Abstract: Cloud computing has fundamentally transformed the methods of processing, sharing and storing data, becoming a pivotal enabler of global digital transformation. The widespread adoption of cloud computing services simultaneously introduces profound legal and regulatory challenges concerning the protection of personal data. This article conducts a comparative legal examination of the Vietnamese regulatory framework governing cloud computing services and the protection of personal data within cloud service contracts, drawing parallels with selected foreign jurisdictions. By analyzing both statutory provisions and practical enforcement, the article identifies notable deficiencies and inconsistencies within the Vietnamese legal framework. It further advances recommendations for legislative and institutional reform aimed at strengthening the protection of personal data and ensuring greater legal certainty in cloud computing services in Vietnam.
Keywords: personal data, personal data protection, cloud computing, cloud computing services, cloud computing contracts.
Introduction
Cloud computing has been creating and continues to create a revolution in the organization of data storage, processing, and sharing, fundamentally transforming the manner in which data are operated and governed across society in the digital economy. According to a report by Grand View Research, the global cloud computing market size is estimated to reach USD 2,390.18 billion by 2030[1]. In Viet Nam, amid the Covid-19 pandemic, FPT Software signed a cloud computing service contract worth approximately USD 1 million with a Japanese company[2]. Although cloud computing is developing very rapidly, the storage, sharing, and processing of data through cloud computing also entail numerous risks, particularly in terms of information security and the privacy of data subjects. A study on data breaches in ASEAN conducted by the Ponemon Institute (with the support of IBM) in 2024 indicated that approximately 41% of data breaches involved data stored across multiple environments, including cloud computing environments. These breaches were identified as the most costly, with the average cost to resolve each incident amounting to SGD 4.63 million and taking up to 287 days to detect and contain[3]. This demonstrates the seriousness of personal data risks associated with the use of cloud computing services. This article analyzes the current situation of regulations on the protection of customers’ personal data in cloud computing service contracts in Viet Nam and internationally. On that basis, the authors propose several solutions to improve Vietnamese law in order to develop cloud computing services, contributing to harmonizing the requirements of technological innovation and digital transformation with the enhancement of responsibility for personal data protection of relevant entities. The article is conducted using methods of analyzing legal provisions and practical examples in Viet Nam and internationally. 
On that basis, the article synthesizes and evaluates current Vietnamese legal regulations, identifies legal gaps, and proposes solutions for improving the law on the protection of customers’ personal data in cloud computing service contracts in Viet Nam.
I. Overview of cloud computing service contracts and the protection of customers’ personal data in cloud computing service contracts
1.1. Concept and characteristics of cloud computing
At present, there is no unified definition of cloud computing worldwide[4].
From a linguistic perspective, the Cambridge Dictionary defines cloud computing as the use of technology, services, software, etc. on the Internet instead of software and hardware that a person has purchased and installed on his or her own computer[5].
From a research perspective, the United States National Institute of Standards and Technology (NIST) defines cloud computing as a model that enables convenient, on-demand network access to a shared pool of resources (e.g., networks, servers, storage devices, applications, and services). These resources can be rapidly provisioned and released with minimal management effort or minimal interaction with the service provider[6]. The International Organization for Standardization (ISO) defines cloud computing in Clause 3.1.1 of ISO/IEC 22123-1, according to which cloud computing is understood as a model enabling network access to a pool of existing physical or virtual resources that are shareable, scalable, or self-provisioned and managed on demand[7].
Major companies specializing in the provision of cloud computing services also adopt different definitions of cloud computing. Amazon Web Services defines cloud computing as the on-demand delivery of information technology resources over the Internet on a pay-as-you-go basis, whereby users can access technological services of cloud computing service providers instead of having to purchase and maintain existing equipment or servers[8]. According to Google, cloud computing is the ability to store computing resources on demand in the form of services over the Internet, whereby individuals and enterprises do not need to manage physical resources themselves and only pay for what they use[9].
From a legal perspective, at present only a limited number of countries have enacted legal instruments regulating cloud computing or are in the process of drafting relevant legislation. For example, in the Republic of Korea, the Act on the Development of Cloud Computing and Protection of Its Users 2015 (as most recently amended in 2021) provides a definition of cloud computing in Article 2(1), according to which cloud computing is understood as an information processing system that enables the flexible use of integrated resources and the sharing of information and communications, such as information and communications devices, information and communications systems, and software, through information and communications networks in accordance with users’ demands[10].
In 2012, the European Commission issued the European Cloud Computing Strategy with the objective of promoting the use of cloud computing[11]; however, to date, the European Union has not yet adopted a legal instrument on cloud computing. The Proposed EU Cloud and AI Development Act remains under development[12].
The Notes on the Main Issues of Cloud Computing Contracts of the United Nations Commission on International Trade Law (UNCITRAL) 2019 address the principal issues relating to contracts for the direct provision of cloud computing services between two commercial entities but do not establish a definition of cloud computing[13].
During recent years, Viet Nam has been actively implementing digital transformation activities. The storage and processing of data through traditional methods have gradually been replaced by modern technological models, among which cloud computing services are particularly prominent. On 11 June 2025, the Prime Minister issued Decision No. 1121/QD-TTg approving the National Action Program on the development of and transition to the use of cloud computing platforms for the period 2025–2030 (Decision No. 1121/QD-TTg), with the objective of promoting the development of cloud computing in Viet Nam. Decision No. 1121/QD-TTg identifies cloud computing platforms as strategic and prerequisite platforms that must be prioritized for selection and use in the digital transformation revolution and the development of artificial intelligence (Clause 1, Article 1). The concept of cloud computing is stipulated in Clause 10, Article 3 of the Law on Telecommunications 2023, according to which cloud computing is a model that allows flexible use, adjustment, and on-demand management of shared computing resources, including networks, servers, storage devices, and applications.
