As one of the countries with the highest Internet development and application speed in the world, with nearly 80% of the population using it, personal data of 2/3 of Vietnam's population is being stored, posted, shared and collected on cyberspace in many different forms and levels of detail.

In 2022 and 2023, Vietnam prosecuted five criminal cases involving thousands of gigabytes of data and billions of personal information being bought and sold. This shows that the need to improve the law on personal data protection based on research and reference to international law is urgent.

International law on personal data protection

GDPR is considered a major legal step forward, creating the strictest personal information protection mechanism in the world today.

The European Union (EU) General Data Protection Regulation (GDPR) is considered a major legal step forward, creating the strictest personal information protection mechanism in the world today and is applied to all organizations and businesses that are processing personal data of citizens in the EU.

The GDPR imposes uniform penalties on businesses for violations across the bloc. Specifically, fines are up to 2% of turnover or €10 million for minor violations, and 4% of turnover or €20 million for major violations. In addition to fines, businesses that violate the GDPR may also be subject to other sanctions, such as being forced to stop processing data or deleting data that has been processed in violation of the GDPR.

The EU's personal data protection authority is the EU Data Protection Supervisory Authority (EDPS) - an independent body whose members include experienced lawyers, IT experts and administrators.

This body has the main function of supervising the processing of personal data in EU agencies and organizations as well as advising on issues related to personal data. GDPR also requires the establishment of a Personal Data Protection Authority in each member state such as a National Personal Data Protection Commission (France, Ireland...) or a Data Protection Inspectorate (Finland, Latvia...).

Along with the EDPS, the EU also established the European Data Protection Board (EDPB), which is composed of representatives of the national data protection authorities of the member states and representatives of the EU, and functions as the main independent advisory body on personal data protection issues, responsible for the consistent application of the GDPR across the union.

The GDPR provides for highly deterrent sanctions, both material and immaterial. In addition, the EU personal data protection authority is implemented according to the Commission/Commissioner model, so it has broad and independent powers to impose sanctions if organizations violate personal data protection regulations and is able to independently assess and decide on the processing of personal data.

The Personal Information Protection Law of China (PIPL) enacted in 2021 is considered the first comprehensive, national-level personal information protection law in China. PIPL takes a relatively unified view of personal data/Personal information as information that identifies or identifies a specific individual, targeting a narrow group of individuals within the territory of China (Article 4, Chapter 1 of PIPL). At the same time, it regulates the issue of sensitive personal data to establish regulations on the rights and obligations of parties with respect to more specific groups of data.

The sanctions for violations of personal data rights under the PIPL are very severe, including forced remediation, confiscation of illegal income, suspension of services, revocation of business or operating licenses, and fines of up to 50 million yuan or 5% of an organization’s annual revenue in the previous fiscal year. In addition, violations may also be recorded in the “credit file” of the processing unit under the national social credit system.

Furthermore, the processing units will be responsible for compensating for damages if they infringe upon the rights and interests of organizations and individuals. Criminal sanctions for these types of violations are also specifically stipulated in the Chinese Criminal Law, which stipulates heavier criminal liability for those who are responsible for information confidentiality, adds the form of confiscation of property, and stipulates life imprisonment as the highest prison sentence.

Singapore Personal Data Protection Act (PDPA) passed in 2012 (amended in 2020). Singapore law recognises the right to personal data protection as well as the need for organisations to collect, use and disclose information for appropriate purposes in certain circumstances.

The PDPA also provides for severe financial penalties for data breaches. Individuals who violate the law will be subject to fines or imprisonment. The fine depends on the nature and severity of the violation, with fines ranging from SGD 2,000 to SGD 100,000 (equivalent to VND 1.6 billion) and/or imprisonment of no more than 12 months, and in serious cases up to 3 years1; for agencies and companies that violate the law, they can be fined up to 10% of their annual turnover.

The body that plays an important role in ensuring the implementation of the PDPA is the Personal Data Protection Commission (PDPC). This is a specialized body with broad powers and wide enforcement capabilities, with the right to request individuals and organizations to provide information and documents related to the processing of personal data, impose financial penalties for violations as well as handle them by other measures.

