Vietnam’s Cross-Border Data Transfer Regulation
The Framework
Vietnam’s Decree No. 13/2023/ND-CP mandates that any entity transferring personal data of Vietnamese citizens outside the country must prepare comprehensive impact assessment dossiers and submit them to the Ministry of Public Security’s Department of Cybersecurity and High-Tech Crime Prevention within 60 days of processing.[1] The regulation defines cross-border transfers broadly to include not only actual data transfers but also any processing of Vietnamese citizens’ data using automated systems located outside Vietnam, effectively capturing cloud services and global platforms.[2] Companies must obtain explicit consent from data subjects, detail all data protection measures, identify recipients and their nationalities, specify retention periods, conduct risk assessments, and maintain binding contracts between transferring and receiving parties.[3] The Ministry of Public Security retains discretionary power to halt transfers if data is deemed to violate “national interests and security”—an intentionally vague standard—or if companies fail to comply with documentation requirements, with mandatory updates required whenever assessment contents change.[4] Unlike data protection frameworks in other jurisdictions, Vietnam entrusts enforcement to its security apparatus rather than an independent privacy authority, requiring foreign companies to submit proprietary operational details directly to government security officials.[5]
Implications for U.S. Technology Leadership
This regulation imposes disproportionate compliance costs on leading U.S. technology platforms that dominate Vietnam’s digital landscape. Facebook, with 65 million Vietnamese users generating nearly $1 billion in revenue, and Google’s YouTube platform with $475 million in advertising revenue, bear the heaviest burden as they must establish dedicated compliance infrastructure, maintain extensive documentation systems, and continuously update assessment dossiers for their global operations. The requirement to process impact assessments for any automated processing of Vietnamese data effectively forces these companies to fragment their global architectures, undermining the operational efficiencies that enable their competitive advantages.
The broader implications for U.S. technological leadership extend beyond immediate compliance costs. The regulatory approach diverts critical engineering and legal resources from innovation to compliance activities, as U.S. companies must develop Vietnam-specific frameworks while managing similar but incompatible requirements across multiple jurisdictions. Major platforms report compliance rates of 90–95 percent with government requests, demonstrating how these regulations force American companies to compromise operational independence to maintain market access. The precedent set by Vietnam’s security-focused approach to data governance encourages other countries in the region to adopt similar measures, creating a fragmented regulatory landscape that systematically erodes the scalability advantages that have historically enabled U.S. platforms to drive global digital innovation.[6] As companies face escalating costs to maintain operations in Vietnam’s substantial market, they must choose between accepting diminished profitability or ceding ground to competitors, ultimately weakening America’s position in the global competition for digital platform leadership.[7]
Endnotes
[1] “Personal Data Processing Impact Assessment, Cross-Border Transfer Impact Assessment (Vietnam),” Lexology, June 29, 2023, https://www.lexology.com/library/detail.aspx?g=9e62512e-16ac-4e71-8e39-afbd5126dc69.
[2] “Vietnam’s Personal Data Protection Decree: Overview, Key Takeaways, and Context,” Future of Privacy Forum, https://fpf.org/blog/vietnams-personal-data-protection-decree-overview-key-takeaways-and-context/.
[3] “Legal update on Personal Data Protection: An overview of the significant provisions outlined in Decree No. 13/2023/ND-CP,” Lexology, July 21, 2023, https://www.lexology.com/library/detail.aspx?g=8a617748-e0b8-4b71-9ee0-12e8a1c885ca.
[4] “Legal Alert on Decree 13 on Personal Data Protection,” KPMG Vietnam, June 26, 2024, https://kpmg.com/vn/en/home/insights/2023/04/legal-alert-on-decree-13.html.
[5] “Vietnam’s 2023 Personal Data Protection Decree,” SecurePrivacy.ai, https://secureprivacy.ai/blog/vietnam-personal-data-protection-law.
[6] Nigel Cory and Luke Dascoli, “How Barriers to Cross-Border Data Flows Are Spreading Globally, What They Cost, and How to Address Them” (ITIF July 2021), https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost/.
[7] Nigel Cory, “Cross-Border Data Flows: Where Are the Barriers, and What Do They Cost?” (ITIF, May 2017), https://itif.org/publications/2017/05/01/cross-border-data-flows-where-are-barriers-and-what-do-they-cost/.
Related
March 7, 2025
Vietnam’s Data-Localization Regulation
June 2, 2025
Vietnam’s Content Moderation Regulation
June 5, 2025