Accordingly, cloud computing may be understood as a model for the remote provision of information technology resources via the Internet, including servers, data storage, databases, software, and applications. Instead of storing software and data on personal hard drives (which are difficult to relocate and have limited accessibility), cloud computing enables users to access resources anytime and anywhere, while helping to reduce costs related to infrastructure investment, operation, and maintenance of information technology systems[14].
Cloud computing has the following basic characteristics[15]:
First, cloud computing is an on-demand self-service system. When using cloud computing, users can automatically access and use resources without the intervention of the service provider.
Second, cloud computing allows broad access via the Internet through different platforms/devices such as computers, mobile phones, tablets, etc.
Third, cloud computing centralizes diverse resources such as servers, storage, and networks and can serve multiple users simultaneously. Through technology, these resources are flexibly shared and automatically allocated according to each user’s demand, delivering high efficiency due to large scale (multiple users sharing the same infrastructure) and optimized specialization (centralized and professional management).
Fourth, although resources in cloud computing can be shared by multiple users on multiple devices at the same time, the system is still able to accurately monitor the level of use of each user through automatic metering tools, and fees are calculated based on actual usage.
Fifth, cloud computing has elastic scalability, allowing users to rapidly increase or decrease resources (such as storage capacity, virtual machines, bandwidth, etc.) depending on their needs. These resources are provided instantly, do not need to be maintained continuously, and can be adjusted at any time, thereby optimizing costs and efficiency of use.
Sixth, cloud computing has a wide scope of services, ranging from basic services such as network connectivity, storage, email, and office applications, to the provision and use of the entire physical information technology infrastructure (such as servers and data centers) and the virtual resources necessary for customers to build their own information technology platforms and to deploy, manage, and operate applications or software created or owned by customers. Cloud computing service models include infrastructure (IaaS), platform (PaaS), and software (SaaS).
Seventh, together with the development of information technology, cloud computing continuously updates and enhances its quality and efficiency by expanding functionalities, including artificial intelligence, to address issues and user needs that storage through hard drives or standalone devices cannot satisfy.
1.2. Concept and characteristics of cloud computing service contracts
At present, the term “cloud computing service contract” has not yet been defined in Vietnamese legal instruments or in international law. As a type of contract, a cloud computing service contract has the nature of a contract as provided in the Civil Code 2015, namely an agreement between parties. On the basis of the concept of a contract under the Civil Code 2015, a cloud computing service contract may be understood as an agreement between a cloud computing service provider and a customer to establish, modify, or terminate the rights and obligations of the parties in the course of the customer’s use of cloud computing services.
As a type of commercial service contract, a cloud computing service contract shares the general characteristics of commercial service contracts, such as being an agreement formed on the basis of voluntariness and freedom of will between the service provider and the customer. The customer, as the service user, has the obligation to pay service fees in accordance with the agreement. In addition, cloud computing service contracts also have the following specific characteristics:
The parties to a cloud computing service contract include the cloud computing service provider and the cloud computing service user (customer). However, in the performance of a cloud computing service contract, in addition to the service provider and the customer, third parties may also be involved. The cloud computing service provider may be a personal data processor (where the provider processes data only in accordance with the customer’s instructions and does not directly control or decide data processing activities) or a personal data controller and processor (where the provider directly collects data and decides on data processing activities), as provided in Clauses 10 and 11, Article 2 of Decree No. 13/2023/ND-CP on personal data protection (Decree No. 13/2023/ND-CP), or Clauses 8 and 9, Article 2 of the Law on Personal Data Protection 2025, which takes effect from 1 January 2026 (LPDP 2025). These provisions of Vietnamese law are similar to the regulations on the data processor and the data controller under Clauses 8 and 7, Article 4 of the General Data Protection Regulation (GDPR). The service user is an individual or organization entering into a cloud computing service contract with the service provider. The cloud computing service user may be a data subject or a data controller. Where the service user is a data subject, the service user is an individual to whom personal data relate, as provided in Clause 6, Article 2 of Decree No. 13/2023/ND-CP and Clause 5, Article 2 of the LPDP 2025. The service user may also be a personal data controller (an organization or individual that determines the purposes and means of personal data processing) as provided in Clause 9, Article 2 of Decree No. 13/2023/ND-CP or Clause 7, Article 2 of the LPDP 2025, for example, an enterprise using cloud computing services to store employees’ data. 
In addition, cloud computing service contractual relationships may also involve third parties with rights and obligations related to the performance of the cloud computing service contract, such as software providers or auxiliary service providers, and network infrastructure providers.
The object of the contract is cloud computing services, which are entirely dependent on technological infrastructure, including servers, software, metering systems, and, in particular, Internet connectivity. As cloud computing services are provided through an online environment, in the event of network disconnection or system failures, service provision may be interrupted. Therefore, the performance of a cloud computing service contract depends not only on the efforts of the contracting parties but is also affected by external factors related to technological infrastructure and the electronic network environment.
A cloud computing service contract is not associated with the transfer of ownership or use rights over physical assets but relates to the right to access and use digital resources provided remotely via the Internet[16]. Accordingly, a cloud computing service contract is considered a typical type of digital service contract in the digital economy.
Cloud computing service contracts often contain an international element. Most major cloud computing service providers today (such as Amazon Web Services, Google, Microsoft, etc.) are foreign enterprises providing cross-border services; alternatively, servers may be located outside the territory of Viet Nam, and data may be transmitted across borders[17].
