Welcome to the AI & data matrix – Vietnam reloaded

Artificial intelligence (AI) and data governance have rapidly become central issues worldwide, with governments introducing new frameworks to balance innovation, security, sovereignty and individual rights.
In Asia, several countries, including Singapore, China, and Japan, have established comprehensive strategies to regulate AI and strengthen data protection, setting benchmarks for this digital transformation. Against this backdrop, Vietnam is introducing rules to regulate both AI and the use of personal data.
Vietnam’s Digital Governance Architecture: Three Pillars
Vietnam’s National Assembly has established a three‑pillar legal architecture to regulate data, personal information, and artificial intelligence. Each law builds upon the other, creating a layered framework that balances innovation with accountability.
Foundational Layer – Law on Data (Law No. 60/2024/QH15)
Effective from July 2025, the Law on Data provides the broadest framework for digital governance. It regulates the collection, storage, transfer, and management of both personal and non‑personal data. Companies and private organizations must ensure lawful processing, contribute accurate information to the National General Database, and avoid creating barriers to data portability. The law also embeds obligations around environmental responsibility and ethical use of data, positioning data governance as a cornerstone of Vietnam’s digital economy.
This law provides the foundational layer of Vietnam’s governance system, setting the stage for more specialized regulations on personal data and AI.
Specialized Layer – Personal Data Protection Law (PDPL – Law No. 91/2025/QH15)
Adopted in June 2025 and effective from January 2026, the PDPL replaces Decree No. 13/2023/ND‑CP and introduces a comprehensive framework for safeguarding personal data.
The PDPL narrows the focus to personal data rights and protections. It requires explicit, informed consent for data processing, imposes strict safeguards for sensitive categories (biometrics, health, financial records), and mandates Data Protection Impact Assessments (DPIAs) for all personal data processing activities. Organizations must designate compliance officers, maintain transparency, and adhere to sector‑specific rules in finance, healthcare, and telecommunications.
The PDPL also extends extraterritorial reach, requiring foreign companies handling Vietnamese citizens’ data to comply.
Advanced Layer – Law on Digital Technology Industry (DTI Law – Law No. 71/2025/QH15)
Also effective from January 2026, the DTI Law represents Vietnam’s first AI‑specific regulatory framework.
It adopts a broad definition of AI systems (Art. 3(9)), covering any machine‑based system that generates predictions, content, recommendations, or decisions. Companies deploying AI must comply with cybersecurity and data protection laws (Art. 10), ensure transparency in AI‑driven processes, and avoid prohibited acts such as misuse of AI to infringe on national security, human rights, or social ethics. The law also introduces obligations around controlled testing, environmental sustainability, and contributions to national digital technology databases.
This layered approach ensures that Vietnam’s digital transformation is governed at every level—from general data management, to personal data protection, to advanced AI oversight. It positions Vietnam as a regional leader in building a trusted, secure, and innovation‑friendly digital economy.
In addition to the three pillars outlined above, Vietnam has established a complementary legal framework to safeguard its digital environment. Law No. 24/2018/QH14 on Cybersecurity sets out a comprehensive “security frame” designed to protect critical information systems, user data, and the integrity of Vietnam’s cyberspace. It empowers the State to regulate online content, ensuring national security and mitigating risks of cyber‑attacks. Meanwhile, Law No. 86/2015/QH13 on Cyber Information Security provides the technical standards and specifications necessary to implement robust cyber information safeguards. Recognizing the overlap between these two regimes, the legislature has announced that they will be consolidated into a single, unified law, thereby streamlining Vietnam’s approach to cybersecurity and information protection.
AI and Data Processing Definitions under Vietnam’s PDPL and DTI Law
Broad Definition of AI
The DTI Law adopts a deliberately expansive definition of artificial intelligence. Its Article 3(9) covers any machine‑based system that generates predictions, content, recommendations, or decisions. This formulation is not limited to advanced machine learning or neural networks; it also captures:
- Traditional statistical models used for forecasting or risk assessment.
- Non‑ML data analysis tools, such as rule‑based systems or regression models.
- Algorithmic computation that produces automated outputs.
- Decision‑support and automated decision‑making systems, even if relatively simple.
The breadth of this definition means that any automated system deployed in Vietnam, from HR recruitment algorithms to financial risk scoring tools, falls within the regulatory perimeter. This ensures that oversight is not confined to “cutting‑edge AI” but extends to the full spectrum of automated technologies influencing human or organizational decisions.
