Vietnam data localisation and platform regulation

Vietnam's Unified Cybersecurity Law Gives Police 24-Hour Platform Authority Without Judicial Oversight

Law 116/2025/QH15 consolidates Vietnam's internet framework while giving police 24-hour authority to remove content and access user data.

Vietnam Cybersecurity Law: Key Numbers People of Internet Research · Vietnam 79.8M Vietnamese internet users Total internet users in Vietnam as… 24 hrs Standard takedown deadline Time platforms have to remove flag… 3 hrs Emergency data window Time to hand over user data to pol… 29 laws July 1 laws enacted Vietnam's July 2026 regulatory pac… peopleofinternet.com

Key Takeaways

On July 1, 2026, Vietnam's Law on Cybersecurity No. 116/2025/QH15 came into force alongside new e-commerce and digital transformation statutes — part of a legislative package comprising 29 laws, two ordinances, and 34 decrees enacted simultaneously. Passed by the National Assembly on December 10, 2025, the statute consolidates two older frameworks — Law No. 86/2015/QH13 on cyber-information security and Law No. 24/2018/QH14 on cybersecurity — into a single unified regime. The consolidation resolves years of overlapping jurisdictional uncertainty. The obligations inside it are another matter.

Three Mandates, One Architecture

The law establishes three interlocking requirements for any provider operating in or accessible from Vietnamese cyberspace. Under Article 25(2)(b), platforms must delete flagged content or remove non-compliant services within 24 hours of a Ministry of Public Security (MPS) request, dropping to six hours in urgent national security cases. Article 25(2)(a) runs in parallel: user data — account names, usage logs, payment records, and IP addresses — must be disclosed to MPS within 24 hours, or three hours in emergencies. Article 25(3) requires foreign enterprises to establish a branch or representative office in Vietnam and store Vietnamese user data locally for a government-prescribed retention period, with implementing details still pending a Decree.

The Government's Case Deserves a Hearing

Vietnam's position is not unreasonable on its face. With 79.8 million internet users, the country faces genuine threats: cross-border fraud networks, documented cybercrime, and disinformation campaigns. A local legal presence gives regulators a meaningful enforcement point when platforms routinely ignore requests — a recurring frustration under the 2018 regime. Data localisation, in theory, limits exposure to foreign intelligence collection. The argument that global platforms cannot operate as jurisdiction-free zones is now mainstream in democratic internet governance debates, not exclusively an authoritarian talking point.

Where Proportionality Breaks Down

The problem is not the objective but the mechanism.

The 24-hour police takedown order contains no judicial checkpoint. MPS can demand content removal on its own authority, without a warrant, without an adversarial hearing, and without notifying the subject of the order. Vietnam used the 2018 predecessor statute systematically to demand removal of political criticism and independent journalism. Law 116/2025/QH15 does not narrow that authority — it consolidates and streamlines it.

The three-hour emergency user data window is structurally incompatible with meaningful due process. Three hours is insufficient for an international platform to authenticate a request, escalate to legal counsel, and assess compatibility with home-country data protection law. The operative result is an instruction to comply first and ask questions later. The law defines "emergency" as threats to national security or human life — a category broad enough to encompass virtually any politically sensitive investigation.

Data localisation compounds rather than addresses the privacy problem. Storing Vietnamese user data inside Vietnam does not protect it from state access — it guarantees access, since local storage falls under domestic law enforcement jurisdiction without requiring the international legal assistance treaties that would otherwise govern cross-border data requests. The EU's GDPR restricts data transfers to protect citizens from weaker foreign legal regimes; Vietnam's localisation mandate removes exactly that friction, ensuring police can compel local copies directly.

The branch office requirement is the enforcement lever that makes the rest credible: a registered local entity carries legal liability and leadership accountability. Non-compliant platforms face market exclusion — a serious consequence in a country of 79.8 million internet users.

Economic Stakes at a Pivotal Moment

The timing matters. The World Bank reclassified Vietnam as an upper-middle-income economy in 2026, with GNI per capita reaching US$4,970. Resolution 10-NQ/TW, adopted in June 2026, explicitly prioritises high-quality FDI in digital sectors including semiconductors and artificial intelligence. Yet Law 116/2025/QH15's compliance architecture creates friction that deters enterprise cloud, SaaS, and platform investment. ITIF has documented that data localisation mandates systematically raise compliance costs by forcing restructuring of global data architectures. Adjacent regulations — including Personal Data Protection Law No. 91/2025/QH15, in force since January 2026 — impose penalties of up to 5% of annual Vietnam revenue for cross-border data transfer violations. For mid-sized technology firms without Vietnamese subsidiaries, the combined obligations shift the risk calculus toward market caution over commitment.

What Proportionate Regulation Requires

Vietnam could meet its legitimate security objectives with substantially less damage to the open internet. Judicial authorisation for takedown orders — even via a fast-track administrative tribunal — would preserve procedural legitimacy without sacrificing response speed. Data retention scoped to active investigations, rather than blanket user storage, would address real law enforcement needs without building a standing surveillance database. A notification safe harbour permitting platforms to inform users before disclosure, where legally permissible, would bring the framework into alignment with international norms.

Law 116/2025/QH15 achieves the consolidation it set out to accomplish. Whether the unified framework becomes cybersecurity infrastructure or censorship infrastructure depends entirely on how MPS exercises the authority it now holds. The historical record under the 2018 law provides little cause for optimism.

Sources & Citations

  1. Law 116/2025/QH15 — Official Government Registry
  2. Law 116/2025/QH15 — English Text (LuatVietnam)
  3. Duane Morris — Vietnam Cybersecurity Law 2026: What You Must Know
  4. ITIF — Vietnam's Data-Localization Regulation
  5. Vietnam Briefing — July 2026 Regulatory Update
  6. Rajah & Tann Asia — Vietnam's Law on Cybersecurity Comes into Operation 1 July 2026