II. The necessity of protecting customers’ personal data in cloud computing service contracts
According to statistics from Research and Markets, the Vietnamese data center market is expected to grow at a CAGR of 10.68% during the period 2022–2028, increasing from USD 561 million in 2022 to USD 1.037 billion in 2028. The Vietnamese cloud computing market has been identified as having the highest growth rate in Southeast Asia, ranking third in Asia. The projected growth rate of the Vietnamese cloud computing market over the next 5–10 years is estimated at 19–20%, with the market size expected to reach approximately USD 768 million by 2025 and USD 1.2 billion by 2030[18].
However, the development of the cloud computing market also brings numerous risks related to the protection of customers’ personal data in cloud computing service contracts, such as: the risk of loss or leakage of customers’ personal data; difficulty in controlling customers’ personal data when hackers infiltrate systems and exploit vulnerabilities in the user’s or cloud service provider’s systems to seize data; and the issue of responsibility among the involved parties in ensuring the security of customers’ data, which has not yet been specifically regulated by law[19].
According to the Cybersecurity Situation Summary Report 2024 of the Viet Nam Cyber Security Network (VSEC), 27% of organizations reported cloud security incidents in 2024, with more than 80% of cloud vulnerabilities exploited due to misconfiguration or lack of monitoring[20]. The Information Security Risk Report 2024 in Viet Nam, conducted by Viettel Cyber Security (VCS), disclosed that in 2024 Viet Nam recorded over 14.5 million exposed accounts, accounting for 12% of the global total, resulting in widespread public sale of personal and corporate information on online platforms[21]. The losses related to personal data arising from cloud computing services are considerable. The Illumio, Inc. Cloud Security Index Report 2023[22] indicates that the average loss per personal data breach arising from cloud computing services is approximately USD 16.1 million (equivalent to SGD 22 million) for the affected organizations, and 56% of survey participants stated that a cloud security breach could completely paralyze organizational operations. Cloud computing presents numerous personal data risks due to the following fundamental reasons:
(i) Cloud infrastructure and services are highly complex, making it extremely difficult to control all security vulnerabilities. When multiple cloud services interact with each other, the risk of incident propagation increases.
(ii) Cloud computing services operate in a multi-user and resource-sharing environment. Customer separation is primarily logical (through encryption and access rights) rather than physical, which increases the risk of unauthorized access due to misconfiguration or actions from providers and insiders within the organization.
(iii) Cloud services are accessed via the Internet and intranets. In cases of Internet-based access and remote management, the scope of potential access is expanded, allowing malicious actors to exploit security vulnerabilities.
(iv) When using cloud services, the service user often transfers control over data and systems to the provider, which reduces the user’s ability to monitor, directly manage, and respond to incidents, while increasing dependence on the provider.
(v) Threat actors can exploit the power of the cloud as a tool to bypass protective layers and scale security attacks, such as renting multiple virtual machines to crack passwords quickly, operating botnets[23] to send spam, or defeating CAPTCHA mechanisms[24].
Therefore, countries need to establish a comprehensive legal framework for the protection of customers’ personal data in cloud computing service contracts. Currently, Vietnamese law regarding the protection of customers’ personal data in cloud computing service contracts remains incomplete, and state agency oversight mechanisms are still weak. This is considered one of the major barriers affecting the effectiveness of personal data protection in cloud computing service contracts and the sustainable development of cloud computing services. In the coming period, Viet Nam needs to ensure the development of technical infrastructure and legal regulations to support the growth of cloud computing and the protection of customers’ personal data in cloud computing service contracts.
III. Vietnamese law on the protection of customers’ personal data in cloud computing service contracts
At present, Viet Nam does not have a separate legal instrument regulating cloud computing, cloud computing services, or cloud computing service contracts. Furthermore, provisions regarding the protection of personal data in cloud computing service contracts under personal data protection law remain very limited.
Vietnamese law defines personal data as “digital data or information in other forms that identify or assist in identifying a specific individual, including basic personal data and sensitive personal data. Personal data that has been anonymized is no longer considered personal data. Protection of personal data is understood as the use by agencies, organizations, or individuals of personnel, means, and measures to prevent and counter activities that infringe on personal data” (Clauses 1, 3, and 4, Article 2 of Decree No. 13/2023/ND-CP, and from 1 January 2026, Clauses 1 and 4, Article 2 of the Law on Personal Data Protection 2025 – LPDP 2025). The protection of personal data, including the protection of customers’ personal data in cloud computing service contracts, must comply with the principles of personal data protection set out in Article 3 of Decree No. 13/2023/ND-CP, and from 1 January 2026, Article 3 of the LPDP 2025, as follows: “Compliance with the Constitution, this Law, and other relevant legal provisions; Personal data may only be collected and processed within a specific, clear, and legitimate scope and purpose, ensuring compliance with legal regulations; Ensuring the accuracy of personal data, with the ability to correct, update, or supplement it as necessary, and store it for a period appropriate to the purpose of data processing, unless otherwise provided by law; Effectively implementing coordinated measures and solutions regarding institutions, technology, and human resources to protect personal data; Proactively preventing, detecting, stopping, combating, and promptly and strictly handling all acts that violate personal data protection laws;
Finally, protecting personal data must be linked to the protection of national and public interests, serve socio-economic development, ensure national defense, security, and foreign relations, and ensure a balance between personal data protection and the protection of the legitimate rights and interests of agencies, organizations, and individuals”.
