Background
In December 2022, Ministers and high-level representatives of OECD Members and the European Union adopted the Declaration on Government Access to Personal Data Held by Private Sector Entities, which sets out high-level principles for trustworthy government access to personal data (the “PPC Principles”). Since then, these principles have increasingly been used as a reference benchmark in cross-border data protection assessments, particularly in the context of international data transfers and vendor due diligence.
Against this background, Vietnam’s Personal Data Protection Law No. 91/2025/QH15 (“PDPL”) coming into force on 1 January 2026 has prompted renewed scrutiny of how Vietnamese law regulates government access to personal data held or controlled by the private sector. A common question is whether the PDPL fundamentally alters, restricts, or “blocks” such access.
This newsletter provides a structured overview of Vietnam’s current legal framework on government access to personal data, and highlights matters in practice for companies operating in Vietnam.
Scope and definition of “government access”
For the purposes of this analysis, “government access” is understood in a narrow and functional sense, consistent with the PPC Principles. It refers to situations where Vietnamese public authorities access, request, or compel the provision of personal data held or managed by private-sector entities, primarily for national security or public order purposes, criminal investigation and prosecution, cybersecurity prevention and incident response, or administrative inspection and supervision.
Overview of the legal framework
Vietnamese law does not regulate government access to personal data through a single, consolidated statute. Instead, such access is grounded in multiple sector-specific laws, each reflecting a particular regulatory objective. In practice, the most representative instruments include: (1) the PDPL, as the overarching personal data governance framework; (2) the Law on Data, which establishes the national framework for data governance, data sharing, and provision of data to State authorities; (3) the Law on Cybersecurity, governing access in cybersecurity-related contexts; (4) the Law on National Security, providing broad authority to protect national security interests; (5) the Criminal Procedure Code, regulating investigative access to information and evidence; and (6) the Law on Inspection, governing administrative inspections and supervisory activities.
The role of the PDPL: The PDPL represents a significant step forward in Vietnam’s data protection regime by articulating comprehensive principles for personal data processing by private entities and reinforcing data subject rights as a general rule. The law affirms that personal data processing must pursue lawful purposes and comply with statutory principles, while expressly allowing data subject rights to be restricted where necessary to protect public interests such as national security, public order, and criminal law enforcement. It also contemplates cooperation obligations for data controllers and processors when acting upon lawful requests from competent authorities. However, the PDPL does not introduce a single, centralized control framework for government access. It neither exhaustively defines the categories of data subject to access, nor imposes uniform temporal limits, nor codifies a universally applicable proportionality test. As a result, constraints on government access continue to operate through sector-specific statutes, rather than being consolidated within the PDPL itself.
Purpose limitation and indirect constraints: Across the representative laws, Vietnam relies primarily on indirect constraints to limit government access. These constraints do not usually appear as explicit numerical thresholds or detailed access matrices, but operate through legal structure. Common features include: purpose limitation, whereby access is permitted only to pursue legally defined objectives (e.g., national security, criminal investigation, inspection scope); competence limitation, under which only authorities expressly empowered by law may request or obtain information, within their assigned remit; and relevance and necessity logic, which, while not always articulated as a formal proportionality test, underpins the expectation that access must relate to the stated purpose. In this respect, Vietnam’s approach differs from systems that rely on a single, codified proportionality rule, but nonetheless embeds substantive limits through authority design and purpose-based reasoning.
Authorization and procedural controls: Vietnamese law does not generally require uniform external pre-authorization (such as court warrants) for all government access to personal data. However, procedural safeguards vary by context. The most clearly articulated procedural controls are found in the criminal procedure framework, where certain investigative measures, particularly those involving coercive elements, are subject to defined procedural requirements and oversight, including the involvement of the procuracy. Outside criminal procedure, such as in administrative inspection, cybersecurity and data governance contexts, the legal framework relies more heavily on statutory authority and internal decision-making, rather than on explicit judicial authorization.
Transparency and notification: From a transparency perspective, Vietnamese law adopts a relatively restrained approach. There is no general obligation to notify data subjects of government access to their personal data, nor is there a statutory requirement for authorities to publish periodic statistics on access requests. Although Vietnam has an access-to-information regime, information classified as state secrets (a category that frequently intersects with national security matters) falls outside disclosure obligations. Certain sector-specific statutes, including the Law on Data, provide for limited procedural requirements vis-à-vis data providers, without establishing a general transparency or notification right for data subjects. Companies should therefore not expect government access activities to be accompanied by public reporting or individual notification mechanisms.
Oversight and remedies: Oversight mechanisms in Vietnam are similarly fragmented rather than unified. The clearest form of institutional oversight arises in the criminal procedure context, where the procuracy exercises supervisory authority over investigative activities. By contrast, Vietnamese law does not establish a data-specific redress mechanism for unlawful government access. Affected individuals must instead rely on general avenues such as administrative complaints, administrative litigation, or state compensation for unlawful acts causing damage. While these remedies are legally grounded, they are not designed around personal data protection as a distinct interest, and their practical effectiveness may be limited where considerations of national security confidentiality are involved.
Concluding observations
The PDPL represents a material strengthening of Vietnam’s personal data governance framework. It does not, however, fundamentally recalibrate the legal architecture governing State access to data. Government access remains grounded in multiple sector-specific statutes, structured by purpose limitation, allocation of authority, and procedural design, with the clearest forms of external oversight arising in the context of criminal procedure.
For businesses, the principal challenge is therefore not the absence of regulation, but the need to respond to lawful government requests in a disciplined, well-documented, and proportionate manner. In the Vietnamese legal environment, a compliance approach anchored in procedural clarity and careful legal reasoning remains the most reliable means of managing government-access risk, particularly in cross-border data protection assessments.
