“Tightening” regulations on cross-border data provision and transfer

Vietnam is a country with sovereignty and laws on cyberspace, accordingly, foreign enterprises doing business in Vietnam must comply with Vietnamese laws. The Data Law 2024 is an important step forward in shaping digital data management policies in Vietnam, with the goal of ensuring security, protecting the rights of data subjects and promoting the development of the digital economy. The Law defines the subjects of application as: Vietnamese agencies, organizations and individuals; foreign agencies, organizations and individuals in Vietnam; and foreign agencies, organizations and individuals directly participating in or related to digital data activities in Vietnam. Thus, international enterprises and platforms operating in Vietnam are all subject to this Law.

Notably, the Law encourages organizations and individuals to provide data to state agencies to serve the management and socio-economic development. However, in some special cases such as emergencies, national security threats, disasters, riot prevention and control, and terrorism, organizations and individuals are required to provide data upon request without the consent of the data subject. This provision helps the Government to quickly access and process important information when serious incidents occur.

Another notable point is that the Law stipulates that agencies, organizations and individuals are free to transfer data from abroad to Vietnam, process foreign data in Vietnam, and have their legitimate rights and interests protected by the State in accordance with the provisions of law. However, the transfer and processing of data must ensure national defense, security, protection of national interests, public interests, and the legitimate rights and interests of data subjects and data owners in accordance with the provisions of Vietnamese law and international treaties to which the Socialist Republic of Vietnam is a member. In particular, for important and core data, the transfer of data out of Vietnam must meet strict conditions, such as the data must ensure national security, public interests and the legitimate rights of individuals and organizations, and must be strictly controlled. The use of data processing platforms located outside Vietnam is also subject to regulation.

These regulations are intended to protect national data sovereignty as more and more international platforms process Vietnamese user data. However, this may also create barriers for international businesses wanting to operate in Vietnam, while increasing the cost of legal compliance for businesses.

Strict requirements on data protection and information security

Data protection is one of the most important contents of the Data Law 2024. Data protection measures are clearly stipulated, including: Developing data protection policies; Strictly managing data processing activities; Applying technical solutions to protect data; Training personnel to raise awareness of data security. State agencies are responsible for ensuring data security in their management areas, and at the same time establishing a unified data protection system nationwide.

Major technology corporations operating in Vietnam face many challenges when the Data Law 2024 comes into effect. (Photo: Getty)

At the same time, the Law identifies potential risks in the data processing process, including: Privacy risks (collection and use of personal data for the wrong purposes or without the consent of the data subject); Cybersecurity risks (cyberattacks or data intrusions); Identity and access management risks (data being used illegally or leaked). State agencies are responsible for establishing early warning mechanisms to prevent these risks. At the same time, organizations and individuals managing data also need to assess and proactively address risks, and notify data subjects if problems arise. Identifying and managing data risks is essential in the context of increasingly sophisticated cybercrime. Thus, implementing these regulations will require businesses to invest more in security systems and data control.

The law provides that individuals have the right to request the deletion or revocation of their personal data, unless otherwise provided by law. This helps protect users’ privacy, especially when data is collected without explicit consent. In addition, state agencies are also responsible for continuously adjusting, updating and storing data to ensure accuracy. This helps keep data transparent and accessible when needed. However, the challenge is whether international businesses can easily comply with this regulation, especially when their data is stored and backed up on many different platforms around the world.

Challenges in the context of artificial intelligence

The development of artificial intelligence (AI) is opening up unprecedented opportunities in many fields, from education, healthcare, finance to content creation. International AI platforms such as ChatGPT (OpenAI), Gemini, Llama, Google AI, DeepSeek, MidJourney... are increasingly popular in Vietnam, providing human support services with the ability to process information quickly, create diverse content and personalize user experiences. Moreover, new AI products are constantly being launched, "causing a fever" in public opinion, including some recent new products such as Manus, Suno AI, Kling AI, Luma Dream Machine, TikTok Symphony, Alibaba Qwen... These products represent the latest advances in the field of AI, bringing many utilities and creative solutions to users and businesses around the world.

The rapid development of AI technology poses many problems for data managers. (Photo: Dirox)

On the other hand, these advances also pose many challenges for authorities in enforcing laws and effectively managing data for foreign AI platforms. For example, most foreign AI platforms do not have servers located in Vietnam, leading to data being stored in many different countries that are difficult for authorities to control. In addition, the Data Law requires the protection of personal data and allows users to request data deletion. However, many AI platforms do not provide adequate tools for users to control their data. Meanwhile, authorities lack technical tools to monitor, inspect and require these platforms to comply with domestic regulations.

The Data Law 2024 regulates scientific and technological platforms in the construction, development, protection, administration, processing, and use of data, including artificial intelligence, cloud computing, blockchain, data communications, the Internet of Things, big data, and other modern technologies. It is worth noting that although the Law has established many regulations on cross-border data protection and management, there are still many legal gaps that make it difficult to regulate the operations of foreign technology enterprises in general and AI platforms in particular. One of those gaps is that there are no specific regulations on sanctions, as well as international legal cooperation mechanisms to coordinate the handling of violations against foreign enterprises that do not comply with the provisions of this Law.

In addition, current laws do not have clear regulations on the handling of data generated by AI. Specifically, generative AI tools such as ChatGPT and MidJourney can create content based on data collected from many sources. This leads to many unanswered legal questions: If AI reproduces false information or violates copyright, who is responsible? Is the data that AI generates itself protected as personal data?...

Source: https://baophapluat.vn/luat-du-lieu-tac-dong-den-cac-ong-lon-cong-nghe-post542425.html