Contributing Opinions on the Draft Decree: Detailing Certain Provisions and Implementation Measures of the Data Law


In January 2025, the Draft Decree detailing certain provisions and implementation measures of the Data Law (hereinafter referred to as the “Draft Decree”) was drafted by the Ministry of Public Security and published on the Government’s electronic portal to collect public comments.
We, ALTAS Law Firm Limited Liability Company (hereinafter referred to as “ALTAS”/“We”), would like to provide our comments on several important issues to contribute to the refinement of the Draft Decree, ensuring its effectiveness in practical implementation.

 

 

REGULATIONS ON APPLICABLE SUBJECTS

1.1.
Clause 1, Article 2 of the Draft Decree currently stipulates that the subjects of application include:
  1. Vietnamese agencies, organizations, and individuals.
  2. Foreign agencies, organizations, and individuals in Vietnam.
  3. Foreign agencies, organizations, and individuals directly participating in or related to digital data activities in Vietnam.
According to ALTAS, the above clause aligns with the applicable subjects as defined in the Digital Data Law No. 60/2024/QH15, promulgated by the National Assembly on November 30, 2024, and effective from July 1, 2025 (hereinafter referred to as the “Data Law”).
1.2.
According to the 2015 Civil Code, an organization is recognized as a legal entity when it meets all conditions prescribed in Article 74 of the Code. Therefore, when a legal document states that applicable subjects include "Vietnamese agencies, organizations, and individuals," the term “organization” inherently includes legal entities. Thus, even if the term “legal entity” is not explicitly stated, the regulations still naturally apply to both commercial and non-commercial legal entities.
1.3.
Although the current wording is not legally incorrect, legal provisions should be universally clear and easy to understand to avoid multiple interpretations or misunderstandings in practical application. This is particularly crucial in the context of digital data regulation, a new field with broad implications for various entities, including domestic and international individuals and organizations, ranging from technology enterprises to government regulatory bodies.
1.4.
A clear and comprehensible provision ensures uniform and strict application, allowing individuals and organizations to fully understand their legal rights and obligations, thereby complying with regulations without difficulties in interpretation. In practice, many legal violations arise not from intentional misconduct but from ambiguous legal wording, leading to misinterpretation. A well-drafted regulation helps minimize unnecessary legal disputes and prevents different law enforcement agencies from interpreting and applying the law inconsistently, creating challenges for businesses and citizens in compliance.
1.5.
We suggest that the Drafting Committee consider refining the wording of Article 2 of the Draft Decree to be more specific and visually clear. Specifically, we suggest adding the term “Legal Entity” to the scope of application to avoid any misunderstanding regarding the subjects governed by the Draft Decree. Clarifying the applicable subjects will enhance the effectiveness of law enforcement, facilitate compliance for organizations, businesses, and individuals, and ensure consistency within the legal framework on digital data.

REGULATIONS ON DATA DISCLOSURE

2.1.
According to Point b, Clause 2, Article 10 of the Draft Decree, conditionally disclosed data includes:
2. Data disclosed with conditions include:
b) Data related to personal privacy and personal secrets may be disclosed only with the individual’s consent; family secret data may be disclosed only with the consent of family members.
This provision contains several unclear aspects, such as:
(i) The criteria for determining “family members,” and
(ii) The scope of consent required from family members when disclosing data related to family secrets.
2.2. Criteria for Determining "Family Members"
The term “family members” is currently referenced in the 2014 Law on Marriage and Family, which defines family members as:
“Family members include spouses; biological and adoptive parents; stepfather, stepmother; parents-in-law; biological, adoptive, and stepchildren; sons-in-law and daughters-in-law; full and half-siblings; brothers-in-law and sisters-in-law; grandparents; grandchildren; aunts, uncles, and cousins.” (Clause 16, Article 3 of the Law on Marriage and Family 2014)
Additionally, “family” is defined as:
“A family is a group of people connected by marriage, blood relations, or adoption, creating rights and obligations among them according to this Law.” (Clause 2, Article 3 of the Law on Marriage and Family 2014)
Thus, a family may include members beyond the listed categories.
For instance, in some practical cases, individuals with long-term close relationships but not legally recognized as family members might still be considered part of the family. This could include adopted children without formal legal recognition or individuals involved in caregiving relationships without legal kinship. Moreover, as society evolves, family structures have also changed, expanding the definition beyond the legally recognized list of family members.
Therefore, identifying “family members” should not only rely on legal listings but also consider the reality of familial relationships. This is crucial in implementing legal provisions concerning rights, obligations, and protective measures for individuals within a family.
2.3. Defining the Scope of Consent
Additionally, another critical question is whether unanimous consent from all family members is required or if a majority decision suffices. The absence of clear guidelines could lead to significant challenges in practical application, especially in disputes over family data disclosure, where different family members may have varying perspectives and interests.
2.4.
Without specific clarification, this regulation could cause conflicts among family members, prolong dispute resolution, and reduce the effectiveness of law enforcement. This could result in inconsistent disclosure of family data, affecting the privacy rights and legitimate interests of certain family members. Therefore, defining the scope and method of consent is essential for feasibility and transparency in application.
2.5. Recommended Amendments
To address this issue, we propose two possible amendments:
  • First, directly revise the provision in the Decree to clearly define the required consent ratio among family members. For example, the provision could be revised to:
“Family secret data may be disclosed with the consent of all family members or at least two-thirds of family members.”
This approach ensures transparency within the legal text, providing consistency in implementation.
  • Second, issue a Circular to guide the practical application of this provision. A guiding Circular could outline specific criteria for the required number of family members consenting in different cases, allowing flexibility while maintaining legal protection for all concerned parties.
Clarifying or providing guidance will help avoid varied interpretations by different authorities or individuals, ensure the rights of all family members, and make legal regulations more practical and enforceable. This not only enhances the efficiency of law enforcement but also helps protect personal privacy and legal interests within families.

