Specific acts such as unauthorized trading, collection without consent, or misuse of personal data are to be strictly penalized. Photo: VNA
In the digital economy, protection of personal data is not only essential for safeguarding human rights but also a critical foundation for building a safe and sustainable digital environment. The National Assembly has recently discussed the draft Law on Personal Data Protection—a document expected to provide a solid legal framework for safeguarding personal information of Vietnamese citizens.
One of the most notable provisions in the draft law is the proposed administrative fine of up to 5 percent of the previous year’s revenue for organizations and businesses that violate personal data protection regulations. According to the Ministry of Public Security—the drafting agency—this revenue-based penalty is designed to increase deterrence and compel compliance. The approach also aligns with international practices, notably the EU's General Data Protection Regulation (GDPR).
The draft law outlines that, depending on the severity of the violation, breaches of personal data may be subject to various forms of punishment, including administrative handling, criminal prosecution, civil compensation, or disciplinary action for individuals or entities involved. Specific acts such as unauthorized trading, collection without consent, or misuse of personal data are to be strictly penalized.
At a group discussion on the draft law, Lieutenant General Tran Quoc To, Deputy Minister of Public Security, issued a stark warning: “In recent years, many organizations and businesses have collected excessive amounts of personal data beyond what is necessary for their respective industries, products, or services. Such unauthorized data collection seriously infringes upon the lawful rights and interests of citizens.”
He emphasized that in the context of widespread digital transformation, data leaks and losses are occurring frequently during the process of data transfer, storage, and sharing for business purposes—especially when protection measures are insufficient. These lapses have led to data being compromised, publicly exposed, or misused in illegal activities such as fraud, gambling, defamation, and harassment.
Insights shared at the 2025 Customer Data Conference held by the CIO Vietnam Community in mid-May echoed this concern. Technology experts pointed out that the greatest threat to data security does not come from external hackers but from within organizations themselves—through human error, weak internal processes, or lack of oversight.
Tran Cong Quynh Lan, Advisory Board Member of the CIO Vietnam Community and Chairman of the Technology Committee of the Vietnam Banks Association, stated: “User data today is stored and managed by various units. The key question is whether each enterprise has a clear and enforceable data protection policy. This is not an easy task.”
Lan stressed that no technical system, regardless of sophistication, can completely prevent internal breaches if not supported by a corporate culture grounded in professional ethics. Therefore, businesses must implement policies that address both system-level controls and human conduct.
From a legal perspective, the expert affirmed the importance of the Law on Personal Data Protection and the broader Data Law in safeguarding user rights. “These laws should clearly require that any data collection must be based on customer consent. Furthermore, any transfer of data to a third party must also be explicitly approved,” he noted.
Concerning the proposed 5-percent revenue penalty, Lan called for clear criteria: “For a bank, 5 percent of annual revenue could mean trillions of dong. Thus, it is necessary to clearly define the violation and quantify the harm to apply sanctions fairly and effectively.” He added that current handling of illegal data trading relies primarily on general criminal provisions, lacking specialized legal instruments, which hampers enforcement.
Drawing on the banking sector's experience, Lan suggested a stronger deterrent: accounts involved in fraud or illegal data transactions should be frozen across the banking system and added to a blacklist. “Even associated citizen ID numbers could be monitored. This approach would establish serious legal consequences for violators,” he emphasized. (VLLF)