Vietnam's data protection architecture has matured at remarkable speed. In the span of three years, Hanoi has moved from a patchwork of cybersecurity rules to a full-fledged regime anchored by Decree 13/2023/ND-CP on Personal Data Protection (effective July 2023) and the new Personal Data Protection Law (PDPL), which took effect on January 1, 2026. For European companies operating in one of Asia's fastest-growing digital economies, the question is no longer whether to comply, but whether compliance is even operationally feasible.
The European Chamber of Commerce in Vietnam (EuroCham) has flagged the issue in successive editions of its annual Whitebook, the chamber's main vehicle for raising policy concerns with the Vietnamese government. The complaint is not that Vietnam regulates data — it should — but that the regime layers stringent localisation expectations on top of mandatory cross-border transfer impact assessments (TIAs), ambiguous consent rules, and notification duties to the Ministry of Public Security's A05 department. The cumulative effect, EuroCham argues, risks deterring exactly the kind of European investment Vietnam is trying to attract.
What the new regime actually requires
Three features make Vietnam's framework unusually demanding by APAC standards:
- Transfer Impact Assessment dossiers. Any organisation transferring personal data of Vietnamese citizens abroad must compile a TIA dossier — covering the purpose, recipient, safeguards, and risk mitigation — and file it with A05 within 60 days of the transfer beginning. The dossier must remain available for inspection at any time.
- De facto localisation pressure. While the PDPL stops short of a blanket localisation mandate for all personal data, it operates alongside the 2018 Law on Cybersecurity and Decree 53/2022, which already require local storage of certain categories of data, and local entities or branches, for foreign service providers meeting specified thresholds. The combined effect is that many EU firms feel pushed toward local data storage as the lowest-risk default.
- Sensitive data and consent. Vietnam's definition of "sensitive personal data" is broader than the GDPR's Article 9, capturing categories like financial information and location data. Explicit, granular, and revocable consent is the default lawful basis, with limited room for the legitimate-interests reasoning EU controllers rely on at home.
Why this matters for EU adequacy conversations
None of this would matter much if Vietnam were a small market. But Vietnam is now one of the EU's largest trading partners in ASEAN, with bilateral goods trade reportedly exceeding €60 billion in 2024 according to European Commission data, and the EU-Vietnam Free Trade Agreement (EVFTA) has accelerated digital services integration. European firms in sectors from manufacturing IT to fintech to logistics now routinely move personnel, customer, and operational data between EU headquarters and Vietnamese subsidiaries.
Under the GDPR, those transfers require either an adequacy decision under Article 45 or appropriate safeguards under Article 46 — typically Standard Contractual Clauses (SCCs) coupled with a transfer impact assessment in the post-Schrems II sense. The European Data Protection Board has indicated repeatedly that an importing country's local surveillance and government-access regime is part of that assessment. Vietnam's framework, with broad data access powers vested in A05 and the Ministry of Public Security, raises exactly the kind of questions that doomed the EU-US Privacy Shield.
The risk is a quiet decoupling: EU firms continue to operate in Vietnam, but at the cost of duplicated infrastructure, lengthier procurement cycles, and a competitive disadvantage versus regional rivals less burdened by GDPR-equivalent obligations.
The proportionate path Vietnam could still take
Vietnam's regulators deserve credit for taking privacy seriously and moving faster than most ASEAN peers. Indonesia's Law 27/2022 on Personal Data Protection and the Philippines' Data Privacy Act look comparatively under-enforced. But strict rules are not the same as good rules, and Hanoi has room to refine without retreating.
A more proportionate model would:
- Replace ex-ante TIA filing with risk-tiered obligations, so that low-risk routine transfers (HR data within a multinational group, for instance) are not treated like sensitive bulk transfers.
- Recognise SCC-based transfers approved by the European Commission as a presumptive safeguard, mirroring the approach Japan and South Korea adopted en route to their adequacy decisions.
- Issue clear guidance on legitimate interests and contractual necessity, narrowing the practical reliance on consent for transactions where consent is a fiction.
- Provide a real safe harbour for cloud-based storage outside Vietnam where encryption-at-rest and key management remain under the controller's exclusive authority.
The bigger picture
Vietnam's choice will reverberate. Thailand, Malaysia, and Indonesia are all watching how Hanoi's model performs in practice. If the PDPL succeeds in attracting compliance without choking investment, it becomes a template. If, instead, European firms quietly route new digital initiatives to Singapore or stay out altogether, the cost will fall on Vietnamese consumers and SMEs that lose access to global services.
The EU, for its part, should engage constructively. An adequacy dialogue — even a long, demanding one — is more useful than the current pattern of bilateral complaints and reactive guidance. A pragmatic framework that protects Vietnamese citizens while enabling European companies to operate at scale is plainly achievable. The question is whether either side will treat data governance as a partnership rather than a barrier.
For now, EU firms operating in Vietnam are doing what regulated firms always do: hiring compliance counsel, redesigning data flows, and absorbing the cost. The deeper question — whether Vietnam's regime is the future of APAC data protection or a cautionary tale about overshoot — will be answered over the next 12 to 24 months.