REGULATIONS ON DATA TRANSFER ACTIVITIES

3.1. Alignment with the Civil Code 2015 on Property Rights
3.1.1.
According to the Data Law, data ownership rights are classified as property rights under civil law (Clause 15, Article 3 of the Data Law). This means data is legally recognized as an asset that can be bought, transferred, inherited, or mortgaged, similar to other assets under Vietnam’s civil law system.
3.1.2.
However, the Draft Decree currently uses the term “Data Transfer,” defined separately from ownership and usage rights. This approach may create inconsistencies with the existing civil law framework, as the 2015 Civil Code defines ownership rights as comprising possession, use, and disposition rights (Article 158 of the Civil Code). Therefore, under the Civil Code, when a subject is granted data ownership, they inherently have full rights to use and dispose of that data.
3.1.3.
Separating these concepts in the Draft Decree may lead to misunderstandings about the scope of rights, potentially causing legal disputes.
Intellectual Property Law:
  • Transfer: “Transfer” of intellectual property rights means that the owner allows another organization or individual to use their intellectual property for a specific period, without transferring ownership. The ownership remains with the transferor, and the transferee does not acquire ownership rights over the intellectual property (Article 41 of the Intellectual Property Law).
  • Assignment: “Assignment” of intellectual property rights refers to the transfer of full ownership of the intellectual property to another organization or individual. The assignee becomes the new owner of the intellectual property and has full rights to use, exploit, and reassign it if desired (Clause 1, Article 45, Article 138 of the Intellectual Property Law).
Technology Transfer Law:
  • Transfer: “Transfer” is used in the context of the right to use technology (Clause 7, Article 2 of the Technology Transfer Law).
  • Assignment: “Assignment” is used in the context of the right to own technology (Clause 7, Article 2 of the Technology Transfer Law).
Draft Decree on Data: Data transfer is the activity of transferring ownership rights or usage rights of data from the entity authorized to transfer the data to the receiving entity (Clause 8, Article 13 of the Draft Decree detailing certain provisions and implementation measures of the Data Law).
Specifically, the data recipient may exploit the data beyond the permitted scope, while the data transferor may assume that the right to use the data remains with them and attempt to restrict the recipient's usage rights. This ambiguity can create difficulties in contract enforcement and may even lead to prolonged legal disputes between the parties.
3.2. Comparison with the Intellectual Property Law and the Technology Transfer Law
3.2.1.
In the Draft Decree, “Data Transfer” is defined as “the activity of transferring ownership rights or usage rights of data from the entity authorized to transfer the data to the receiving entity.” However, to ensure consistency and alignment with the current legal framework, this provision should be examined in relation to other legal texts.
3.2.2.
It is evident that there is already consistency between the Intellectual Property Law and the Technology Transfer Law—both laws use the term “Assignment” for ownership rights and “Transfer” for usage rights. Therefore, any deviation from this established terminology in the Draft Decree would disrupt this consistency.
3.2.3.
Defining overlapping legal terms differently can cause misunderstandings in legal applications. Therefore, it is recommended that terminology interpretations be standardized across the entire legal system.

REGULATIONS ON DATA PROVISION TO GOVERNMENT AGENCIES

4.1.
The Draft Decree currently presents inconsistencies regarding the responsibility of organizations providing intermediary data products and services in supplying data to government agencies. There is a discrepancy between the Draft Decree and the Draft Decree on Science, Technology, Innovation, and Data Products and Services Activities (hereinafter referred to as the “Science and Technology Data Activities Draft Decree”).
4.2.
According to the Science and Technology Data Activities Draft Decree, organizations providing intermediary data products and services must demonstrate their responsibility in connecting, sharing, exchanging, accessing, and protecting data as required by law (Clause 1, Article 24 of the Science and Technology Data Activities Draft Decree). This provision establishes a clear legal obligation for intermediary data organizations to manage and provide data, implying a mandatory duty.
4.3.
However, the Draft Decree merely encourages organizations and individuals to provide data to government agencies (Clause 1, Article 8 of the Draft Decree detailing certain provisions and implementation measures of the Data Law). This could create overlaps and inconsistencies, as on one hand, the Science and Technology Data Activities Draft Decree establishes a clear obligation for intermediary data service providers to supply data, but on the other hand, the Draft Decree only encourages data provision for other organizations and individuals.
4.4.
To ensure consistency within the regulatory framework, we propose that the authorities review the relationship between the Draft Decree and the Science and Technology Data Activities Draft Decree to clarify whether intermediary data organizations have a mandatory duty or are merely encouraged to provide data to government agencies. If the duty is mandatory, the decree should explicitly define the conditions, scope, and mechanisms for protecting the rights of data-providing organizations.
4.5.
Clarifying the distinction between legal obligations and voluntary mechanisms will enhance the transparency of the Draft Decree, facilitate compliance for businesses and organizations, and protect the legitimate rights of all stakeholders involved.

