Feedback on the Draft Decree on Science, Technology, Innovation, and Data-related Products and Services
In January 2025, the Ministry of Public Security issued the second draft of the Decree regulating scientific, technological, and innovation activities, as well as data-related products and services, for public consultation with businesses and experts. The new Decree is expected to be approved by the Government in July 2025. In this article, ALTAS Law Firm (“ALTAS”/“We”) presents key comments and suggestions regarding the Draft Decree.
Conditions for Entities Providing Data Intermediary, Analysis, and Aggregation Services
The second draft stipulates that organizations providing data intermediary, analysis, and aggregation services must meet the business entity requirement of being a “public service unit or enterprise” (Article 23.1 of the Draft Decree).
We believe that the use of the term “public service unit” in this context creates ambiguity. Currently, the concept of “public service units” is rarely used and lacks an official legal definition. It is unclear whether the drafting committee intends to refer specifically to “public administrative units.” If not, this terminology could create difficulties in determining business entities and might cause confusion with the concept of “public administrative units.”
We suggest replacing the term “public service unit” with “organization” for clarity and ease of implementation.
The Need to Clarify the “Data Breach Notification” Procedure with Defined Quantitative Criteria
3.1. Unclear Notification Requirements
According to Article 24.9 of the Draft Decree, organizations providing data intermediary services must notify affected individuals and entities as soon as possible if a data breach is likely to cause significant harm to individuals or has a large-scale impact.
We find several unclear aspects in this regulation:
- Timing of Notification: The phrase “as soon as possible” lacks a clear timeframe. A defined maximum period is necessary to ensure timely compliance and prevent intentional delays or cover-ups that could worsen consequences. Additionally, penalties should be introduced for failure to notify within the specified timeframe, along with exceptions for cases where immediate notification is not feasible.
- Definition of Affected Entities: The term “affected individuals and organizations” is vague. Does this include data service users, data owners, or other stakeholders? In the event of a large-scale data processing system breach, should the notification also be sent to regulatory authorities? The use of “affected” limits the scope of recipients, creating ambiguity and potential security loopholes.
Furthermore, the 2024 Data Law states that “Data controllers not covered under Clause 2 of this Article shall assess and identify risks, implement data protection measures, and promptly mitigate risks while notifying relevant data subjects, agencies, organizations, and individuals” (Article 25.3 of the 2024 Data Law). Here, the term “relevant” is used instead of “affected,” which may lead to inconsistent interpretation and application between the Law and the Draft Decree.
- Criteria for “Significant Harm”: The Draft Decree mandates notification only for breaches with a “significant impact” on individuals or a “large-scale” effect. However, these terms need clarification:
  - What defines “significant”? What criteria determine the scale of a breach?
  - Who has the authority to assess and decide the severity of a breach? If the violating entity self-assesses, there is a risk of subjective or non-transparent evaluation.
Under Decree 13/2023/ND-CP on Personal Data Protection, all data breaches require notification, regardless of their impact. The inconsistency between the Draft Decree and Decree 13 may lead to discrepancies in enforcement.
3.2. Recommendations
To ensure feasibility and effectiveness, the Draft Decree should include clear quantitative criteria for data breach notifications, aligning with existing regulations like Decree 13/2023/ND-CP.
Regulations on Data Processing Impact Assessments
The second draft does not explicitly require data processing impact assessments. However, it mandates compliance with related laws on cybersecurity, electronic transactions, data security standards, and regulatory approvals for data exchange platforms (Articles 31 and 35).
Notably, the responsibilities of data intermediary service providers do not mention compliance with relevant laws or the obligation to conduct impact assessments. We believe this requirement may have been unintentionally omitted and should be explicitly included.
Standards for Personal Data Protection
- The second draft requires data intermediary service providers to “ensure personal data transfer limitations abroad in compliance with legal regulations and maintain equivalent data protection standards” (Article 24.8).
- This requirement differs from Decree 13/2023/ND-CP, which only encourages organizations to adopt appropriate data protection standards.
- Decree 13 assigns the Ministry of Public Security the responsibility of establishing Personal Data Protection Standards (Article 32.2). However, no official document defining these standards has been issued.
- The Draft Decree mandates compliance with undefined standards, creating uncertainty for both businesses and regulators.
Recommendations
To ensure practical enforcement, a formal regulatory framework defining personal data protection standards should be issued before imposing compliance obligations.
Issues with Cross-referencing Legal Provisions
- The Draft Decree references related laws but lacks specific details, such as document numbers and issuing authorities.
- Inconsistent citation practices may lead to confusion and difficulty in implementation.
Recommendations
All referenced legal documents should be clearly listed with complete details to ensure transparency and legal consistency.
Approval of Data Analysis and Aggregation Services
- The Draft Decree does not clearly define which authority is responsible for approving data analysis and aggregation services.
- It applies uniform assessment criteria across all levels of data analysis, including AI-driven automation (Level 4), despite the higher risks associated with AI-based decision-making.
- Certain AI models evolve over time, necessitating periodic reassessments rather than one-time approvals.
Recommendations
- Establish specific review criteria based on the risk level of data processing activities.
- Implement periodic reassessments for AI-based models.
Licensing Requirements for Data Service Providers
- According to the Draft Decree’s Explanatory Statement, data intermediary services are considered a conditional business sector, requiring a business eligibility certificate before operation (Clause 2.3 of the Explanatory Statement).
- However, the Draft Decree outlines two scenarios:
  - Mandatory licensing: For intermediaries between data users and government agencies (Article 21.3).
  - Optional certification for incentives: Organizations may voluntarily seek Ministry of Public Security approval for benefits similar to those granted to high-tech enterprises (Article 21.4).
- The requirements for licensing and certification differ between the Explanatory Statement and the Draft Decree, leading to inconsistencies.
Recommendations
Clarify and align the licensing requirements to ensure transparency and ease of compliance.
Conclusion
The above feedback represents ALTAS’s key recommendations for the Draft Decree. We respectfully request that the relevant authorities consider these suggestions to refine the legal framework, ensuring effective implementation of data management and transaction regulations.
Should further clarification or additional information be required, please feel free to contact us for detailed guidance.
Written by: Luong Van Chuong - Partner Lawyer at ALTAS Law & Dang Thi Ngoc Lan - Legal Senior Assistant
Date: 17/03/2025