Vietnam's Data Law Gates Core Data Exports for AI | TLY

AI Regulation Tracker  /  Legislation in force

Vietnam's Data Law 60/2024 requires state approval before "core" or "important" data leaves the country

Vietnam's standalone data statute has been in force since July 1, 2025, and it gates the export of nationally significant data, personal or not, behind a security assessment and government sign-off. Any firm moving Vietnamese datasets abroad, including AI training data, now needs prior approval.

Vietnam's Data Law 60/2024 requires state approval before
The Leveraged Years AI Regulation Tracker

Vietnam has built a hard gate around data leaving the country. The Law on Data No. 60/2024/QH15, passed by the National Assembly on November 30, 2024, has been in force since July 1, 2025. It is a standalone data statute, and it sits apart from Vietnam's personal-data privacy rules. Where the privacy regime governs how personal information is handled, the Data Law governs data as a national asset, and it decides which data can go abroad and on whose authority.

The two tiers that trigger the gate

The law turns on two categories. "Core data" and "important data" are defined by their relevance to national defense, national security, the macroeconomy, or public health. Data that falls into these tiers cannot simply be exported. An organization must first pass a security and impact assessment, then obtain approval before any outbound transfer. The approval authority depends on the tier: the Prime Minister signs off on core data, while the Ministry of Public Security handles important data. On top of that, the exporting organization must sign a contract with the foreign recipient governing the transfer.

The tiering matters because it sets a different bar than a general privacy rule. This is not a consent question. It is a state-approval question, and for the most sensitive tier it runs all the way up to the Prime Minister. The assessment is not a formality either. It is framed as a security and impact review, meaning an organization has to characterize the data, describe the transfer, and account for the risk before an authority will clear it. That sequencing puts the burden on the exporter to show the transfer is safe, rather than on the government to prove it is not.

It covers more than personal data

The reach of the law is what makes it consequential for technology firms. According to secondary analyses from KPMG, Securiti, and Digital Policy Alert, the statute covers personal and non-personal data alike. That sweep pulls in aggregated and business data, the kind of material that feeds model training. A dataset stripped of names is still within scope if it qualifies as core or important. For any firm that assembles Vietnamese data and moves it to servers, partners, or model-training pipelines abroad, the classification question now comes before the transfer.

What it does not do

The law does not ban cross-border transfers outright, and it does not turn every dataset into a state secret. Ordinary data that does not meet the "core" or "important" threshold is not subject to the approval gate described here. The heavy machinery, assessment plus government sign-off plus a recipient contract, attaches to the regulated tiers. The practical difficulty is that the boundaries of "core" and "important" carry national-defense, security, macroeconomic, and public-health language that is broad by design, so the safe posture is to classify carefully rather than assume a dataset is out of scope.

The double lock for AI data

Read alongside Vietnam's personal-data cross-border transfer regime, the Data Law creates a double lock on data exports. The privacy rules govern the movement of personal information; the Data Law governs the movement of nationally significant data. A firm exporting a Vietnamese training set may have to satisfy both. The structure echoes China's Personal Information Protection Law approach to "important data," pairing data localization pressure with an export gate keyed to national significance.

For a US reader, the cross-border angle is direct. This is not a rule that binds US firms only when they sell into Vietnam; it binds anyone moving qualifying Vietnamese data across a border, including a US company pulling Vietnamese datasets back to train a model at home. It also signals where a growing bloc of governments is heading: treating data with national-security or economic weight as something that cannot leave without permission. Firms that already map their transfers against China's regime will find the logic familiar, but the Vietnamese approval authorities and assessment steps are their own, and the contract-with-recipient requirement is a specific obligation to build into export workflows.

The immediate task is unglamorous and important. Know what Vietnamese data you hold, decide honestly whether any of it could be classified as core or important, and route those transfers through the assessment and approval path before they happen rather than after.

Frequently Asked Questions

What exactly changed under Vietnam's Data Law 60/2024/QH15?

Vietnam enacted a standalone data statute, in force since July 1, 2025. It requires a security and impact assessment plus government approval, from the Prime Minister for "core data" or the Ministry of Public Security for "important data," and a contract with the foreign recipient before that data can be transferred abroad.

Who is affected by the cross-border approval gate?

Any organization handling Vietnamese data that qualifies as "core" or "important" because of its national-defense, security, macroeconomic, or public-health relevance. This includes non-personal and aggregated business data, so AI developers exporting Vietnamese training sets are squarely in scope.

Does the law apply to non-personal data used for AI training?

Yes. Secondary analyses indicate the law covers personal and non-personal data, including aggregated and business data that feeds AI training. A dataset without personal identifiers can still fall under the export gate if it qualifies as core or important.

How does this relate to Vietnam's privacy rules?

They operate as separate but stacking regimes. The privacy regime governs cross-border transfers of personal data, while the Data Law governs transfers of nationally significant data. A single export may need to clear both, creating a double lock on data leaving Vietnam.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.