Chairman Le Tan Toi of the National Assembly (NA) Committee for National Defense, Security, and Foreign Affairs informed that the scope of the draft Law on Personal Data Protection has been adjusted to apply to all individuals, agencies, and organizations involved in processing personal data, encompassing not only the digital realm but also the physical environment.
“It is crucial to clarify that the law’s scope applies to foreign agencies, organizations, and individuals who directly process or are involved in the activities of processing the personal data of Vietnamese citizens.”
Chairman Le Tan Toi of the Committee for National Defense, Security, and Foreign Affairs
The Chairman also noted that his committee, in coordination with the drafting agency, had redesigned the provisions concerning the rights of data subjects for greater clarity and alignment with international norms. These rights include the right to be informed, the right to consent, the right of access to view and correct data, the right to withdraw consent, the right to request the restriction of processing, the right to erasure, and other rights.
The draft establishes a principle for handling violations based on their nature, severity, and consequences, with penalties ranging from administrative sanctions to criminal prosecution. It also mandates compensation for any damages caused.
Regarding administrative fines, the draft proposes higher penalty levels due to the serious nature and potential consequences of personal data protection breaches to create a strong deterrent for large enterprises, particularly multinational corporations and technology firms with massive revenues.
Drawing on international experience, the draft outlines several penalty structures. For the act of buying or selling personal data, a fine of up to 10 times the illicitly gained revenue. For violations related to cross-border data transfers, the maximum fine may reach 5 percent of the preceding year’s revenue. For other violations, it may hit VND3 billion (US$117,900). The penalty for individuals is set at half that for organizations.
Vice Chairman Nguyen Truong Giang of the Committee for Legal and Judicial Affairs expressed reservations about the “maximum fine of 5 percent of revenue”, noting that for corporations with vast revenues reaching trillions of VND, this could result in an enormous penalty. He also suggested that the maximum VND3 billion fine for “other acts” should instead align with existing regulations on administrative violations to ensure legal consistency and compatibility.
National Assembly Vice Chairman Vu Hong Thanh agreed that while standard fines lack deterrence for data breaches, the proposed 5-percent revenue penalty is unfeasibly “huge” for large firms and unworkable for new or foreign entities.
Deputy Minister of Public Security Le Quoc Hung further explained that the law’s primary objective is to help prevent and address the widespread and increasingly severe problem of personal data infringement, which is essential for safeguarding both national security and human rights.
The draft law explicitly prohibits buying and selling personal data. The Deputy Minister reasoned that personal data is intrinsically linked to human rights, identity, and privacy, and thus cannot be a common commodity. He stated it is a special asset requiring the highest protection, and allowing its sale would be tantamount to human trafficking or commodifying rights.
He advocated for stipulating significantly higher penalties for violations to ensure a potent deterrent effect, saying that without them, large, cross-border enterprises might be willing to risk violations to transfer personal data illegally for immense profits.
Regarding prohibited acts, the revised draft will focus on banning common and high-risk activities such as processing personal data to oppose the State; obstructing data protection activities; abusing data protection activities to violate the law; illegally collecting, storing, disclosing, or transferring personal data; buying or selling personal data (with legal exceptions); and appropriating, intentionally exposing, or losing personal data.
The National Assembly is expected to consider and pass this law during the second phase of its 9th session.
