Vietnam's Personal Data Protection Law (PDPL), passed by the National Assembly on June 26, 2025 and in force since January 1, 2026, is the most ambitious privacy statute Southeast Asia has produced this decade. It introduces a consent-based processing regime, codifies data subject rights, regulates cross-border transfers, and — most strikingly — empowers regulators to impose administrative fines of up to 5% of an organisation's prior-year revenue for serious violations. On paper, it reads like a GDPR-inspired modernisation. In practice, it sits on top of two pre-existing regimes that already make Vietnam one of the most compliance-heavy markets in Asia: Decree 53/2022 implementing the 2018 Law on Cybersecurity, and Decree 13/2023, the country's first Personal Data Protection Decree (PDPD).
The result is not one privacy framework but three, partially overlapping, with the newest layer carrying the heaviest penalties. For a region competing hard for cloud investment, AI development, and platform headquarters, that is a problem worth naming.
Three regimes, one compliance team
To understand what changed on January 1, you have to read the new law against what was already there.
- Decree 53/2022/ND-CP implements Vietnam's 2018 Law on Cybersecurity. It requires certain foreign service providers and all domestic ones to store specified categories of user data inside Vietnam and, in some cases, establish a local branch or representative office. The Ministry of Public Security (MPS) administers the regime.
- Decree 13/2023/ND-CP (PDPD), in force since July 2023, introduced consent requirements, breach notification, and the now-infamous Cross-Border Data Transfer Impact Assessment (TIA) — a dossier that controllers must file with the MPS before sending personal data abroad.
- The PDPL (2025) elevates these obligations from decree to statute, adds organisational duties (DPOs for large processors, automated decision-making rules, stricter rules for children's and biometric data), and unlocks the headline 5%-of-revenue fines.
None of the older obligations have been repealed. Companies operating in Vietnam now answer to MPS on cybersecurity and localisation, MPS again on personal data, and — for cross-border flows — must produce both a TIA filing and PDPL-compliant transfer documentation. The compliance team is doing the same job three times, against three sets of definitions that do not perfectly align.
Localisation: a settled bad idea, freshly reinforced
The empirical case against forced data localisation has been made repeatedly by the OECD, the World Bank, and the European Centre for International Political Economy. Their conclusion is consistent: localisation mandates raise compute costs, fragment security architectures, depress trade in digital services, and — paradoxically — make data less secure by forcing it into smaller, less mature local infrastructure. Vietnam's own experience tracks the literature. Hyperscalers have been slow to build full Vietnamese regions, and several have routed Vietnamese workloads through Singapore — exactly the cross-border flow Decree 53 was meant to suppress.
The PDPL does not loosen any of this. It assumes localisation as the baseline and bolts privacy rules on top. A foreign SaaS vendor processing Vietnamese employees' payroll now needs: (i) a local storage arrangement or exemption under Decree 53; (ii) a filed TIA under Decree 13; (iii) PDPL-grade consent records, DPO appointment if thresholds are crossed, and breach-notification machinery. For a mid-sized European or Indian firm, this is a serious deterrent to entering the market at all.
The 5% fine is the part that will reshape behaviour
Until the PDPL, Vietnam's privacy penalties were modest fixed-sum administrative fines. The new revenue-linked ceiling moves Vietnam into GDPR territory on paper and, in two respects, beyond it. The headline figure is higher: 5% of prior-year revenue against the EU's 4% of global turnover. More importantly, the EU's ceiling applies within a regime that has well-developed proportionality jurisprudence, judicial review, and a network of independent supervisory authorities. Vietnam's enforcement runs through MPS, a security ministry rather than an independent data-protection authority. Foreign investors are right to ask how proportionality will be assessed when the same body writes the rules, investigates breaches, and sets the fine.
What proportionate reform would look like
None of this is an argument against privacy law. Vietnam has roughly 78 million internet users and one of the fastest-growing digital economies in ASEAN; codifying data subject rights is overdue. But the PDPL would do far more good — for citizens and for the sector — if Hanoi paired it with three corrections:
- Repeal or narrow Decree 53's localisation triggers. A modern privacy law makes blanket localisation redundant; transfer impact assessments already address the underlying risk.
- Establish an independent data protection authority. Concentrating cybersecurity, criminal, and privacy enforcement inside MPS conflates very different regulatory tasks and undermines investor confidence.
- Publish clear, technology-neutral guidance on AI and automated decision-making before enforcement begins, rather than after — the EFF's critique of vague US privacy drafting in May 2026 is instructive: rules that no one can operationalise produce litigation, not protection.
Vietnam has positioned itself as a credible alternative to China for regional supply chains and a serious AI-adoption story. That positioning is not free. It depends on whether multinational firms can deploy modern cloud and SaaS stacks inside Vietnam without retaining three law firms. The PDPL was the moment to consolidate. Instead, it stacked. The next decree cycle — implementation guidance is expected through 2026 — is the chance to fix it.