Wide Scope of Personal Data Processing
The PDPL complements this by adopting an equally wide formulation of “personal data processing.” Article 2(6) defines processing as any activity impacting personal data, explicitly listing:
- Collection, analysis, and summary.
- Encryption and decryption.
- Modification, deletion, destruction, and de‑identification.
- Provision, disclosure, and transfer.
- Other activities impacting personal data (a catch‑all clause ensuring no loopholes).
This definition is intentionally comprehensive, covering the entire lifecycle of data—from initial acquisition to final disposal. It also extends to both manual and automated operations, meaning that even routine administrative handling of personal data is subject to PDPL obligations.
Special Safeguards for Emerging Technologies
Article 30 of the PDPL introduces a technology‑specific safeguard, recognizing that environments such as big data, AI, blockchain, virtual space, and cloud computing pose heightened risks. It requires that personal data in these contexts be:
- Processed properly within a scope of necessity, limiting data use to what is strictly required for the stated purpose.
- Handled in a way that ensures the legitimate rights and benefits of data subjects – embedding fairness, transparency, and accountability into digital ecosystems.
This provision effectively creates a principle of proportionality: organizations must demonstrate that their use of advanced technologies does not exceed what is necessary, and that individuals’ rights remain protected even in complex, decentralized, or opaque systems.
Obligations for companies and organisations
Under the Law on Data
The Law on Data establishes a comprehensive framework for the management, protection, and use of digital data in Vietnam. It applies broadly to state agencies, private enterprises, and foreign‑invested organizations engaged in data activities.
Anticipating the PDPL, organizations must ensure that data collection and processing activities are lawful, transparent, and limited to the scope of necessity. They are required to respect the rights of data subjects, including the right to be informed, the right to access, and the right to request correction or deletion of inaccurate data.
Companies must adopt technical and organizational measures to safeguard data against unauthorized access, loss, or misuse. This includes secure storage systems, encryption, and regular audits to ensure compliance with cybersecurity standards.
Under the DTI Law
Under the DTI Law, private organizations face a series of structured obligations designed to ensure accountability, transparency, and trust in Vietnam’s digital economy.
First, companies must comply with the state’s management regulations governing the digital technology industry. This includes adherence to technical standards, regulatory requirements, and quality norms for all digital technology products and services. Beyond compliance with standards, firms are also required to guarantee cyber safety and security in their operations, aligning their practices with Vietnam’s broader laws on cybersecurity, data protection, and personal data management.
The law also provides a framework for controlled testing of digital technology products and services. Organizations may conduct such testing to innovate and validate new solutions, but only within the boundaries of the DTI Law and related legislation on science, technology, and innovation. While liability exemptions are granted during controlled testing, these protections are conditional—fraudulent use of the mechanism or attempts to exploit exemptions unlawfully are strictly prohibited.
In addition, the DTI Law imposes significant data obligations on enterprises. Companies must not create commercial or technical barriers that prevent clients from storing or transferring their digital data. They are encouraged to self‑assess and publicly announce the quality of their digital data before releasing products to the market, thereby promoting transparency and consumer confidence. Furthermore, organizations are required to provide, collect, and update information into the national digital technology industry database accurately and promptly, ensuring that regulators and stakeholders have reliable data to support oversight and policy development.
Under the PDPL
Under the PDPL, organizations face a comprehensive set of obligations designed to safeguard individual rights and ensure responsible data governance.
At the heart of these requirements lies the principle of user consent. Companies must obtain clear, informed, and explicit consent before collecting or processing personal data. Consent must be tied to a specific purpose, properly documented, and revocable at any time. When dealing with sensitive categories of information—such as biometric identifiers, health records, or financial data—the law imposes an even higher threshold, requiring enhanced disclosure and stronger safeguards to protect individuals.
Beyond consent, the PDPL establishes strict rules for data protection. Firms are required to implement both technical and organizational measures to secure personal information. This includes encryption, secure servers, access controls, and audit trails. Special emphasis is placed on sensitive data, with mandatory risk assessments and confidentiality protocols for systems that rely on artificial intelligence. These measures are intended to prevent unauthorized access, misuse, or breaches that could undermine public trust.
To ensure accountability, organizations must also fulfil specific responsibilities. They are required to designate Data Protection Officers (DPOs) tasked with overseeing adherence to the law.
