Vietnam's Ministry of Justice released a draft Law on Data Security on July 14, 2026, that would prohibit the cross-border export of "core data" outright and require Ministry of Public Security (MPS) pre-approval before companies can move "important data" or large-scale personal data out of the country. The bill, which classifies information into four tiers — ordinary, internal, important and core — is scheduled for a National Assembly vote in October 2026. If passed, it becomes the fourth major Vietnamese data statute in roughly two years, stacking atop the Law on Data (Law No. 60/2024/QH15, effective July 2025), the revised Cybersecurity Law (effective July 2026), and the Personal Data Protection Law (PDPL, effective January 2026).
The Case for the Bill
Vietnam's concern is not invented. A mid-sized economy sitting between two great powers, with a fast-growing digital sector and no domestic hyperscale cloud champion of its own, has a legitimate interest in knowing where sensitive state, defense and critical-infrastructure data physically resides and who can compel its disclosure. The Ministry of Justice's own drafting notes tie the bill to protecting "national digital sovereignty" — language that echoes, deliberately, the classification architecture in China's 2021 Data Security Law, which Vietnam's 2024 Data Law already borrowed the "important/core data" split from. For data tied to national defense, energy grids or financial-system stability, a government wanting sign-off before that data leaves the jurisdiction is a defensible, proportionate instinct, not an outlier one — most large economies, including EU member states, restrict cross-border flows of classified and critical-infrastructure data in some form.
Where the Bill Overreaches
The problem is what happens once that principle is stretched from classified state data to "large-scale personal data" and an undefined category of "important data" — decided case by case by the same ministry that also runs cyber-enforcement. The Ministry of Justice's own appraisal council flagged this risk in its assessment of the draft, warning explicitly that the new law risks duplicating obligations already imposed by the Data Law, the PDPL and the Cybersecurity Law rather than clarifying them. That is a government regulator conceding, in its own review document, that the fourth law in two years may add confusion rather than resolve it.
The compliance exposure lands on exactly the firms Vietnam says it wants more of: cloud and hosting providers, e-commerce platforms, multinational shared-service centers processing payroll and finance data, and any consumer platform large enough to hold bulk personal data on Vietnamese users. Because "important data" is not defined with a fixed, published list, companies cannot know in advance whether a routine data transfer — an HR system sync, a fraud-detection feed, a SaaS backup — requires an MPS filing until the ministry tells them, after the fact, that it did. Industry groups have made a related point about earlier Vietnamese data rules: BSA Asia-Pacific policy director Jared Ragland has argued that data localization mandates generally "do not improve the security or availability of data to customers or law enforcement," while raising compliance costs that can push firms toward "other regional markets with more welcoming policies." The US Chamber of Commerce, AmCham Hanoi and the Asia Internet Coalition have separately told Vietnam's government that ambiguous data-compliance wording makes it "impossible for companies to accurately assess the cost of doing business in Vietnam."
A Calibrated Alternative Already Exists
The irony is that a workable middle path is sitting in the EU's own rulebook. GDPR Article 45 lets the European Commission grant "adequacy" status to a non-EU jurisdiction whose privacy regime is judged equivalent — after which data flows freely, with no case-by-case government sign-off required. Where adequacy doesn't apply, companies fall back on standardized instruments — Standard Contractual Clauses and Binding Corporate Rules — that are pre-approved templates, not discretionary approvals sought transaction by transaction. Eighteen jurisdictions currently hold EU adequacy status, including Japan and South Korea; none are in Southeast Asia, and Vietnam is not among them. The comparison isn't that the EU is more permissive than Vietnam wants to be — GDPR is famously strict — it's that Brussels built a graduated, rules-based toolkit instead of routing every qualifying transfer through a single security ministry's discretion. A company operating under GDPR knows the rule before it moves data. A company operating under Vietnam's draft would often find out after.
What Would Fix It
Vietnam does not need to abandon the core-data restriction to fix this bill. It needs three things the current draft lacks: a fixed, published list — not an open-ended ministerial category — defining exactly what counts as "important data"; a standardized approval mechanism with statutory response deadlines, replacing open-ended MPS discretion; and an explicit reconciliation clause folding the Data Law, PDPL and Cybersecurity Law provisions into one compliance pathway rather than three overlapping ones. Vietnam's own digital-economy program targets the sector reaching 30% of GDP by 2030. Every additional layer of unpredictable, discretionary data-transfer approval makes that target harder to hit, not easier — and the National Assembly has until October to decide whether this draft closes that gap or widens it.