At the 46th session of the National Assembly Standing Committee several days ago, opinions were given on the review, explanation, and revision of the draft law.

Le Tan Toi, Chair of the National Defense, Security, and Foreign Affairs Committee, said the verification agency closely coordinated with the drafting agency to incorporate feedback from National Assembly deputies after group and plenary discussions.

The revised draft includes 5 chapters and 47 articles, 2 chapters and 21 articles fewer from the government’s initial submission.

Higher fines needed

Le Tan Toi said the draft was adjusted to apply to all individuals, agencies, and organizations involved in processing personal data, covering both physical and digital environments, not just online.

It clearly stipulates that foreign agencies, organizations, or individuals directly processing or involved in processing personal data of Vietnamese citizens are subject to the law.

Data subject rights have been more clearly defined, aligning with international practice, including the right to know, agree, and to access to view or edit data, withdraw consent, restrict processing, request data deletion, and other rights.

He said the draft law is expected to revise the regulations prohibiting common and high-risk behaviors such as handling anti-state personal data; obstructing personal data protection activities; illegally collecting, storing, disclosing, and transferring data; and buying, selling, or appropriating, intentionally disclosing, or losing data, etc.

Regarding penalties for violations, the draft stipulates that penalties depend on the nature, severity, and consequences of the violations, with administrative fines or criminal liability. Compensation is required if damage is caused.

The committee suggested higher administrative fines due to the serious nature and consequences of personal data protection violations to ensure deterrence, especially for large enterprises, multinational corporations, or tech companies with revenues of thousands of billions dong.

The draft specifies that buying or selling personal data may face fines up to 10 times the profit gained from the violation. The violations of cross-border data transfer regulations face fines of up to 5 percent of the previous year’s revenue, while other violations carry a maximum fine of VND3 billion. The fines for individuals are half those for organizations.

The government is authorized to set regulations detailing fine levels, penalty frameworks, and methods for calculating illicit profits.

Addressing widespread personal data violations

According to Lieutenant General Le Quoc Hung, Deputy Minister of Public Security (MPS), 150 out of 193 countries worldwide have issued regulations on personal data protection.

“Personal data faces increasing risks of violation, affecting legitimate rights and interests. Thus, the goal of this law is to prevent and address widespread and increasingly serious personal data violations, which relate to both national security and human rights,” Hung said.

Explaining the draft’s coverage of both traditional and digital environments, Hung said data collection and processing can shift between the two. 

Regulating only the digital environment would create legal gaps in traditional settings, enabling data violations. The government has incorporated feedback, revising the scope, applicable entities, and the definition of personal data for comprehensive coverage.

For buying and selling personal data, the draft proposes fines up to 10 times the profit from violations. If there is no illicit profit or the calculated fine is below the maximum specified in clause 5 (VND3 billion), the maximum fine of VND3 billion will be applied.

Prior to that, the draft law was submitted to the National Assembly in late May. The Ministry of Public Security’s stance is that personal data is tied to human rights and personal privacy, not to be treated as a commodity or corporate asset. Personal data is a special resource, requiring exploitation to be paired with the highest level of protection.

“Allowing the buying and selling of personal data is akin to permitting the trade of human rights and control over others’ information,” MPS Minister Luong Tam Quang said.

Many National Assembly deputies then agreed on the necessity of enacting the law.

National Assembly Deputy Hoang Minh Hieu from Nghe An supported the law’s distinction between basic personal data and sensitive personal data, noting that sensitive data requires stricter protection measures. He proposed applying sensitive data protection regulations to fields like health, insurance, finance, banking, and credit information.

“This approach aligns with current trends,” he said.

Hieu also noted that, based on international practices, sensitive personal data is critical as it relates to individual rights and is often specified in laws. For example, Japan includes social status, medical records, and criminal records.

Tran Thuong