The Personal Data Protection Law, consisting of 5 chapters and 39 articles, provides a unified definition of personal data that aligns with the Data Law and other specialized legal fields.

It clearly outlines the responsibilities of each entity involved in personal data protection, including government management agencies, data controllers, processors, third parties, and related organizations and individuals.

The law introduces additional responsibilities for establishing monitoring mechanisms when processing personal data without the data subject’s consent.

The National Assembly has passed the Personal Data Law. Image: National Assembly

The draft law’s scope and subjects of application cover all individuals, agencies, and organizations involved in personal data processing.

Chapter II, Articles 26 to 31 of the draft law also provides provisions for protecting personal data in various fields such as finance, banking, healthcare, e-commerce, media, social networks, artificial intelligence, and the Internet.

The Government is entrusted with detailing the development of emerging technologies, including big data processing, artificial intelligence, cloud computing, blockchain technology, virtual universes, and social networks.

The law significantly reduces administrative procedures, investment and production business conditions, and compliance costs, offering the highest convenience to citizens and businesses.

Compared to the Government’s initial draft, the revised version has eliminated four out of five business lines as conditional investment and business sectors, retaining only the personal data processing service (which has been added to the amendments to the Law on Investment currently before the National Assembly for approval).

Rationale for Prohibiting the Buying and Selling of Personal Data

The National Assembly Standing Committee explains that prohibiting the buying and selling of personal data aims to promptly prevent the illegal collection and trading of personal data packages in cyberspace, as well as the sale of personal data by insiders of organizations to outsiders for use in large-scale fraud and appropriation of property, which has caused public outrage in recent times.

Personal data cannot be traded as a regular commodity due to its association with personal rights and privacy. International experience shows that personal data is not recognized as property, and some countries (such as the US, Thailand, Singapore, and Malaysia) only acknowledge the individual’s right to control how their personal data is used.

This control right is not merely about consenting to disclose, share, or transfer personal data to others in exchange for benefits but also involves stringent regulations to operate a synchronized mechanism that safeguards individuals’ data from misuse and unauthorized purposes.

In Vietnam, personal data has been used by criminal elements for transactions, purchases, and rentals as if it were a commodity, without legal regulations in place. The lack of mechanisms to safeguard individuals’ rights, along with inadequate control over consent and data processing purposes, necessitates a unified understanding that personal data is not a commodity and that its buying and selling should be prohibited, except as otherwise provided by law.

Regarding penalties, the Personal Data Law stipulates that buying and selling personal data can result in a fine of up to ten times the income earned from the violation. For violations involving cross-border data transfer, the maximum fine is 5% of the previous year’s revenue, while for other violations, the maximum fine is VND 3 billion, and for individuals, the penalty is half that for organizations.

Article 7. Prohibited Acts

1. Processing personal data to act against the Socialist Republic of Vietnam, affecting national defense, security, social order and safety, and the legitimate rights and interests of agencies, organizations, and individuals.

2. Obstructing personal data protection activities.

3. Exploiting personal data protection activities to violate the law.

4. Processing personal data contrary to legal provisions.

5. Using another person’s personal data or allowing others to use one’s personal data to violate legal provisions.

6. Buying and selling personal data, unless otherwise provided by law.

7. Appropriating or intentionally disclosing or losing personal data.

By: The World – 10:24 06/26/2025