Companies must maintain compliance records, conduct regular internal audits, and ensure transparency in how data is collected, processed, and shared. Public disclosure of data handling practices, through privacy notices and reporting, is a key element of this accountability framework.
The PDPL further recognizes that certain industries handle data of heightened sensitivity and therefore imposes sector‑specific rules. In finance, stricter requirements apply to customer profiling, credit scoring, and cross‑border transfers. In healthcare, enhanced safeguards are mandated for medical records, genetic data, and patient confidentiality. In telecommunications, obligations extend to metadata, geolocation, and surveillance risks. These tailored rules reflect the government’s recognition that misuse in these areas could have systemic or life‑critical consequences.
Companies that fail to meet PDPL requirements may face administrative fines, suspension of operations, or even revocation of business licenses. Beyond legal penalties, reputational damage is a serious risk, particularly in industries where consumer trust is paramount. While the PDPL narrows the extraterritorial scope compared to earlier rules, foreign companies processing the personal data of Vietnamese citizens must still comply. This includes cloud providers, multinational corporations, and offshore service centres handling HR or customer data.
Recommended Best Practices for Companies
- Conduct Comprehensive Data Audits
  - Map out all categories of data collected (personal and non‑personal).
  - Identify where data is stored, how it flows across systems, and who has access.
  - Classify data according to sensitivity to align with PDPL and Law on Data requirements.
  - Regularly update records to ensure compliance with obligations to contribute accurate information to national databases.
- Strengthen Consent and Transparency Mechanisms
  - Ensure user agreements are clear, accessible, and purpose‑specific, meeting PDPL standards for explicit consent.
  - Provide mechanisms for users to withdraw consent easily.
  - For sensitive data, implement enhanced disclosure and safeguards.
  - Publish transparent privacy notices and data handling policies to meet accountability obligations under both PDPL and Law on Data.
- Establish a Compliance Infrastructure
  - Appoint Data Protection Officers (DPOs) or compliance managers to oversee adherence.
  - Establish monitoring systems, audit trails, and incident response protocols.
  - Train staff regularly on data protection, cybersecurity, and AI ethics.
  - Integrate compliance with environmental obligations under the DTI Law (e.g., sustainable disposal of digital products).
- Prepare for AI Oversight and Governance
  - Document AI models, algorithms, and decision‑making processes in line with DTI Law requirements.
  - Conduct AI risk assessments and Data Protection Impact Assessments (DPIAs) for automated decision‑making systems.
  - Ensure AI systems comply with cybersecurity and data protection laws, and avoid prohibited uses (e.g., misuse of biometric recognition).
- Engage Regulators
  - Maintain proactive dialogue with regulators to clarify obligations and reduce compliance risks.
  - Ensure timely submissions of DPIAs.
  - Ensure compliance with PDPL’s extraterritorial provisions.
Toward a Fourth Pillar: the draft law on AI
While Vietnam’s digital governance architecture is currently anchored in the Law on Data, the PDPL, and the DTI Law, a forthcoming Artificial Intelligence Bill is beginning to take shape. Still in draft form, this proposed legislation reflects Vietnam’s intent to align with global trends in regulating high-risk AI systems.
The draft AI Bill introduces a principle of compliance, requiring all AI systems to adhere to existing data protection laws. It also identifies unacceptable risk categories, notably:
- The use of real-time remote biometric recognition in public spaces.
- The creation or exploitation of large-scale facial recognition databases through untargeted image collection from the internet or surveillance cameras.
Although detailed provisions are still pending, the draft highlights several regulatory gaps that future decrees and technical guidelines are expected to address, including:
- Algorithmic control and auditability;
- Transparency in AI decision-making;
- Legal liability of autonomous systems; and
- Access rights to training datasets.
This emerging legislation signals Vietnam’s ambition to move beyond foundational data and AI governance toward a risk-based, principle-driven AI regulatory framework, echoing developments in the EU, Singapore, and other jurisdictions.
Together, these four components (Data Law, PDPL, DTI Law, and the Law on AI in development) will form a progressively layered and responsive legal ecosystem, positioning Vietnam as a proactive regulator in the age of digital transformation.
Disclaimer: This newsletter and its content are for informational purposes only and do not constitute legal advice. Readers should seek legal or professional advice before taking or refraining from any action.