Customers in cloud computing service contracts who are data subjects shall have the general rights and obligations of data subjects as prescribed in Articles 9 and 10 of Decree No. 13/2023/ND-CP or in Clauses 1, 2, and 3 of Article 4 of the Law on Personal Data Protection 2025 (LPDP 2025) (effective from 1 January 2026), including: Rights “to be informed about the processing of personal data; to give or withhold consent, and to withdraw consent for the processing of personal data; to access, correct, or request correction of personal data; to request provision, deletion, or restriction of personal data processing; to submit objections to the processing of personal data; to lodge complaints, denunciations, initiate litigation, and request compensation in accordance with the law; to require competent authorities or relevant agencies, organizations, or individuals involved in personal data processing to implement measures and solutions to protect their personal data in accordance with legal provisions”. And obligations “to protect their own personal data; to respect and protect the personal data of others; to provide complete and accurate personal data in accordance with the law, the contract, or when granting consent for personal data processing; to comply with laws on personal data protection and participate in preventing and combating activities infringing on personal data”. When exercising their rights and obligations, data subjects must “Fully comply with the principles prescribed by law; comply with the obligations of data subjects under the contract, exercise their rights and obligations for the purpose of protecting their own lawful rights and interests; not obstruct or hinder the lawful exercise of rights and obligations of the data controller, the data controller and processor, or the data processor; not infringe upon the lawful rights and interests of the State, agencies, organizations, or other individuals”.
Cloud computing service providers, as well as other relevant entities, are prohibited from engaging in the acts specified in Article 8 of Decree No. 13/2023/ND-CP or Article 7 of the Law on Personal Data Protection 2025 (LPDP 2025) (effective from 1 January 2026), including: “Processing personal data in a manner that opposes the Socialist Republic of Viet Nam, affects national defense, national security, social order and safety, or the lawful rights and interests of agencies, organizations, or individuals; Obstructing activities related to the protection of personal data; Exploiting personal data protection activities to commit acts in violation of the law; Processing personal data contrary to legal regulations; Using another person’s personal data, or allowing others to use one’s personal data, to carry out acts that violate the law; Buying or selling personal data, except where otherwise provided by law; Misappropriating, intentionally disclosing, or causing the loss of personal data”.
Decree No. 13/2023/ND-CP does not contain specific provisions on the protection of personal data in the cloud computing environment. However, Article 30 of the Law on Personal Data Protection 2025 (LPDP 2025) provides that personal data in the cloud computing environment “must be processed for legitimate purposes and limited to the necessary scope, ensuring the lawful rights and interests of data subjects; processing of personal data in… the cloud computing environment must comply with this Law and other relevant legal regulations; be consistent with ethical standards and the customs of Viet Nam; cloud computing systems and services… must integrate appropriate personal data security measures; use appropriate authentication, identification, and access control methods to process personal data; in cases where cloud computing service providers apply artificial intelligence to optimize functionality and enhance user experience, providers must classify data by risk level to implement appropriate personal data protection measures; cloud computing systems… must not use or develop personal data in a way that causes harm to national defense, national security, social order and safety, or infringes upon the life, health, honor, dignity, or property of others”.
In addition to the above, other Vietnamese legal instruments also address data protection, including personal data in cloud computing service contracts, such as: Articles 26 and 41 of the Cybersecurity Law 2018, and Articles 26 and 27 of Decree 53/2022/ND-CP detailing certain provisions of the Cybersecurity Law, which regulate responsibilities, data storage, establishment of branches or representative offices, and duration of data storage for providers of telecommunications networks, Internet networks, and value-added services in cyberspace in Viet Nam (including cloud computing services). Points b and g, Clause 2, Article 29 of the Law on Telecommunications 2023, which prescribe obligations for enterprises providing data center services and cloud computing services.
Article 28 of Decree 163/2024/ND-CP detailing certain provisions and enforcement measures of the Law on Telecommunications, which regulates the provision and storage of user information in cloud computing services...
Thus, it can be seen that Vietnamese legal regulations on the protection of customers’ personal data in cloud computing service contracts, while establishing principles of personal data protection and defining the rights and obligations of data subjects, remain limited, offering only general guidance rather than concrete, detailed rules. Furthermore, the dispersion of these provisions across multiple legal instruments leads to overlap and reduces the coherence of the national legal system.
IV. Recommendations for improving Vietnamese law on cloud computing services and the protection of customers' personal data in cloud computing service contracts
Decision No. 1121/QD-TTg has identified the task of “improving the legal framework to promote the development of infrastructure and services using cloud computing technology”. However, Vietnamese law on cloud computing services and the protection of customers’ personal data in cloud computing service contracts still contains many legal gaps, such as the lack of definitions for cloud computing, cloud computing services, the rights and obligations of parties participating in cloud computing service contracts, and the responsibilities of cloud computing service providers. These limitations necessitate the prompt completion of a legal framework to facilitate the development of cloud computing services and better protect customers’ personal data. The State should quickly develop and promulgate legal documents regulating cloud computing, cloud computing services, and cloud computing service contracts. To ensure consistency within the legal system, such legislation does not necessarily need to be a separate law but could be issued as a Government Decree, containing the following basic contents:
Regulation of concepts for cloud computing, cloud computing services, and cloud computing service contracts, based on harmonization with concepts and understandings of cloud computing and cloud computing services currently used worldwide. A cloud computing service contract can be defined as an agreement between a cloud computing service provider and a customer to create, modify, or terminate the rights and obligations of the parties during the customer’s use of cloud computing services.
Detailed provisions on the rights and obligations of parties participating in cloud computing service contracts should clarify the responsibilities of cloud computing service providers and related third parties, with particular emphasis on the responsibility to protect customers’ personal data. In the event that risks to customers’ personal data occur, and the cloud computing service provider or a third party is found to be at fault - whether negligently or intentionally - they shall be liable to compensate for the arising damages and be subject to administrative sanctions or criminal liability.
