Pham Quy Dat[1], LL.D., and La Nhu Quynh[2]
A foreigner residing in Khanh Hoa province has her fingerprints taken for the issuance of a level-2 electronic identity account. Photo: Nguyen Thanh/VNA
Biometric data (BMD), with its unique and immutable nature, is increasingly utilized across various sectors, raising urgent concerns about misuse, privacy breaches, and data security, especially in the digital age. Although Vietnam has recently enacted the Law on Personal Data Protection, significant challenges remain in ensuring comprehensive and effective protection for BMD. This article provides a theoretical and practical overview of BMD protection and offers critical analysis and suggestions to enhance the implementation and future improvement of BMD-related legal safeguards in Vietnam.
The current state of biometric data protection and relevant legal framework in Vietnam
Practical biometric data protection
The Party and the State of Vietnam have always paid attention to improving the system of policies and laws regarding the protection of BMD in particular and human privacy rights in general. The Government has been vigorously directing the development of e-Government, aiming toward a digital government and a digital economy. Currently, the issue of BMD has garnered increasing attention. Since early 2021, Vietnam has begun issuing chip-based citizen identity cards to support the operation of e-Government systems. To achieve this goal, BMD must be safely collected, processed, and centrally stored. Any incident involving the BMD storage center could lead to serious consequences. As such, the protection of BMD has become even more critical.
Various ministries and sectors have developed their own BMD systems and have implemented data protection measures in their respective management fields. For example, in civil status management, the Ministry of Justice has enforced regulations guiding the Law on Civil Status and is currently implementing a national electronic civil status database. So far, no information security incidents have been reported during the development of software within the Civil Status Registration and Management Information System. In the banking sector, the State Bank of Vietnam on December 31, 2023, issued Decision No. 2345/QD-NHNN requiring that from July 1, 2024, any online money transfer valued at VND 10 million or more must be authenticated using biometric methods[3]. Accordingly, banks are mandated to encrypt and protect BMD in accordance with international financial security standards.
In the digital era, BMD is being widely used across various sectors, including finance, banking, healthcare, e-commerce, and public services. However, while many authorities and organizations have adopted their own approaches to protect BMD, and biometric authentication is considered safer than traditional methods like passwords or OTPs, security vulnerabilities still exist. New types of fraud have emerged, leveraging technology to steal users’ BMD, leading to cyberattacks and financial scams[4]. Therefore, not only state agencies but also individual data subjects should raise awareness, act cautiously when conducting financial transactions and in other areas of daily life, refrain from sharing personal information, and remain vigilant even after applying biometric authentication measures.
The legal framework for biometric data protection
In Vietnam, the current legal framework for BMD protection primarily relies on the Constitution, codes and laws relevant to personal data protection, cybersecurity, citizen identification, specific regulations on banking and telecommunications, and other relevant legal documents.
Firstly, the 2013 Constitution serves as a foundational law that establishes the groundwork for privacy protection in general and for BMD in particular. Article 21 of the Constitution explicitly affirms the inviolability of private life, personal secrets, and family secrets, stating that the collection, storage and use of personal data must be consented to by the data subject, unless otherwise provided by law. This creates a crucial legal basis for guiding legal texts to concretize the rights and obligations related to BMD protection. While the Constitution does not provide detailed mechanisms for or scope of BMD protection, it lays down general principles and delegates specific implementation to other legal instruments. As a result, the effectiveness of the protection of personal data, including BMD, depends on the level of detail and appropriateness of sub-constitutional legal documents.
Secondly, the Cyber Security Law is one of the most impactful legal documents concerning the protection of personal data, including BMD. One of its objectives is to safeguard national sovereignty and security, and the lawful rights and interests of individuals and organizations participating in cyberspace, while promoting a safe and healthy digital environment. To maximize the protection, Chapter III of the Law outlines comprehensive measures for preventing and handling threats and data violations. Chapter IV focuses on the coordinated implementation of cybersecurity protection activities from central to local levels, primarily targeting state agencies and political organizations, and specifically provides for security audits for their information systems[5]. However, the Law emphasizes national security more than individual rights and lacks specific mechanisms enabling citizens to protect or control their own BMD.
