Safeguards essential for e-commerce data

The rapid growth of e-commerce has highlighted the urgent need for an appropriate legal framework, particularly in areas such as tax administration and personal data protection. Recently issued regulations, including Decree No.117/2025/ND-CP and the Personal Data Protection Law (PDPL), have attracted considerable attention from businesses and other stakeholders.

Decree 117 took effect on July 1. The decree introduces several key provisions on tax administration for business activities conducted on e-commerce platforms, with particular emphasis on the obligations of e-commerce and digital platform operators to withhold and remit taxes on behalf of households and individuals.

Accordingly, domestic and foreign e-commerce and digital platform operators, including owners or authorised persons managing the platform, are required to withhold and remit taxes on behalf of households and individuals in several cases.

First is VAT applicable to each transaction involving the supply of goods or services that generates revenue in Vietnam by households and individuals conducting business on the e-commerce and digital platform;

Second is personal income tax (PIT) involving resident households and individuals, applicable to each transaction involving the supply of goods or services that generates revenue in Vietnam or overseas by resident individuals conducting business on the e-commerce and digital platform.

Third is PIT involving non-resident households and individuals, applicable to each transaction involving the supply of goods or services that generates revenue in Vietnam by non-resident individuals conducting business on the e-commerce and digital platform.

The VAT and PIT amounts to be withheld are determined by a percentage of the revenue generated from each transaction involving the sale of goods or provision of services.

Platform operators shall declare withheld taxes on a monthly basis, with taxes from cancelled or returned transactions offset against those from valid transactions, and the remittable tax amount being the total tax after such offsets (see box).

Key responsibilities

Platform operators should first assess whether they are subject to the tax withholding and remittance obligations under Decree 117 and review relevant transactions and revenue generated in Vietnam and abroad through their platforms. They should also identify cases where tax withholding is required on behalf of households and individuals.

Operators should build or upgrade systems to monitor required information, as well as automatically calculate and withhold taxes at the transaction level to ensure compliance.

It is also important to review applicable policies and agreements to ensure alignment with Decree 117, particularly those concerning household and individual obligations and the responsibilities of platform operators.

Operators should train internal teams and, if necessary, seek support from legal and tax advisors to ensure proper understanding and effective implementation of the new regulations.

As individuals and households with whom taxation regulations are not quite familiar, sellers should take appropriate actions to adapt to the shifting legal framework, to protect themselves, keep the business running while maintaining compliance.

They should also attend seminars or workshops organised by relevant e-commerce platforms, together with consulting taxation authorities for advice on tax obligations and/or procedures. It is recommended to maintain high awareness to avoid fraud and/or scams regarding tax return procedures.

The promulgation of the PDPL, which will take effect at the start of 2026, has already exerted considerable influence on various stakeholders - particularly organisations, businesses, and individuals involved in e-commerce activities.

Before the PDPL, protecting personal data in the e-commerce sector was primarily governed by Decree No.52/2013/ND-CP. Broadly speaking, both Decree 52 and the PDPL share several fundamental similarities, particularly with respect to responsibilities of parties involved in personal data processing, rights and consent of data subjects, and prohibition on the sale and purchase of personal data.

As of now, Decree 52 remains in effect; however, it is highly likely that it will soon be revised and supplemented to provide more detailed guidance and ensure consistency with the overarching provisions of the PDPL, particularly in light of the rapid and increasingly complex evolution of e-commerce activities.

Sanction expectations

The robust growth of e-commerce platforms - especially emerging and cross-border platforms that have yet to register legal operations in Vietnam - presents substantial challenges for ensuring the protection of consumers’ personal data. Many of these platforms lack clear commitments to data security, do not have protocols for responding to data breaches, and fail to meet minimum technical standards for information safety.

This results in heightened risks of unauthorised disclosure or misuse of personal data during electronic transactions - a latent risk that can lead to significant financial losses, reputational damage, and personal safety issues for consumers, ultimately eroding trust in the e-commerce environment.

To address this reality, the PDPL introduces stringent penalties for violations, depending on the nature, severity, and consequences of the act. Violations may be subject to administrative fines or criminal prosecution, and in cases where damage occurs, civil compensation is also required.

Notably, the PDPL provides for the following administrative fines including Illegal trading of personal data may result in administrative fines of up to 10 times the illicit gain generated from the violation. Cross-border transfers of personal data in violation of the law may be fined up to 5 per cent of the violating organisation’s revenue from the previous fiscal year.

The application of such high penalties is expected to serve as a strong deterrent. However, the effectiveness of these provisions largely depends on the investigative and enforcement capacities of competent authorities, as well as the compliance levels and legal awareness of entities involved in data processing activities, including e-commerce and digital platform operators, traders, and relevant parties such as delivery service providers and payment intermediaries.

In terms of actions to take, the current responsibility for protecting personal data in the e-commerce environment primarily rests on the shoulders of e-commerce platform operators.

However, this responsibility can only be effectively fulfilled when they maintain ongoing compliance with current legal regulations; develop and regularly review transparent and publicly available personal data protection policies, along with clear internal rules and contractual agreements; establish robust technical infrastructure that ensures strict control over data processing activities; and provide adequate training for personnel, ensuring they possess strong legal awareness as well as practical knowledge.

Meanwhile, traders operating on e-commerce and digital platforms will bear varying degrees of responsibility depending on the specific features and structure of the platforms they use. If the platform adopts transparent mechanisms, the traders’ legal liability for data processing may be reduced. This is because once the data is de-identified and no longer qualifies as personal data, their associated responsibilities are accordingly limited.

However, a more holistic view must recognise that personal data protection is a collective responsibility of both platform operators and traders. Every stage of the operational chain in e-commerce poses potential data security risks, and thus requires technical, legal, and procedural safeguards.

Unlike familiar fees such as discounts, shipping or advertising fees, the "platform infrastructure fee" is a new charge applied by Shopee across the system.

In the context of Vietnam’s e-commerce market entering a new phase of development, tightening legal regulations are placing increasing demands for compliance on all stakeholders.