writes the rules, enforces them, and decides which transfers threaten national security.

The bigger picture

The proposed Law on Data Security is less an isolated bill than the culmination of Vietnam’s shift to treating data as a strategic security resource, interwoven with digital-transformation and cultural-sovereignty agendas. Rather than harmonizing overlapping statutes for business clarity, the trend is toward a dense, security-tiered stack that gives authorities multiple levers to constrain data movement. This reflects broader regional currents on data sovereignty but with unusually strong police control at the center.

The reach

Vietnam’s fused security-and-data model could become a template for other politically centralized systems seeking to combine AI-driven analytics with tight information control. If that happens, multi-region cloud architectures built around free data movement may face a patchwork of security-gatekeeper approvals, forcing providers to redesign offerings around national silos rather than global platforms. The October vote is a Vietnamese legislative event. Its implications travel much further.

The compliance window is closing

With the National Assembly vote expected in October 2026, Western companies operating in Vietnam face a narrow window to assess their exposure and restructure data flows before the new requirements take effect.

  • Western Tech Company Operating in Vietnam

    Map every dataset that could meet the “important” threshold — 100,000 or more citizen records, 10,000 or more sensitive records, 10,000 or more enterprise payment histories. Segregate Vietnam-origin data from global flows now. Engage Vietnamese counsel to interpret classification thresholds before restructuring cloud or analytics workflows. The 60-day CBTIA filing clock under existing law is already running; the new law will add a separate approval layer on top.

  • Western Investor with Vietnam Market Exposure

    Re-evaluate portfolio companies’ data exposure. Any firm routing Vietnamese user data through Singapore, US, or EU servers faces potential fines reaching 5% of prior-year Vietnamese revenue and, in the worst case, market exclusion. The Telegram precedent from May 2025 shows the government will block noncompliant platforms entirely. Factor compliance costs and infrastructure restructuring into valuation models before the October vote.

  • Global Cloud Service Provider with Vietnam Clients

    Analyze the feasibility and cost of in-country hosting. The proposed ban on core data exports and prior-approval requirement for important data may force data localization that undermines multi-region service models. Prepare for service redesigns that isolate Vietnamese data into national silos. The 100-working-day government data plan running through November 30, 2026 signals that onshore infrastructure standards will tighten in parallel.

  • Western Trade Policy Analyst for CPTPP Nations

    Monitor the National Assembly’s October agenda — expected in late September — for whether the Law on Data Security is scheduled with expedited procedures. If Japan or other CPTPP partners issue formal demarches or consultation requests in the coming quarter, it signals growing diplomatic pressure. If concerns remain confined to quiet diplomacy, expect Vietnam to keep its security-centric approach while offering only technical clarifications.

FAQ

How does Vietnam define and enforce illegal personal data trading?

The Ministry of Public Security’s June 26, 2026 Penal Code policy dossier proposes new offenses for personal data infringement, illegal buying or selling of personal data, and obstructing data protection activities. These would criminalize behaviors currently handled under broader fraud or cybercrime provisions, allowing prosecutors to target data brokerage, unauthorized sale of customer lists, and interference with compliance programs directly.

What security exceptions exist under the Personal Data Protection Law?

The Personal Data Protection Law, effective January 1, 2026, allows the Ministry of Public Security and other state bodies to process personal data without consent where national security, social order, or safety are involved. It also permits state agencies to use personal data for analysis and synthesis to serve leadership and state management, creating broad carve-outs that businesses must factor into privacy notices, internal governance, and risk assessments.

What does the national data-governance campaign require from systems?

A 100-working-day plan from July 10 to November 30, 2026 requires agencies across Vietnam’s political system to clean, standardize, connect, and exploit data, with critical systems needing defined security levels, independent testing, contingency plans, backups, and recovery procedures before full operation. Enterprises connected to government platforms or handling state-linked data will face stricter scrutiny of their security architecture and incident-response capabilities.

Explainer

CPTPP
The Comprehensive and Progressive Agreement for Trans-Pacific Partnership is a trade pact among eleven Pacific-rim nations, including Japan, Australia, Canada, and Vietnam. Its e-commerce chapter explicitly prohibits data localization requirements that force companies to store data within a member country’s borders. Vietnam’s proposed data export ban creates a direct tension with these obligations, and Japan’s trade ministry is already monitoring the consistency of Vietnamese law with the agreement.
Ministry of Public Security
Vietnam’s interior security and policing ministry, which also serves as the lead data and cybersecurity regulator. Unlike independent data protection authorities in the EU, MPS drafts data laws, operates critical digital infrastructure, approves cross-border data transfers, and enforces criminal sanctions. Its A05 department specifically reviews cross-border transfer impact assessments filed by companies under existing law.
Cross-Border Transfer Impact Assessment
A mandatory filing required under Vietnam’s Personal Data Protection Law before companies transfer personal data outside the country. Companies must submit the assessment within 60 days of the first transfer, and the Ministry of Public Security has 15 days to review it. The proposed Law on Data Security would add a separate, prior-approval requirement on top of this existing process for datasets classified as important.

Covered in this article: Southeast Asia East Asia Japan Singapore Vietnam

Indoneo APAC Desk

The editorial operation behind Indoneo's breaking news and developing story coverage. The APAC Desk monitors primary sources across 75 countries and territories — governments, regulators, research institutions — and publishes verified updates as events develop.