Thirdly, Government Decree 13/2023/ND-CP dated April 17, 2023, on personal data protection (Decree 13) is the first legal document to specifically regulate personal data protection, defining BMD as sensitive personal data requiring stricter safeguards than ordinary personal data. As per the decree, processing BMD is only permissible with the clear consent of the data subject, except in special cases such as criminal investigation or performance of legal obligations. This is a positive step in reinforcing individuals’ control over their own BMD. However, one notable concern is that the Decree’s scope appears broader than that of the Cyber Security Law, imposing harsher restrictions and providing more intervention powers over personal data in general. While the Cyber Security Law focuses mainly on online data, the decree applies more widely to organizations, businesses and individuals operating both online and offline. This raises concerns about the legal coherence of a sub-law document surpassing the scope of a law, which may cause conflicts or enforcement challenges. Moreover, the decree lacks specific provisions on sanctions for violations involving BMD leakage or misuse.
Fourthly, the Law on Personal Data Protection[6], once enacted, is expected to provide a more comprehensive legal framework for BMD protection than previous legal documents. Generally, BMD is treated as a subset of personal data; therefore, its principles, rights, obligations and protection procedures are governed under broader-scope personal data protection regulations. The Law has comprehensive provisions on personal data, the protection of personal data, as well as the rights, obligations and responsibilities of related agencies, organizations and individuals. A notable feature of the Law is its specific provisions on the rights and obligations of related parties and the explicit definition of biometric data, which had not been clearly addressed in previous legal documents. Additionally, the Law no longer specifies administrative procedures, processes, or documentation requirements; instead, it delegates powers to the Government to regulate these matters[7]. The Law ensures consistency within Vietnam’s legal system, aligns with treaties to which Vietnam is a contracting party, and upholds a high degree of practical enforceability.
In sum, Vietnam’s legal framework on BMD protection has made notable progress, from constitutional principles to specific provisions of the Cyber Security Law, Decree 13, and the Law on Personal Data Protection. Among these, Decree 13 remains the first legal instrument providing an official definition of, and detailed safeguards for, personal data, including BMD. While the newly enacted law marks a significant step forward, certain limitations remain, particularly in BMD classification and enforcement mechanisms. Therefore, further efforts are necessary to review the coherence of existing legal documents and to issue guiding regulations and more specific provisions to ensure effective and comprehensive BMD protection in line with international standards.
BMD protection in the commentary on the Law on Personal Data Protection
Despite the aforementioned significant advancements, in order for the Law to be effectively enforced in everyday life and achieve its intended impact, further improvement and detailed guidance are still necessary.
Firstly, it is necessary to provide a clearer definition of biometric data, as follows: “Biometric data means data relating to an individual’s physical attributes, biological characteristics, and distinctive and stable behavioral traits for the purpose of identifying him/her”. The Law’s definition of biometric data covers only two categories: physical attributes and biological characteristics. In fact, biometric data should be categorized into three main groups: (i) physical biometrics (e.g., fingerprints, iris scans), (ii) behavioral biometrics (e.g., voice, gait), and (iii) biological biometrics (e.g., DNA, biological traces). This classification would help ensure proper protection of each type of biometric data with more detailed provisions and broaden the scope of protection in a more comprehensive manner, especially in the current context of rapidly developing digital technologies. It aligns with Vietnam’s reality where the growing application of recognition technologies leads to a clearer boundary between BMD and general personal data. It also allows for protection levels to be tailored to the risk associated with each data type (for example, physical BMD may require stricter safeguards than behavioral BMD).
Secondly, a provision should be added to the Law explicitly recognizing the right to request enhanced security for BMD. Its current provisions on personal data security are scattered across various articles and do not specifically address enhanced protection for BMD as highly sensitive information. It has only one provision in Article 31 providing the protection mechanism for this type of data. This provision aims at ensuring safety and confidentiality during the collection, processing and storage of personal data, without clearly distinguishing between ordinary and sensitive categories. As a result, organizations collecting BMD might fail to apply the necessary level of protection in response to associated risks. It is therefore recommended that a new provision be included, either through amendment to the Law or guiding texts, on the right to request enhanced protection of BMD. This provision should require organizations processing BMD to implement the highest level of safeguards, including strong encryption (such as AES-256), multi-factor authentication systems, strict access control limited to legally authorized parties, and secure storage infrastructure that avoids public cloud services unless advanced encryption mechanisms are in place. This addition is crucial, as BMD, once leaked or stolen, cannot be altered, necessitating a higher level of protection compared to that applied to ordinary personal data.