Regulation on Service Level Agreements (SLA). A Service Level Agreement (SLA) is a common commitment in service contracts provided via the internet by service providers (including cloud computing services), which allows customers to know precisely the scope and quality of services guaranteed. The contents typically included in an SLA are: scope of services, service quality, uptime, incident response time, remediation time, and commitments to protect personal data. SLAs clearly define the level of service the provider guarantees, including criteria and indicators for evaluating service performance, serving as a legal basis for resolving disputes related to service quality. At the same time, SLAs also regulate security parameters, such as encryption of data during storage, transmission, and usage, access control and authorization, security monitoring, incident response time, and data recovery time. An SLA is a publicly available document from the provider, reflecting transparency regarding service quality, and also supporting the protection of personal data in cases where the contract does not specifically regulate personal data protection[25].
Regulations on multi-tier contracts and contractual liability in cloud computing services. As discussed above, Vietnamese law has not yet provided comprehensive regulations on cloud computing services or cloud computing service contracts. Multi-tier contracts are a common type of contract in cloud computing services, but they remain one of the areas not yet addressed by Vietnamese law. A multi-tier contract in cloud computing services is a contract in which the provision of cloud computing services to a customer involves multiple parties, linked through contractual relationships to ensure the efficiency of service delivery. However, such contractual arrangements pose significant challenges in delineating the responsibilities of the parties involved, especially regarding the protection of customers’ personal data. Therefore, Vietnamese law needs to include specific provisions guiding how to identify the party responsible and the scope of responsibility of the parties in cases where a cloud computing service contract is a multi-tier contract.
Regulation on Acceptable Use Policy (AUP)[26].
Cloud computing services allow broad access and simultaneous sharing among multiple users. Meanwhile, service providers primarily manage the infrastructure level, without direct control over individual users’ activities; their control is also limited by the operational principles of the service, and comprehensive monitoring is not feasible. Even a single user’s violation - such as distributing malware, attacking systems, storing or performing illegal activities - can affect the entire service system and other users. An AUP is a set of rules established by the service provider, legally enforceable as a contract clause, to regulate users’ service usage, limit abuse, and protect the system and the provider against illegal acts committed by users via the provided infrastructure. The AUP also plays an important role in protecting personal data, because comprehensive personal data protection requires responsibility not only from the service provider but also compliance and cooperation from the users[27].
Therefore, AUPs should be regulated by law to ensure transparency, maintain a balance between the rights and obligations of parties, and safeguard customers’ personal data.
Regulations on the form and sample content of cloud computing service contracts, and server location. Cloud computing service contracts must be executed in writing or in other forms with equivalent legal validity, including electronic formats. All referenced documents should be attached to the main contract to ensure transparency and ease of access. The contract content is generally based on the free will of the parties. However, the law should provide guidance on sample content for cloud computing service contracts, serving as a reference for parties when entering into agreements. Under Article 41 of the EU Data Act 2023[28], “by 12 September 2025, the European Commission shall develop and propose non-binding model contractual clauses on access to and use of data, including clauses on fair compensation and trade secret protection, as well as non-binding standard contractual clauses for cloud computing service contracts to assist parties in drafting and negotiating contracts with fair, reasonable, and non-discriminatory contractual rights and obligations.” This approach - proposing model clauses for cloud computing service contracts as a reference rather than mandatory rules - is appropriate to safeguard the interests of both service providers and customers while promoting the development of cloud services. Sample clauses for cloud computing service contracts may include: Definitions and terminology; Service Level Agreement (SLA); Acceptable Use Policy (AUP); Service fees and payment terms; Rights and obligations of parties; Commitments on confidentiality and personal data protection; Procedures for detecting, reporting, and resolving incidents; Handling of service requests, support, and contact information; Termination, suspension, or transfer of data; Data deletion.
Regulations on server location. When using cloud computing services, the server location is a critical factor because data storage and transmission in cloud environments are complex and difficult to control[29]. Therefore, personal data may be at risk of exploitation or violation, reducing the enforceability of applicable law and directly affecting the legal rights of data subjects and national cybersecurity. As of October 2022[30], Vietnam had 39 cloud service providers, 27[31] data centers operated by 11 companies, with Vietnamese companies holding 19.68% of the market and foreign providers over 80%. Among foreign providers, Amazon Web Services held 33%, while Google and Microsoft held 21% each. By November 2025, providers such as AWS, Google, Microsoft, Akamai, IBM Cloud, and Alibaba Cloud had servers located abroad. Currently, Vietnamese law has no provisions regulating server location, which complicates determining the applicable law, especially when data storage or servers are located overseas or involve cross-border data transfers.
Therefore, Vietnamese law should include provisions requiring disclosure of server and data storage locations, and stipulate that any change in server location must be explicitly specified in the cloud computing service contract.
Regulations on technical criteria, standards, and certifications for ensuring cybersecurity and information security when providing cloud computing services, for example: personal data security competency certification, information security certifications (ISO/IEC 27001, ISO 27017, SOC 2, CSA STAR, MTCS SS 584…). Currently, Vietnamese law only stipulates general obligations for the protection of personal data but does not provide specific regulations. For example, it only provides for the “effective and synchronized implementation of institutional, technical, and human measures and solutions suitable for protecting personal data” (Clause 4, Article 3, Law on Protection of Personal Data 2025), and that “cloud computing services… must integrate appropriate personal data security measures” (Clause 3, Article 30, Law on Protection of Personal Data 2025). The cybersecurity criteria for cloud computing platforms have so far only been applied to serve e-Government and digital government[32], and are limited to encouraging other agencies and organizations to refer to them when building and deploying cloud computing platform solutions. Therefore, it is necessary to have a set of data security criteria or personal data protection certifications applicable to the entire cloud computing industry, regardless of whether the services are provided to the public or private sector. Regulations on sanctions or suspension of operations for service providers who do not have or fail to maintain such certifications throughout the service provision period should also be provided, in order to ensure binding legal effect and maintain personal data protection. This will increase transparency, strengthen user trust, and create competitive advantages for domestic enterprises in international integration.
