On January 1, 2026, Vietnam's Personal Data Protection Law (PDPL) — passed by the National Assembly in 2025 — came into force, replacing the interim Decree 13/2023/ND-CP that had governed personal data since mid-2023. The PDPL is the country's first comprehensive, statute-level data protection regime, and on paper it borrows generously from the EU's General Data Protection Regulation (GDPR): lawful-basis requirements, granular consent, data subject rights, mandatory breach notification, restrictions on cross-border transfers, and administrative penalties that can reach up to 5% of a violator's prior-year revenue for the most serious infringements.
For a country whose digital economy the government and the e-Conomy SEA report have repeatedly described as one of Southeast Asia's fastest-growing, this is a significant moment. It is also a moment that deserves more scrutiny than celebration.
What the law actually does
The PDPL applies to any organization or individual — domestic or foreign — that processes the personal data of people in Vietnam. That extraterritorial reach mirrors GDPR Article 3 and will pull in global platforms like Meta, Google, TikTok, Shopee, and a long tail of SaaS vendors that previously operated under a much lighter-touch regime.
Key obligations include:
- Consent and lawful basis: Controllers must obtain specific, informed consent for most processing, with stricter rules for sensitive data categories.
- Cross-border transfer controls: Transfers abroad require an impact assessment dossier filed with the Ministry of Public Security, continuing the localization-flavored approach Vietnam established under Decree 53/2022 implementing the 2018 Cybersecurity Law.
- Breach notification: Controllers must notify authorities of qualifying breaches within tight windows, similar to GDPR's 72-hour standard.
- Administrative fines: Up to 5% of prior-year revenue for serious violations — a ceiling that is, notably, higher than GDPR's 4% cap.
The pro-innovation case for codification
To be clear: moving from a decree to a parliamentary statute is a real improvement. Decrees in Vietnam can be amended quickly by the executive, which created legal uncertainty for businesses trying to plan multi-year compliance programs. A statute is harder to change overnight, and the legislative process — even an imperfect one — surfaces more stakeholder input.
A predictable rulebook is good for the open internet. It gives Vietnamese startups a clearer baseline to build on, makes it easier for foreign investors to underwrite long-term bets, and reduces the discretionary enforcement risk that has historically deterred smaller foreign operators from entering the market. Vietnam's stated ambition to grow its digital economy to a substantial share of GDP by 2030 depends on exactly this kind of legal clarity.
Where the proportionality problem starts
The trouble is that the PDPL does not operate in a vacuum. It sits on top of the 2018 Cybersecurity Law, Decree 53/2022 on data localization, Decree 147/2024 on internet services and social media, and a draft Digital Technology Industry Law that has been circulating in 2025. Together, these instruments create overlapping — and at times contradictory — obligations around storage location, content moderation, identity verification, and government access to data.
A few concrete concerns stand out:
1. The 5% revenue ceiling is unusually steep
For global firms, 5% of worldwide prior-year revenue (if interpreted broadly) would dwarf even GDPR's maximums in absolute terms. The text and implementing guidance leave room for narrower interpretations — e.g., Vietnam-only turnover — but until regulators clarify, boards will plan for the worst case. That tends to produce defensive over-compliance, not better privacy outcomes.
2. Cross-border transfer friction
Requiring an impact assessment dossier for routine transfers — including ordinary cloud usage — risks recreating the worst features of the EU's post-Schrems II environment without the corresponding adequacy machinery. Small Vietnamese exporters and SaaS-dependent SMEs will feel this most.
3. Consent fatigue and innovation drag
GDPR's experience is instructive: heavy reliance on consent has produced cookie-banner theater and entrenched incumbents who can afford compliance teams, while squeezing smaller competitors. Vietnam can do better by leaning more heavily on legitimate-interest-style bases for low-risk processing.
Good data protection law protects people without freezing the products they actually want to use. Vietnam now has the framework; the open question is whether enforcement will be calibrated or maximalist.
What proportionate enforcement looks like
The Ministry of Public Security and the forthcoming Personal Data Protection Commission have significant discretion in how they operationalize the PDPL. A few principles would help reconcile the law's protective goals with Vietnam's growth ambitions:
- Risk-tiered enforcement: Reserve the 5% ceiling for genuinely egregious cases — repeat offenders, sensitive-data breaches at scale, or deliberate non-cooperation. First-time, good-faith violations should attract guidance, not headline fines.
- SME safe harbors: Lower documentation burdens for small businesses, mirroring the spirit of GDPR Article 30(5).
- Workable cross-border mechanisms: Standard contractual clauses, recognition of equivalent foreign regimes, and a published whitelist of jurisdictions would reduce friction without sacrificing oversight.
- Independence and due process: Housing the lead regulator within Public Security raises legitimate questions about independence; transparent procedures and judicial review will matter.
The bottom line
Vietnam's PDPL is a meaningful step toward modern data governance and, in many respects, a welcome one. But the law's protective promise depends entirely on how it is enforced — and on whether it is harmonized with, rather than stacked on top of, the country's existing thicket of cybersecurity and content rules. The pro-innovation path is open. Whether Vietnam takes it will be visible in the first wave of enforcement actions in 2026 and 2027.