The World Bank is asking Duane Morris on Vietnam’s digital development practice – here are our answers:


Q: Is there any law (including data protection/privacy law) of general application explicitly governing the use, collection, and processing of personal data (including sensitive data)?

A: No, there are only sector-specific personal data protection and/or privacy laws. There’s a draft decree concerning the personal data protection of the Ministry of Public Security in 2019 to codify all the provisions on relevant matters, but this decree has not been ratified

Q: Is there a law or regulation that prohibits network service providers from restricting data traffic on their network?

A: No

Q: Does any law or regulation prohibit security breaches and/or prohibits unauthorized access to and use of databases, information systems, and the related hardware?

A: Yes, there are sectoral regulations.

Q: Does any law or regulation criminalize the following activities?

  • Unauthorized access to systems or other databases holding personal data
  • Unauthorized interception of data from systems or other databases holding personal data
  • Misuse of devices or data for the purpose of committing any of the above criminal behavior

A: Yes, the Law on Cybersecurity 2018.

Q: Is there a law or regulation setting out cybersecurity requirements for public and private sector entities?

A: Yes

Q: Do data processors/controllers have to comply with the following cybersecurity requirements?

  • Adoption of an internal policy establishing procedures for preventing and detecting violations
  • Ensuring the confidentiality of data and systems that use or generate data
  • Appointment of a personal data processing office/manager
  • Performance of internal controls

A: Yes, the Law on Cybersecurity 2018.

Q: Do organizations collecting or processing personal data have to comply with the following security requirements?

A: No.

Q: Does any law, regulation or policy provide for the creation of a cyber-security strategy, infrastructure and institutions to identify, investigate, and address cyber-security threats?

A: No.

Q: Is the national CERT/CSIRT institutionalized (formally set up, mandated, staffed and resourced) and operational?

A: No.

Q: Is there a network of local/sectoral CERTs / cybersecurity focal points across public sector entities that monitor and report threats to the national CERT/CSIRT?

A: No

Q: Do any laws, regulations or policies place conditions on, or otherwise restrict, the transfer of data outside the country?

A: No

Q: Does the country have arrangements with foreign countries or multinational entities, or are there decisions of domestic and foreign bodies or agencies, to require, permit or limit transfers of personal data across borders?

A: No

Q: Has the DPA published any Binding Corporate Rules (BCRs) or model data transfer agreements to help facilitate compliance for cross-border data transfers?

A: No

Q: Is your country a member of any regional enforcement or coordination bodies that support regulatory interoperability for data regulation (e.g., ECOWAS, APEC CPBR, etc.)?

A: Yes. APEC.

Q: Is there a law or regulation that explicitly governs electronic transactions?

A: Yes, the Law on E-Transactions 2005.

Q: Does the law referred to above include provisions that grant legal (functional) equivalence between paper-based and electronic communications, contracts, signatures and records?

A: Yes. Electronic signatures (Articles 24 & 34 of the Law on E-transactions 2005)

Q: Does the law identified above recognize electronic signatures as legal in your country?

A: Yes (Chapter III of Law on E-transactions 2005)

Q: Are there any documents that cannot be legally accepted in electronic format and cannot be signed electronically?

A: Yes, property deeds and other contracts for the lease or sale of immoveable property.

Q: Are there entities authorized to issue digital certificates?

A: Yes. Both public and private entities.

Q: Have any licenses been issued for private Certification Authorities (Cas)?

A: Yes, for example digital certificates granted by Root Certification Authority.

Q: Have any certificates been issued for digital signatures (PKI)?

A: Yes (Artilcle 29 Law on E-Transactions 2005).

Q: Does the law or regulations prescribe a specific form or condition for electronic signatures?

A: Yes (Decree No. 130/2018/ND-CP on guidelines for the law on e-transactions of digital signatures and digital signature authentication.

Q: Is there a law or regulation that governs the creation and management of a government- recognized foundational digital ID system (ID enabling law)?

A: Yes, Law on Citizen ID 2014.