Regulations on the inspection and supervision of cloud computing service provision and personal data protection by competent state authorities and by the contracting parties (data subjects, data controllers, data processors, and data controllers and processors) or by third parties involved in the provision of cloud computing services (such as parties contracted to perform service audits, inspection, certification providers, etc.). Accordingly, the data controller is required to assess the capability of the cloud service provider to ensure that it is competent and must continuously monitor and supervise the processing of personal data by the cloud service provider; the service user is entitled to supervise the service provider’s compliance with the contract and the law by requesting reports on the fulfillment of personal data protection obligations; the service user is entitled to audit the service provider’s compliance with the contract and the law through an independent auditing unit or request to receive regular assessment results from a standard and service quality certification organization (for example, ISO 27001, ISO 27017, etc.). For example, Japan’s Act on the Protection of Personal Information (APPI)[33] provides specific regulations on the supervision of entrusted parties in Article 25 as follows: “When a business entrusts all or part of the processing of personal data to a third party, the business shall conduct necessary and appropriate supervision of the entrusted party to ensure the security of the entrusted personal data.”
Specific regulations on notification of violations of personal data protection in cloud computing service contracts, including: cases requiring notification, recipients of the notification, deadlines for preliminary and detailed reporting, and sanctions for failure to fulfill the notification obligation. According to Article 23 of Decree 13/2023/ND-CP or Article 23 of the Law on Protection of Personal Data 2025 (effective from January 1, 2026): “The data controller, the data controller and processor, or a third party that detects a violation of personal data protection regulations that may cause harm to national defense, national security, social order and safety, or infringe upon the life, health, honor, dignity, or property of the data subject must notify the competent authority for personal data protection no later than 72 hours from the time the violation is detected. In the case where the data processor detects the violation, it must promptly notify the data controller or the data controller and processor.” However, this regulation is not comprehensive, as it does not cover situations where no violation is detected, or where a violation goes undetected but still causes damage to personal data. One example is the case of Dubsmash Inc., where user data (including names, profile pictures, and encrypted passwords) was unlawfully shared and offered for sale on the Internet. After investigation, the Berlin Commissioner for Data Protection and Freedom of Information (a state-level public authority responsible for supervising data and information protection) determined that there was insufficient evidence of a violation under general personal data protection regulations[34].
Article 23 also does not provide rules on notification responsibility in cases where violations occur but may not cause damage. In addition, the recipients of violation notifications should include the data subject, or the data subject’s guardian or legal representative, as they have the right to be informed and are the parties who directly bear the consequences of the damage from the violation.
Regulations on the processing of personal data after the termination of cloud computing service contracts. The deletion, destruction, and anonymization of personal data have been stipulated in Clause 5, Article 39 of Decree 13/2023/ND-CP and further clarified in Article 14 of the Law on Protection of Personal Data 2025. However, to safeguard the rights and interests of customers, the law needs to provide additional regulations regarding the processing of personal data after the termination of cloud computing service contracts, including: the methods of processing, the processing deadlines, and the responsibilities in cases where personal data are not processed in accordance with the agreement or legal provisions after contract termination. Vietnamese law may stipulate that the return of data shall be carried out as follows: The method of data transfer shall be determined at the request of the service user at the time of termination; The data format shall be specified at the request of the service user at the time of termination; The service provider shall be responsible for encrypting the data before transfer and providing the password/decryption method to the service user; The service provider shall be responsible for transferring the data in good faith and ensuring information security. Additionally, the service provider may be allowed to retain the data and the access rights of the service user for a certain period to enable the service user to review and complete the data transfer, and this period shall not incur service fees.
V. Conclusion
Thus, cloud computing has brought outstanding benefits in terms of flexibility, efficiency, and cost optimization in data storage and processing. However, alongside the rapid development of cloud computing, challenges related to privacy and the protection of personal data are increasingly significant. Therefore, it is essential to establish a legal document on cloud computing with clear and strict provisions to optimally protect customers’ personal data in cloud computing service contracts. This would contribute to strengthening user trust in the services, enhancing the efficiency of cloud computing service provision, and promoting the sustainable development of the cloud computing market in Viet Nam.
