The Framework

Vietnam’s data governance regime creates overlapping compliance requirements through multiple laws and decrees. The Personal Data Protection Decree (PDPD) No. 13/2023/ND-CP, effective July 1, 2023, requires entities transferring Vietnamese citizens’ personal data abroad to prepare and submit cross-border transfer impact assessments (TIAs) to the Ministry of Public Security within 60 days of processing, applying even to companies processing Vietnamese data on overseas servers.[1] The Law on Data (Law No. 60/2024/QH15), passed November 30, 2024 and effective July 1, 2025, expands regulation beyond personal data to all digital data, introducing “important data” and “core data” categories that face restrictions for cross-border transfers based on national defense and security considerations, with administrators required to conduct periodic risk assessments.^[2] Draft implementation decrees from January 2025 provide broad criteria for data classification, though final regulations remain pending.^[3] The Personal Data Protection Law (Law No. 91/2025/QH15), passed June 26, 2025 and effective January 1, 2026, introduces revenue-based penalties—up to 5 percent of annual revenue for cross-border transfer violations and 10 times illegal gains for data trading—while maintaining existing PDPD requirements with some exemptions for small enterprises.^[4] Vietnam demonstrated its willingness to enforce by ordering Telegram blocked in May 2025 for noncompliance with data sharing requests, with telecommunications providers required to implement the ban by June 2, 2025.^[5]

Implications for U.S. Technology Companies

Vietnam’s expanding data regulation framework systematically disadvantages U.S. technology companies through escalating compliance costs and operational constraints. The evolution from the PDPD’s transfer assessments to the Data Law’s broad digital data classifications and finally to revenue-based penalties under the Personal Data Protection Law forces American platforms to restructure global architectures and dedicate substantial resources to regulatory compliance.^[6] Large U.S. platforms face particular burdens given their scale—companies must now navigate multiple assessment requirements, potentially establish local data infrastructure, and risk penalties of up to 5 percent of annual revenue for transfer violations, fundamentally undermining the economies of scale that enable their competitive advantages.^[7] The May 2025 Telegram blocking demonstrates that non-compliance results in complete market exclusion, forcing U.S. companies to choose between accepting Vietnamese authorities’ data access demands or forfeiting access to a market of 79.8 million internet users.^[8]

These regulatory burdens create structural disadvantages that weaken U.S. companies’ competitive position in Southeast Asia’s fastest-growing digital market. While U.S. firms divert resources to compliance infrastructure and legal reviews, competitors operating primarily within Asia face fewer cross-border complexities and can focus resources on market expansion and innovation. The fragmented compliance landscape—with personal data under the PDPD, all digital data under the Data Law, and a separate Personal Data Protection Law with different requirements—particularly disadvantages U.S. companies accustomed to unified regulatory frameworks. Vietnam’s approach encourages other ASEAN nations to adopt similar data localization and security-focused regulations, threatening to create a patchwork of requirements that systematically erodes U.S. platforms’ ability to operate efficiently across the region.^[9]

Endnotes