Tighter data control: Vietnam’s race to redesign digital services

[HO CHI MINH CITY] Data in Vietnam has never been more tightly managed.

The shifting regulatory landscape is fundamentally reshaping how firms and state bodies design systems that increasingly depend on the collection, processing and transfer of user data.

Vietnam is now governing data through a series of rules that came into effect recently, which are aimed at safeguarding privacy, security and national interests. The regulations cover digital citizen documents, online health records and e-transactions, as well as electronic property identification codes, activity on websites, and data used for artificial intelligence applications.

And these new rules are no longer merely symbolic.

When Vietnam’s leading messaging app Zalo forced users to accept all data-collection clauses or risk account deletion at the end of 2025 – a few days before the country’s personal data protection rules took effect – public backlash was fierce, followed by swift penalties from the authorities.

Many users started migrating to alternative apps to avoid sharing their data with the platform, signalling that consent is not only a regulatory compliance requirement but also a negotiation of value.

Re-engineering digital services

Among the latest rules, the Personal Data Protection Law (PDPL), combined with its guidance known as Decree 356, marked a turning point for the country’s digital economy. 

Under PDPL, companies in Vietnam must now obtain clear opt-in consent for personal data including “behavioural data”, which is classified as “sensitive” and includes information about people’s activities on apps and websites. 

The regulatory shift is forcing a rethink across the broader digital industry, where business models have long relied on implicit consent and broad data-sharing agreements.

SEE ALSO

Vietnam fines TikTok, Zalo operators over data consent practices

Vietnam’s dominant messaging app faces regulatory scrutiny over data policy update

Phat Tran, managing lawyer at Ho Chi Minh City-based Henrison Law, pointed out that digital platforms and advertising-technology players are particularly at risk as data collection has traditionally underpinned revenue.

“The heaviest blow falls not just on ‘Big Tech’, but (also) on any sector where consumer data is the primary raw material rather than just an administrative by-product,” he said. “Companies that monetise user profiling must fundamentally re-engineer how they acquire and retain value.”

Combined with cross-border data-transfer limitations – this is specified in a separate Data Law that was rolled out in Vietnam last July – the situation could be even more complex.

Sending users’ behavioural data on a website to foreign third-party analytics tools without explicit consent – this was once a common practice – is no longer legal in Vietnam, pointed out Ronni Christiansen, a technical privacy engineer and chief executive at AesirX.io. The company provides firms with first-party consent management and analytics tools for their websites.

But that does not mean profitability has to suffer under stricter rules, he said, adding that businesses can “deliver their services in different ways”.

Christiansen noted that platforms must be specific and transparent when collecting user data in Vietnam. “If you explain clearly that behavioural data is used to recommend content or improve user experience, people can say ‘yes’ or ‘no’. If they say ‘no’, you fall back on standard or contextual profiling.”

Santhosh Mahendiran, chief data and analytics officer at Vietnam’s private lender Techcombank, also emphasised that consent now defines the boundaries of engagement: If customers decline permission for certain uses, the bank simply does not use the data.

He believes that as customers become more aware of how useful their information is, they also expect something in return for sharing that data. The bank’s approach, in turn, is grounded in value delivery rather than intrusive data collection.

“As long as we are able to provide a value based on the data shared, customers are going to be happy,” he said. “It’s all about understanding the customer. It’s not about just taking consent and bombarding customers with offers.”

The state needs to rethink, too

The Vietnamese government is applying a similar logic to national data collection, combining enforcement with incentives and value-added digital service offerings.

At the centre of the effort is VNeID, the national digital identity platform. By the first half of 2025, more than 65 million accounts were activated, with roughly 425,000 daily log-ins. The police-led app now hosts millions of digitised documents, including driver’s licences and vehicle registrations.

Still, the authorities acknowledge challenges in engaging with citizens to leverage and strengthen its databases. Despite progress in digitalisation, with about one-third of more than 6,000 administrative procedures nationwide being fully digitalised, 82 per cent of them did not generate any online applications.

“Efforts to encourage citizens to fulfil their role in enriching data – by creating, updating and verifying information – still face significant obstacles, as people remain largely indifferent to the benefits they receive,” stated a recent report by the Ministry of Public Security.

To address this, VNeID – originally designed for identity verification and access to public services – is being developed into a “super app” integrating digital wallets, secure e-signatures, official e-mail addresses and even social media features.

The Digital Citizen Score has also been proposed, calculated based on the frequency of digital public service usage and contributions to the national data ecosystem. Citizens with high scores may receive benefits such as tax incentives, fee reductions and faster administrative processing.

“(Vietnam does) not view data merely as a free-flowing commercial asset, but (also) as a resource subject to national digital sovereignty,” said Henrison Law’s Phat.

“Data is no longer just for storage,” he added. “It is being weaponised to monitor compliance, detect anomalies and inform policy decisions instantly.”

A level playing field

Greater state involvement in citizen data management could create opportunities for businesses, observed Nguyen Son, vice-president at ABN Asia, a global software company with engineering hubs in Vietnam and Estonia.

“When identity, transaction, asset and business activity data become interoperable and verifiable, informal economic activity is gradually recorded, standardised and managed,” he said. “This helps expand the tax base, reducing revenue leakage and creating fairer competition between compliant and non-compliant firms.”

However, the reactions to tighter data management in Vietnam have been mixed, ranging from public unease about increased surveillance and changing habits, as well as concerns over stifled innovation and resistance to greater income transparency.

Techcombank’s Mahendiran also acknowledged the greater overhead linked with data collection compliance for businesses following the new rules, but viewed it as “necessary”.

He believes that the new data rules are creating a level playing field by clearly defining the constraints with which all organisations need to operate. 

“If the data is so valuable, you had better protect it,” he said. “Customers need to fully understand their rights. When they do – and when we deliver real value – they would appreciate it.”