REFERENCES
1. Law on Protection of Personal Data 2025
2. Law on Cybersecurity 2018
3. Law on Telecommunications 2023
4. Decree No. 13/2023/ND-CP on Protection of Personal Data.
5. Decree No. 53/2022/ND-CP detailing certain articles of the Law on Cybersecurity
6. Decree No. 163/2024/ND-CP detailing certain articles and implementing measures of the Law on Telecommunications
7. Decision No. 1121/QD-TTg of the Prime Minister approving the National Action Program on Development and Transition to Cloud Computing Platforms for the 2025–2030 period
8. Decision No. 8297/QD-BCA-A05 dated October 9, 2025, of the Minister of Public Security on Promulgation of the Cybersecurity Criteria for Cloud Computing Platforms serving E-Government/E-Government Administration
9. European Union Data Act 2023 https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng
10. Act on the Protection of Personal Information of Japan https://laws.e-gov.go.jp/law/415AC0000000057
11. Act on the Development of Cloud Computing and User Protection of the Republic of Korea https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=60378&type=part&key=43
12. Cambridge Dictionary https://dictionary.cambridge.org/dictionary/english/cloud-computing
13. https://uncitral.un.org/sites/uncitral.un.org/files/media-documents/uncitral/en/19-09103_eng.pdf
14. Carlos A. Rohrmann & Juliana Falci Sousa Rocha Cunha, Some legal aspects of cloud computing contracts, Journal of International Commercial Law and Technology, Vol. 10, No. 1 (2015)
15. Enas M. Qutieshat, Bassam Al-Tarawneh, Consent in cloud computing contracts: Some legal issues under the Jordanian Law, International Journal of Humanities and Social Science, Vol. 6, No. 11, November 2016
16. Krzysztof Zok, Cloud computing contracts as contracts for the supply of digital content: Classification and information duty, Masaryk University Journal of Law and Technology, Vol. 13, No. 2 (2019)
17. Krzysztof Zok, Law applicable to cloud computing contracts concluded with consumers under Regulation 593/2008, according to the CJEU case law, Masaryk University Journal of Law and Technology, Vol. 13, No. 2 (2019)
18. https://mst.gov.vn/an-toan-thong-tin-khi-doanh-nghiep-len-may-loi-ich-se-nhieu-hon-rui-ro-197151654.htm
19. https://vsec.com.vn/tin-tuc-bao-chi/security-assessments-on-cloud/
20. Viettel Cyber Security, Report on Information Security Risks in Viet Nam, https://s.ladicdn.com/64814eb316872400126f2f2b/bao-cao-tinh-hinh-nguy-co-attt-tai-viet-nam-nam-2024-20250305081424-6a5-e.pdf
21. Malik Irain, Jacques Jorda, Zoubir Mammeri, Landmark-based data location verification in the cloud: review of approaches and challenges, Journal of Cloud Computing 6, 31 (2017)
22. Object Management Group, Cloud working group, Cloud service agreements: What to expect and what to negotiate, version 3.0, September 2019
23. Ponemon Institute, Data breach cost in ASEAN hits new high (2024), https://www.computerweekly.com/news/366612788/IBM-Data-breach-cost-in-ASEAN-hits-new-high
24. Peter Mell, Timothy Grance, The NIST definition of cloud computing Recommendations of the National Institute of Standards and Technology, Special publication 800 – 145, 9/2011
25. Serena Nicolazzo, Antonino Nocera, Witold Pedrycz, Service Level Agreements and security SLA: A comprehensive survey, arXiv, Cornell University, 31/1/2024
26. Tran Van Thien, Huynh Trong Tuan Anh, Research on the Development of Botnets over the Past 20 Years, Journal of Science and Economic Development, No. 13, Nam Can Tho University.
27. ISO/IEC 22123-1:2023 https://www.iso.org/obp/ui/en/#iso:std:iso-iec:22123:-1:ed-2:v1:en
28. https://aws.amazon.com/what-is-cloud-computing/
29. https://cloud.google.com/learn/what-is-cloud-computing
30. https://commission.europa.eu/system/files/2019-05/ec_cloud_strategy.pdf
31. https://digital-strategy.ec.europa.eu/en/policies/cloud-computing
32. Nhi Anh (2024), Vietnam’s Data Center and Cloud Market Experiences Explosive Growth, Vietnam Economic Journal, No. 13-2024, https://vneconomy.vn/thi-truong-data-center-va-cloud-viet-nam-tang-truong-bung-no.htm
33. Illumio, Inc., Cloud Security Index Key Findings from Singapore, https://lp.illumio.com/rs/093-SFK-561/images/Illumio_Cloud_Security_Index_Sing.pdf, p. 2
34. VTV Online Newspaper (2022), Cloud Computing Market Share, https://vtv.vn/cong-nghe/thi-phan-dien-dam-may-cloud-co-hoi-nao-cho-doanh-nghiep-noi-20221013110741398.htm
35. According to Vietstats Statistics https://vietstats.vn/con-so-biet-noi/thi-truong-trung-tam-du-lieu-viet-nam-tiem-nang-ti-do-va-thach-thuc-phat-trien/?id=0a905299-f6fe-41d1-8335-6333bfe3cb6e
36. Summary Final Decision Art 60 (LSA) https://www.edpb.europa.eu/sites/default/files/article-60-final-decisions/summary/publishable_debe_2020-07_personal_data_breach_summarypublic.pdf
37. https://www.grandviewresearch.com/industry-analysis/cloud-computing-industry
38. https://vietnamfinance.vn/fpt-software-gianh-hop-dong-trieu-usd-ve-dien-toan-dam-may-giua-mua-dich-covid-19-d49159.html
[*] PhD, Lecturer, Faculty of Economic Law, Hanoi Law University. Email: quynhanhtran1912@gmail.com, date of approval for publication: 31/12/2025
[**] Graduate student, Master’s program in Applied Economic Law, Course 31, Phase 3 (Academic year 2023–2025), Hanoi Law University – Student ID: 31UD307009
[1] https://www.grandviewresearch.com/industry-analysis/cloud-computing-industry, last accessed on 06/11/2025