REGULATIONS ON REPORTING MECHANISMS

5.1.
According to Clause 11, Article 18 of the Draft Decree, core data controllers must conduct an annual risk assessment regarding their core and critical data processing activities:
"11. Core data controllers and critical data controllers must conduct an annual risk assessment of their core and critical data processing activities. The risk assessment report must include:
a) Basic information about the core data controller, details about the data security department, and contact information of the person responsible for data protection;
b) Purpose, type, quantity, method, scope, storage duration, storage location of the data, data processing activities, and circumstances of data processing;
c) Data security management systems and their implementation, technical measures such as encryption, backups, labeling, access control, authentication protection, and other necessary measures and their effectiveness;
d) Identified data security risks, past data security incidents, and resolutions;
e) Risk assessment of critical data provided or entrusted for processing;
f) Other reporting contents as required by relevant authorities."
5.2.
While this provision mandates an annual risk assessment, it only outlines the report’s required contents and assigns self-reporting responsibility to data controllers. It does not specify whether these reports must be submitted to a government agency or, if so, by what deadline.
5.3.
To enhance clarity and consistency, we propose adding a provision specifying the receiving authority, such as the Ministry of Public Security, along with defining a specific reporting frequency, such as annually or biennially, depending on the risk level of the data being processed.
5.4.
This regulation could refer to Clause 9, Article 12 of the Draft Decree on cross-border core data processing reporting requirements, which states:
"9. Cross-border core data processors must conduct a risk self-assessment every six months, while cross-border critical data processors must conduct an annual risk self-assessment and submit the report to the Ministry of Public Security."
This means that cross-border core data processors must conduct biannual risk assessments, whereas cross-border critical data processors must conduct annual risk assessments and submit reports to the Ministry of Public Security.
5.5.
Adding a provision specifying the reporting authority and submission deadlines will ensure transparency, prevent self-evaluation without oversight, and facilitate regulatory agencies in monitoring and managing risks related to core and critical data.

REGULATIONS ON SANCTIONS

6.1.
According to Point (đ), Clause 3, Article 8 of the Draft Decree, when Party, State, or socio-political organizations request data from organizations or individuals in special cases, they are responsible for informing data controllers and data owners of the applicable sanctions in case of non-compliance:
"3. When requesting organizations or individuals to provide data in special cases, Party, State, and socio-political organizations must:

(đ) Notify data controllers and data owners of the sanctions applicable in case of non-compliance."
6.2.
This provision aims to ensure transparency and accountability in data collection and usage while emphasizing compliance obligations. However, certain issues need clarification to ensure strict legal applicability and feasibility in practice.
6.3.
First, the Draft Decree does not specify the types of sanctions or the legal basis for imposing them. This raises questions about consistency in handling non-compliance cases, since different agencies may interpret and apply sanctions inconsistently. Lack of detailed guidelines could lead to arbitrary enforcement or inconsistencies.
6.4.
Second, the decree should clarify who has the authority to impose sanctions. Can the requesting agency unilaterally impose sanctions, or must it follow a defined legal procedure? If not clearly defined, legal disputes may arise between the data owner and the requesting agency.
6.5.
To ensure transparency, fairness, and feasibility, the Draft Decree should include a list of applicable sanctions, legal bases, and enforcement authorities. Additionally, oversight mechanisms should be established to prevent abuses of power and protect the legitimate rights of organizations and individuals.

CONSISTENCY OF THE DRAFT DECREE

7.1.
According to Point (c), Clause 1, Article 10 of the Draft Decree:
"Data disclosure may cause harm to the interests of the Party, the State, national interests, foreign relations; social ethics, public health; and may endanger the life, health, rights, and legitimate interests of organizations and individuals."
7.2.
To ensure consistency with Clause 3, Article 4 of the Draft Decree and to enhance the legal precision of the provisions, ALTAS proposes amending this clause as follows:
"Data disclosure may cause harm to the interests of the Party, the State, national interests, foreign relations; social ethics, public health; and may endanger the life, health, dignity, honor, property, and legitimate interests of agencies, organizations, and individuals."
The above constitutes ALTAS’s full contribution regarding the Draft Decree. We kindly request the competent authorities to review and consider the points outlined above. We hope that these suggestions will contribute to refining the legal framework, facilitating the effective implementation of data governance and transactions.
If any aspects require clarification or additional information, please feel free to contact us for further guidance and discussion.

Written: Luong Van Chuong - Partner Lawyer at ALTAS Law & Tran Anh Hoang - Legal Senior Assistant
Date: 10/03/2025