Thirdly, though the Law generally provides BMD protection, it lacks specific safeguarding measures/mechanisms. Therefore, several mechanisms should be added. It is also important to require a pre-processing impact assessment for BMD. The Law’s Article 21 currently requires an impact assessment for the processing of personal data, obligating data controllers and processors to keep assessment records from the time of processing commencement. This requirement should go further for highly sensitive data such as BMD. Specifically, organizations that process BMD on a large scale for identification purposes or cross-border transfer should be required to conduct an impact assessment before data processing. This requirement should apply only to high-risk cases, rather than all BMD processing activities, thereby preventing violations from the outset. For ordinary personal data, a post-processing review may suffice to identify and mitigate risks during implementation. Since BMD are immutable and, once leaked or misused, cannot be revised or altered, pre-processing review is essential to prevent consequences that are costly or even impossible to remedy.
Fourthly, it is necessary to establish an independent supervisory body in charge of protection of personal data, including BMD. In Vietnam, the responsibility rests with the Department of Cyber Security and Hi-Tech Crime Prevention and the Personal Data Protection Committee under the Ministry of Public Security. These entities assist the Ministry in performing the state management of personal data protection. However, given the highly sensitive and private nature of BMD, it is recommended that a civilian, independent oversight body be established to ensure the maximum protection of individual privacy rights. As BMD is closely linked to personal autonomy and identity, greater authority should be granted to individuals in deciding how their data are used and protected. Accordingly, the data protection body should be formed as a civilian institution having quasi-judicial functions and capable of settling data disputes and issuing binding decisions, rather than as a body with primary law enforcement or coercive powers.
Fifthly, public awareness should be raised for the effective protection of BMD. Individuals are primary data subjects and rights holders. Without adequate understanding of their rights over BMD, even the most well-intentioned laws may fail in practice. It is therefore recommended that provisions be added to the Law requiring or encouraging organizations involved in personal data processing to carry out educational and awareness initiatives. These initiatives include distributing educational materials, organizing training sessions/workshops, and launching public awareness campaigns, particularly focusing on BMD protection.
Conclusion
To meet the demand for BMD protection in the digital era and to ensure the effective exercise of individuals’ privacy rights, Vietnam should continue to develop a comprehensive, consistent and forward-looking legal framework aligned with global standards. While the enactment of the Law on Personal Data Protection represents a critical step forward, BMD protection remains an urgent and evolving matter, given its highly sensitive nature and the rapid advancement of biometric technologies. The current legal framework still reveals certain gaps in coherence, enforcement mechanisms and technical implementation, particularly for BMD protection. Therefore, this article offers practical recommendations aimed at contributing to the ongoing discourse surrounding the implementation and improvement of the Law on Personal Data Protection, particularly with regard to BMD, and improvement of awareness among individuals, institutions and policymakers about the importance of safeguarding biometric data in an increasingly digital society.
[1] Vice Director of the Public Law Comparative Research Center, the Comparative Institute, the Hanoi Law University.
[2] Faculty of Advanced Law, the Hanoi Law University.
[3] Minh Nghĩa, Bảo vệ thông tin sinh trắc học trong thanh toán trực tuyến, https://nhandan.vn/bao-ve-thong-tin-sinh-trac-hoc-trong-thanh-toan-truc-tuyen, accessed on March 3, 2025.
[4] Phương Thanh, Xác thực sinh trắc học, vẫn còn lỗ hổng cần bảo mật, https://tapchitaichinh.vn/xac-thuc-sinh-trac-hoc-van-con-lo-hong-can-bao-mat, accessed on March 3, 2025.
[5] PV, Luật an ninh mạng: Sự cần thiết, mục đích, ý nghĩa và nội dung cơ bản, Trang Thông tin Điện tử tổng hợp, https://noichinh.vn/nghien-cuu-trao-doi/201806/luat-an-ninh-mang, accessed on March 5, 2025.
[6] On June 26, 2025, the Law on Personal Data Protection (Law No. 91/2025/QH15) was officially passed by the 15th National Assembly of the Socialist Republic of Vietnam during its 9th session.
[7] Nguyễn Hoàng, Quốc hội thông qua Luật Bảo vệ dữ liệu cá nhân, Báo Điện tử Chính phủ, https://baochinhphu.vn/quoc-hoi-thong-qua-luat-bao-ve-du-lieu-ca-nhan-102250626151253737.htm, accessed on July 10, 2025.