Q: Is there a data sharing protocol for the ID system that sets out standards to manage data sharing with third parties?

A: Yes, Chapter II, Decree 137/2015/ND-CP.

Q: Is there a national data classification policy or directive issued by the government? If yes, does the policy or directive prescribe the categories by which data is to be classified (e.g., public, restricted, strictly confidential)?

A: Yes. Law on Citizen ID 2014, Decision 714/QD-TTg dated 22 May 2015, Decision 06/QD-TTg dated 06 Jan 2022.

Yes, the relevant categories are Citizen identification database, residence database, civil status database and other specialized databases.

Q: Is it mandatory to use the common data classification categories across all government database applications or document management systems?

A: Yes. Article 10 Law on Citizen ID 2014.

Q: Is there a law/regulation that governs the (re)use of public sector data?

A: Yes, Law on Citizen ID 2014.

Q: Does this law or regulation require the private sector to share data with the public sector when the data has been collected or generated using public sector funding?

A: No.

Q: Are there special arrangements for administrative data sharing within the public sector (between NSO/institutions in the National Statistical System and other ministries)?

A: Yes, in Chapter II, Decree 137/2015/ND-CP.

Q: Is there a law or regulation that grants individuals the right to request access to government records or data (Access to Information/Right to Information/Freedom of Information Laws)?

A: Yes, Article 10.2 (b) Law on Citizen ID 2014.

Q: Does the law provide for limitations or exceptions to this right of requesting access to government records or data?

A: Yes, Article 10.2 (c) Law on Citizen ID 2014.

Q: Does the law provide for the creation of a centralized body to process Access to Information (ATI) requests?

A: Yes, Article 10.1 Law on Citizen ID 2014.

Q: Are the number of requests received published and publicly available on a citizen-facing government website?

A: No.

Q: Is there an Open Data Act or open data policy applicable across the entire public sector?

A: Yes, Decree No. 47/2020/ND-CP.

Q: Does the government publish datasets on a publicly available data portal/platform?

A: Yes, on National/centralized (one stop shop) website.

Q: If yes, are the data published on the platform in an open and reusable format?

A: Yes. The data are regularly maintained and updated with accompanying metadata.

Q: What are the features of the government operated data sharing platform?

A: They are based on an open source, proprietary solution and all government agencies are connected to the platform.

Q: Is there a National Interoperability Framework for the public sector?

A: Yes, Article 17 Law on Citizen ID 2014. The Interoperability Framework include mandatory provisions for legal interoperability, semantic interoperability and organizational interoperability.

Q: Are governmental/official entities mandated to use common technical standards (e.g. “FAIR” – Findable, Accessible, Interoperable, Re-usable.) that enable interoperability of systems, registries, data bases?

A: Yes. Article 9 Circular No. 10/2016/TT-BCA

Q: Are there technical standards that certain types of data (such as “high value datasets” or “public good” datasets) are required to follow to promote re-use?

A: No.

Q: Does any law or regulation mandate the portability of non-personal data?

A: No.

Q: Is there a legal regime that protects intellectual property rights (IPRs) for data-driven Products and services?

A: Yes, Article 14, IP Law 2005, as amended by IP Law 2009.

Q: Is there a law that gives government or industry bodies (e.g., national Standard Setting Organizations, or SSOs) the power to compel IPR holders to provide access to “essential” data or applications on FRAND6 [or similar standard] terms (e.g., data essential to competition)?’

A: no

Q: Have antitrust authorities initiated investigations relating to data access, e.g., under abuse of dominance infringements or market inquiries?

A: No

Q: Has the competition authority issued any decisions on anticompetitive practices or mergers involving data control (e.g., including remedies related to data access)?

A: No.

Q: Is there a law or regulation of general application for the development and use of Artificial Intelligence (AI) or Automated Decision-Making Systems (ADMS)?

A: NO.

Previous Review of duty-free access for ODOP products in trade agreements: Piyush Goyal
Next 'Narcos' director José Padilha is suing his production partner for millions