From Page to Dataset in Vietnam: Compliance Steps Under 2026 AI and IP Laws

Compliance Strategies for AI Training and Book Digitization in Vietnam

Vietnam has introduced two important laws that reset the rules for AI developers and rights holders: the amended Law on Intellectual Property ("Amended IP Law") and the new Law on Artificial Intelligence ("AI Law"), both passed in December 2025. For the first time, there is a path to use lawfully published, publicly accessible works in AI training-subject to limits and future guidance. This creates opportunity, and it raises the bar for documentation and controls.

The Amended IP Law takes effect on 1 April 2026. The AI Law takes effect on 1 March 2026. Implementing regulations are expected in the coming months, and they will decide how far the new exception can go in practice.

Key Provisions

AI Training Exception under the Amended IP Law (effective 1 April 2026)

Article 7.5 adds an exception that may permit use of lawfully published, publicly accessible copyrighted texts and data for scientific research, testing, and AI training. The use must not "unreasonably harm" the lawful rights and interests of copyright owners. The scope of this exception will depend on forthcoming Government regulations.

Related Requirements under the AI Law (effective 1 March 2026)

Prohibited acts (Article 7.3): AI data collection, processing, training, testing, and operation must comply with IP laws, including the new exception and any future rules. Using protected materials outside the permitted scope remains a violation.

Inspection and audits (Article 28): Organizations must keep technical documentation, audit logs, training data records, and other materials that allow authorities to investigate and assign responsibility. Thorough recordkeeping is a legal requirement, not a nice-to-have.

Compliance Strategies for Legal and Compliance Teams

• Record sources and rights status: Log where each dataset item came from, when it was accessed, and why it qualifies as "lawfully published, publicly accessible." Keep evidence (URLs, screenshots, terms of use at time of access, deposit records).
• Define permitted scope by use case: Limit ingestion and training to the exception's stated purposes (scientific research, testing, AI training). Avoid uses that look like content substitution or commercial republishing.
• Implement data intake controls: Block materials with known restrictions, paywalled content without clear license, or works marked as excluded. Do not circumvent technical protection measures.
• Document data lineage: Maintain dataset manifests, hashes, versioning, and transformation notes. Make lineage queryable so you can trace a model output back to contributing data if needed.
• Maintain audit logs across the lifecycle: Keep training configurations, hyperparameters, model versions, checkpoints, and access logs. Preserve change history for datasets and models.
• Reduce "unreasonable harm" risk: Apply output controls to prevent verbatim or near-verbatim reproduction of protected text. De-duplicate training corpora and enforce rate limits on content exposure during training and evaluation.
• Align with security and privacy laws: Classify datasets, apply least-privilege access, encrypt at rest and in transit, and segregate environments. Screen for personal data and state secrets; apply removal, masking, or minimization where required.
• Vet vendors and partners: Flow down obligations in contracts (IP compliance, audit cooperation, data deletion, incident notification). Require logs and attestations that meet Article 28 standards.
• Stand up takedown and inquiry workflows: Provide a channel for rights holders to raise concerns and request review. Track complaints, decisions, and remediation steps.
• Prepare for inspections: Create a documentation pack you can hand over quickly: dataset inventories, collection rationale, legal analyses, model cards, testing reports, and risk assessments.
• Monitor regulatory updates: Assign an owner to track implementing decrees and guidance. Be ready to tighten scope, add notices, or switch to licensed sources if the rules narrow.

Signals to Assess "Unreasonable Harm" (Practical, Non-exhaustive)

• Market impact: Does your use replace the need to access or license the original works?
• Use intensity: Portion and volume used, frequency, and whether outputs mirror protected expression.
• Access controls: Who can access the dataset and model, and under what restrictions?
• Availability of licensing: If a workable license is available and your use bypasses it, risk rises.

Documentation Checklist for Article 28

• Data source logs, capture dates, and evidence of lawful access; copies of applicable terms of use.
• Copyright status notes (publicly accessible, lawfully published) and any exclusion flags.
• Dataset manifests, hashes, version history, and transformation/cleaning records.
• Training run sheets, configurations, model versions, checkpoints, evaluation reports.
• Access logs for datasets and models; change approvals; exception justifications.
• Security classifications, DLP settings, encryption standards, and incident records.
• Privacy screening outcomes and remediation (removal, masking) where relevant.

Timeline and Action Plan

• Now-February 2026: Map current datasets and models; freeze risky sources; build the documentation pack; update contracts and intake controls.
• March 2026 (AI Law effective): Ensure audit logs and technical documentation meet Article 28 requirements. Confirm prohibited-act controls are live.
• April 2026 (Amended IP Law effective): Re-check projects against any new implementing regulations. Adjust scope, notices, and licensing strategy based on finalized rules.

Monitoring and Further Reading

Track official updates and implementing regulations from the Vietnam National Assembly. Expect clarifications on the exception's scope, recordkeeping standards, and enforcement priorities.

If your team needs structured training on AI fundamentals and governance, see our curated resources at Complete AI Training.

Bottom line: the new exception opens a path, but the safe zone sits behind careful scoping, consistent documentation, and output controls. Treat the "unreasonable harm" threshold as a live risk test, keep your audit trail inspection-ready, and be ready to adapt as the regulations land.