Vietnam's New Privacy Law Adds an AI Opt-Out | TLY

AI Regulation Tracker  /  Legislation in force

Vietnam's new data protection law gives people a right to opt out of automated decisions

Vietnam's Law on Personal Data Protection No. 91/2025/QH15 took effect on January 1, 2026, and adds a GDPR-style right for individuals to object to profiling and automated decision-making. Any firm handling Vietnamese personal data now owes new transparency and opt-out duties.

Vietnam's new data protection law gives people a right to opt out of automated decisions regulation briefing
The Leveraged Years AI Regulation Tracker

Vietnam has closed a gap that sat in plain sight for nearly three years. Under the Law on Personal Data Protection No. 91/2025/QH15, in force since January 1, 2026, people whose data is processed in Vietnam can now object to or limit profiling, automated decision-making, and direct marketing. The country's earlier framework defined automated processing but gave individuals no comparable right to push back against it. That right now exists in statute.

From decree to statute

The change matters first because of what it replaces. Vietnam's 2023 rules lived in a decree, Decree 13/2023, an instrument of the executive rather than an act of the legislature. Law 91/2025/QH15 was passed by the National Assembly in June 2025 and elevates the same subject matter to primary legislation. A statute carries the standing of primary legislation and a firmer basis for penalties than a decree, so the move is not cosmetic. It signals that data protection in Vietnam now rests on a durable legal footing rather than administrative guidance.

The authoritative text is the Vietnamese-language version published through the National Assembly. English readers should treat the widely circulated luatvietnam.vn translation as a secondary, paid rendering, useful for orientation but not the controlling text. Law-firm handbooks from DLA Piper and Baker McKenzie, along with Vietnam Briefing, describe the same core duties.

The new right against automated decisions

The operative addition is the right to object to or limit automated decision-making. Where an organization scores, ranks, or decides about a person by automated means, the individual can now ask for that processing to be stopped or constrained. Alongside the objection right, the law requires transparency on the logic behind automated decisions and a meaningful explanation of their impact. In practice, a firm can no longer treat an automated model as a closed box when a Vietnamese data subject asks how a decision about them was reached.

Profiling and direct marketing sit inside the same objection framework. A person can opt out of being profiled and of receiving direct marketing, which reaches marketing operations and ad-tech pipelines as much as credit or eligibility scoring. The practical effect is that consent alone no longer settles the matter. A firm may have collected data lawfully and still face a valid request to stop using it for an automated purpose, which means the opt-out has to be a live, working control rather than a line in a privacy notice.

This is a meaningful shift for lenders and insurers in particular. Automated credit scoring, fraud screening, and pricing models all fall within reach when they decide something about a person in Vietnam. The obligation to give a meaningful explanation of impact pushes those decisions toward being auditable, so a firm should expect to show, on request, which factors drove an outcome and what it meant for the individual.

Impact assessments for high-risk uses

The law pairs the new right with a documentation duty. High-risk processing, including profiling, automated decision-making, use of artificial intelligence, and facial recognition, requires a data protection impact assessment. That assessment is the paperwork that proves a firm considered the risks before deploying the system, not after a complaint arrives. For teams building or buying AI that touches Vietnamese data, the assessment becomes a gate rather than an afterthought.

What it does not do

The law does not ban automated decision-making, and it does not require human decisions in every case. It grants a right to object, to limit, and to be given an explanation. It also does not, on its own, resolve every operational detail; Vietnam's implementing decree carries the forms and procedures that put these duties into daily practice. The headline change is narrower and clearer than a prohibition: individuals gain leverage over automated processing that they did not have under the 2023 decree.

For a US reader, the cross-border angle is straightforward. Vietnam is importing the substance of the GDPR's Article 22 on automated decisions, three years after it modeled its structure on the GDPR through the 2023 decree. A multinational that already runs a single European privacy program can map its Vietnamese duties onto existing GDPR automated-decision controls rather than build a separate regime. The explanation, opt-out, and impact-assessment mechanics will look familiar to anyone who has already implemented Article 22.

Frequently Asked Questions

What changed under Vietnam's Law on Personal Data Protection No. 91/2025/QH15?

Vietnam replaced its 2023 data protection decree with a statute and added a right the decree lacked: individuals can now object to or limit profiling, automated decision-making, and direct marketing, and they can demand an explanation of automated-decision logic and its impact. The law took effect January 1, 2026.

Who is affected?

Any controller or processor of Vietnamese personal data, in any sector, including firms based abroad. It reaches banks, insurers, lenders, marketers, HR teams, and any SaaS or ad-tech vendor that profiles or auto-decides about people in Vietnam.

Does the law ban automated decision-making?

No. It grants a right to object to or limit automated processing and requires transparency and a meaningful explanation of impact. It does not prohibit automated decisions or mandate a human decision in every case.

How is this different from the 2023 decree?

The 2023 decree (Decree 13/2023) defined automated processing but gave no GDPR-style right against automated decision-making. The new law adds that objection and opt-out right, requires impact assessments for high-risk uses, and carries the standing of primary legislation.

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.