This afternoon, the National Assembly reviewed the Government’s presentation and the verification report on the draft Law on Personal Data Protection. One of the most notable provisions: social media platforms will not be allowed to require users to upload images or videos containing national ID card details.

According to the draft law, as personal data is frequently transferred, stored, and exchanged in digital environments, incidents of data leakage or loss have become increasingly common - often due to insufficient protection measures or during business transactions.

14.5 million accounts compromised in Vietnam

202505051422152081_z6570192107801_1f55a9455e88b260e081b374b5d2495b (1).jpg
Deputy Prime Minister Le Thanh Long presents the draft law to the National Assembly. Photo: National Assembly

As reported in Vietnam’s 2024 national cybersecurity threat assessment, ransomware attacks paired with personal data theft reached up to 10 terabytes, causing an estimated loss of USD 11 million.

Vietnam saw 14.5 million user accounts exposed - 12% of the global total. The Ministry of Public Security has uncovered and disrupted several large-scale operations trafficking personal data, with some involving thousands of gigabytes of sensitive internal information.

In 2023 alone, authorities investigated 16 cases involving leaks or sales of confidential state information and internal data on platforms such as BreachedForums, Telegram, and Facebook. Some cases even included real-time personal data lookup services for Vietnamese citizens.

In many sectors, paper-based records remain the primary method of personal data storage. However, the lack of specific regulations to protect data in these formats poses significant risks and leads to frequent violations.

No call eavesdropping or unauthorized recording

202505051422152238_z6570197423943_cf7d35d3a28b558045b0ec8dd9014a70 (1).jpg
Chairman of the National Defense, Security, and Foreign Affairs Committee, Le Tan Toi, presents the law verification report. Photo: National Assembly

Presenting the draft, Deputy Prime Minister Le Thanh Long stated that the law aims to complete Vietnam’s legal framework for personal data protection, create a legal foundation for data privacy enforcement, and improve national data protection capabilities.

The draft law comprises seven chapters and 68 articles, covering conditions for data protection for businesses processing personal data, requirements for certification of qualified entities, personal data protection rating services, and data protection service organizations.

It also defines state responsibilities, roles of relevant ministries and agencies, and the duties of data controllers and processors.

A new provision targets social media and online communication service providers. These platforms must ensure the privacy of Vietnamese users if they operate in Vietnam or are available through app stores targeting the Vietnamese market.

Specifically, the government proposes banning these platforms from requesting images or videos that contain any portion of a user's national ID card, citizen ID, or personal identification card as a condition for account authentication.

The draft also prohibits unauthorized eavesdropping, call recording, or reading of text messages without the data subject’s consent. Providers must offer mechanisms for users to report violations related to privacy and data security.

In the review session, Committee Chairman Le Tan Toi confirmed support for the law’s necessity, stating it would establish a strong legal foundation to protect personal data, prevent violations, and enhance the accountability of agencies and organizations.

However, the committee raised concerns about a proposed penalty clause: administrative fines ranging from 1% to 5% of the previous year’s revenue for organizations that violate personal data regulations. Some members argued that such a penalty is impractical and excessively punitive for businesses.

Tran Thuong