[2] https://vietnamfinance.vn/fpt-software-gianh-hop-dong-trieu-usd-ve-dien-toan-dam-may-giua-mua-dich-covid-19-d49159.html, last accessed on 06/11/2025
[3] https://www.computerweekly.com/news/366612788/IBM-Data-breach-cost-in-ASEAN-hits-new-high, last accessed on 06/11/2025
[4] Enas M. Qutieshat, Bassam Al-Tarawneh, Consent in cloud computing contracts: Some legal issues under the Jordanian Law, International Journal of Humanities and Social Science, Vol. 6, No. 11, November 2016, pages 201-202
[5] https://dictionary.cambridge.org/dictionary/english/cloud-computing, last accessed on 06/11/2025
[6] Peter Mell, Timothy Grance, The NIST definition of cloud computing – Recommendations of the National Institute of Standards and Technology, Special publication 800 – 145, 9/2011, page 2
[7] ISO/IEC 22123-1:2023 (en), Information technology – Cloud computing, https://www.iso.org/obp/ui/en/#iso:std:iso-iec:22123:-1:ed-2:v1:en, last accessed on 06/11/2025
[8] https://aws.amazon.com/what-is-cloud-computing/, last accessed on 06/11/2025
[9] https://cloud.google.com/learn/what-is-cloud-computing, last accessed on 06/11/2025
[10] https://elaw.klri.re.kr/eng_mobile/viewer.do?hseq=60378&type=part&key=43, last accessed on 03/11/2025
[11] https://commission.europa.eu/system/files/2019-05/ec_cloud_strategy.pdf, last accessed on 03/11/2025
[12] https://digital-strategy.ec.europa.eu/en/policies/cloud-computing, last accessed on 03/11/2025
[13] https://uncitral.un.org/sites/uncitral.un.org/files/media-documents/uncitral/en/19-09103_eng.pdf, last accessed on 03/11/2025
[14] Carlos A. Rohrmann & Juliana Falci Sousa Rocha Cunha, Some legal aspects of cloud computing contracts, Journal of International Commercial Law and Technology, Vol. 10, No. 1 (2015), pages 37-38
[15] Peter Mell, Timothy Grance, The NIST definition of cloud computing – Recommendations of the National Institute of Standards and Technology, Special publication 800 – 145, 9/2011, page 2
[16] Krzysztof Zok, Cloud computing contracts as contracts for the supply of digital content: Classification and information duty, Masaryk University Journal of Law and Technology, Vol. 13, No. 2 (2019), page 137
[17] Krzysztof Zok, Law applicable to cloud computing contracts concluded with consumers under Regulation 593/2008, according to the CJEU case law, Masaryk University Journal of Law and Technology, Vol. 13, No. 2 (2019), pages 85-86
[18] Nhi Anh (2024), Vietnam’s Data Center and Cloud Market Booms, Vietnam Economic Journal, No. 13‑2024, https://vneconomy.vn/thi-truong-data-center-va-cloud-viet-nam-tang-truong-bung-no.htm, last accessed on 06/11/2025
[19] https://mst.gov.vn/an-toan-thong-tin-khi-doanh-nghiep-len-may-loi-ich-se-nhieu-hon-rui-ro-197151654.htm
[20] https://vsec.com.vn/tin-tuc-bao-chi/security-assessments-on-cloud/?, last accessed on 22/11/2025
[21] https://s.ladicdn.com/64814eb316872400126f2f2b/bao-cao-tinh-hinh-nguy-co-attt-tai-viet-nam-nam-2024-20250305081424-6a5-e.pdf, last accessed on 22/11/2025
[22] Illumio, Inc., Cloud Security Index Key Findings from Singapore, https://lp.illumio.com/rs/093-SFK-561/images/Illumio_Cloud_Security_Index_Sing.pdf, p. 2, last accessed on 06/11/2025
[23] Botnet is a network of computers or devices remotely controlled by hackers without the owners’ knowledge (Tran Van Thien, Huynh Trong Tuan Anh, Research on the Development of Botnets in the Last 20 Years, Journal of Science and Economic Development, No. 13, Nam Can Tho University, p. 3).
[24] CAPTCHA is a type of web-based test designed to distinguish humans from automated programs, aimed at preventing bots from performing automated actions on websites (e.g., creating fake accounts, spamming, automated logins…)
[25] Serena Nicolazzo, Antonino Nocera, Witold Pedrycz, Service Level Agreements and security SLA: A comprehensive survey, arXiv, Cornell University, 31/1/2024, pages 1-2
[26] Acceptable Use Policy (AUP) is a common document in service contracts provided over the Internet, defining the usage limits of customers and end users with respect to cloud computing services.
[27] Object Management Group, Cloud Working Group, Cloud Service Agreements: What to Expect and What to Negotiate, Version 3.0, September 2019, pp. 8–9.
[28] https://eur-lex.europa.eu/eli/reg/2023/2854/oj/eng, last accessed on 06/11/2025
[29] Malik Irain, Jacques Jorda, Zoubir Mammeri, Landmark-based data location verification in the cloud: review of approaches and challenges, Journal of Cloud Computing 6, 31 (2017)
[30] VTV Online Newspaper (2022), Cloud Computing Market Share, https://vtv.vn/cong-nghe/thi-phan-dien-dam-may-cloud-co-hoi-nao-cho-doanh-nghiep-noi-20221013110741398.htm last accessed November 6, 2025.
[31] According to Vietstats statistics updated in July 2025, there were 41 data centers nationwide, including both operational centers and those under construction, https://vietstats.vn/con-so-biet-noi/thi-truong-trung-tam-du-lieu-viet-nam-tiem-nang-ti-do-va-thach-thuc-phat-trien/?id=0a905299-f6fe-41d1-8335-6333bfe3cb6e, last accessed November 6, 2025.
[32] Decision No. 8297/QD-BCA-A05 dated October 9, 2025, of the Minister of Public Security on Promulgating the Criteria for Ensuring Cybersecurity for Cloud Computing Platforms Serving E-Government/Electronic Government.
[33] https://laws.e-gov.go.jp/law/415AC0000000057, last accessed November 6, 2025.
[34] Summary Final Decision Art 60 (LSA), https://www.edpb.europa.eu/system/files/2023-08/fr_2023-06_external_summary_final_decision_art_60.pdf, last accessed November 6, 2025.