On April 23, the National Cybersecurity Association (NCA) hosted a policy roundtable in Hanoi titled “Consultation on the Draft Law on Personal Data Protection.”

The forum provided an open policy dialogue between government regulators, businesses, and citizens, helping to refine the draft law before it is submitted to the National Assembly.

Legal foundation for data rights in the digital age

W-gop y luat bao ve du lieu ca nhan 5 1.jpg

Lieutenant Colonel Dao Duc Trieu, Deputy Secretary General of NCA, moderates the open discussion session. (Photo: C.H)

According to members of the drafting and editing committee, the proposed law is grounded in the 2013 Constitution and the 2022 Resolution No. 27 of the 13th Party Central Committee, which emphasizes “people-centered development” and links personal data protection to the broader goal of safeguarding human rights in the digital era.

Legally, the law aims to align domestic legislation with international commitments and ensure consistency across Vietnam’s legal system.

“The overarching goal is to establish a unified legal framework to strengthen domestic personal data protection, promote the digital economy, and safeguard national security and data sovereignty,” the drafting committee stated.

The Ministry of Public Security is expected to finalize the draft and submit it to the government for presentation at the 9th session of the 15th National Assembly in May 2025. If approved, the law would take effect in 2026.

Concerns about compliance and clarity

W-gop y luat bao ve du lieu ca nhan 0 1.jpg

Le Nguyen Thien Nga speaks on policy implications of the draft law. (Photo: C.H)

Speaking at the forum, Le Nguyen Thien Nga, Director of the Institute for Policy Governance and Development Strategy and lead researcher of the national data strategy workshop series, emphasized that the law will impact everyone operating in cyberspace.

From a policy oversight perspective, she highlighted several practical compliance challenges. For instance, Article 45 requires data processors to maintain and submit documentation on data processing impact assessments - potentially adding a significant compliance burden on organizations.

She also recommended amending Clause 3 of Article 47 to allow digital submissions via a national data protection portal, rather than requiring hard copies by mail or in-person delivery to the designated data protection authority.

Other concerns included Article 23, which obligates organizations to verify the age of children before processing their data - an impractical requirement, as it may involve collecting additional personal information. Article 26, which governs large-scale data processing, lacks clarity on permissible business activities and adds burdensome registration procedures for data processors.

Industry perspective: Definitions and technical clarity needed

W-gop y luat bao ve du lieu ca nhan 4 1.jpg
Bach Trong Duc of VNDS shares challenges in supporting businesses with compliance. (Photo: C.H)

W-gop y luat bao ve du lieu ca nhan 1 1.jpg
Lieutenant Colonel Nguyen Ba Son, Deputy Director of A05, delivers closing remarks. (Photo: C.H)

From the viewpoint of implementation, Bach Trong Duc, Head of Training and Compliance at Vietnam Data Security JSC (VNDS), pointed out that businesses face a host of challenges: understanding legal-technical intersections, adapting IT systems to fulfill individual data rights, and dealing with administrative hurdles.

He called for clearer legal definitions, particularly around the concept of “personal data anonymization,” which he argued is essential for transparency and practical enforcement.

VNDS proposed dividing anonymization into two levels:

True anonymization – where data is processed to the extent that even the most advanced technologies cannot re-identify the subject. This should be considered non-personal data.

Partial anonymization – where data alone does not identify a subject, but when combined with other data sets, re-identification is possible. This should still be classified as personal data due to the risk of re-identification.
This distinction, they argued, would help regulators and businesses understand legal obligations more accurately and apply appropriate safeguards depending on the data type.

Concluding the roundtable, Lieutenant Colonel Nguyen Ba Son, Deputy Director of A05 (Department of Cybersecurity and High-Tech Crime Prevention, Ministry of Public Security), welcomed the feedback and affirmed that all recommendations would be reviewed and considered in the drafting process.

He noted that the input from experts and business representatives was both specific and highly relevant, contributing significantly to refining the proposed Personal Data Protection Law.

Van Anh