The establishment of a specialized agency, the Singapore Personal Data Protection Commission, which works independently and proactively in detecting, handling violations, and applying sanctions is also one of the conditions for effective enforcement of personal data protection in Singapore.

Recommendations for improving personal data protection laws in Vietnam

Currently in Vietnam, there are 69 legal documents directly related to the issue of personal data protection stipulated in different documents including the Constitution, Code (4), Law (39), Ordinance (1), Decree (2), Circular/Joint Circular (4), Decision of the Minister (1).

These documents basically approach the issue of personal data protection in the direction of promoting the principle of ensuring the privacy of the subject, but have different regulations on information related to personal data, referring to issues of rights and obligations of subjects, information processing, and methods of protecting personal data. The law regulating the issue of personal data protection in Vietnam has achieved some remarkable results, especially on April 17, 2023, the Government issued Decree No. 12/2023/ND-CP on personal data protection - this is a separate document regulating this issue in our country. These legal documents have created a legal corridor in the work of protecting personal data; Specify the rights of data subjects as well as processing parties, prescribe sanctions for violations of personal data protection, and identify the specialized agency for personal data protection as the Department of Cyber ​​Security and High-Tech Crime Prevention under the Ministry of Public Security...

Vietnam is facing many risks, challenges and dangers from cyberspace, especially the leakage and appropriation of personal information and data, causing many harmful effects to citizens and society.

However, the actual implementation of these documents has also revealed many limitations such as the current separate legal documents are only at the Decree level, not meeting the importance of protecting personal data, many contents are currently regulated in general and unclear, leading to a lack of specific guidance for each specific case, and the sanctions are still light and not deterrent enough...

In this situation, the continued improvement of the law on personal data protection in Vietnam has been and is an issue that needs to be studied based on the experience of other countries. Specifically:

First, build a Law on Personal Data Protection . In the context of the 4.0 industrial revolution, at the regional and national scale, 80 countries have issued separate legal documents to protect personal data. Vietnam needs to soon research and issue a general, specialized law on data such as the Data Privacy Law like the EU, China or Singapore, which identifies basic issues and principles for protecting personal data. The issuance of a separate law on personal data will be an important legal basis for protecting personal data when currently, legal documents related to this issue in our country are not consistent in terms of terminology and content regulations.

Second, amend and supplement sanctions for violations of personal data in a more severe manner to match the nature and severity of the violation. Although sanctions for violations of personal data in our country include administrative, civil and criminal sanctions, they are generally quite light and do not have a high deterrent effect. The main method currently is still to apply sanctions for administrative violations, but the regulations are scattered in many Decrees with quite low fines, the highest being: 100 million VND for individuals and 200 million VND for organizations.

While the damage that administrative violations of personal data can cause is not only material damage but also damage to honor and dignity. In addition to administrative sanctions, criminal sanctions for violations of personal data are only reflected in the regulations on privacy and the field of information technology and network security in Article 159 and Article 288 of the current Penal Code with relatively low prison sentences of no more than 7 years in prison and fines of no more than 1 billion VND. This fine, when compared to the EU's level of 20 million Euros, Singapore's 1 million SGD or China's life sentence, is still very low, not commensurate with many violations.

At the same time, it is necessary to regulate many groups of behaviors that are not currently mentioned in the law, such as large-scale data trading, setting up systems to violate data, violations in marketing service business, etc.

Third, on the model of personal data protection agency in Vietnam . Currently, the Department of Cyber ​​Security and High-Tech Crime Prevention under the Ministry of Public Security is the specialized agency for personal data protection. Referring to international regulations, we can consider establishing an independent personal data protection agency responsible for enforcing the Law on Personal Data Protection, conducting inspections, examinations, issuing guidelines and recommendations, and applying sanctions for violations if any.

We can refer to these models in the EU or Singapore... to effectively enforce personal data protection laws, balancing the protection of personal rights and ensuring network security.

Protecting personal data is not a simple issue, especially when it is placed in the context of integration, when personal data monitoring and collection activities are taking place on a large scale and the Vietnamese legal system regulating this issue is still in the process of being built and perfected.

Researching international law on this issue in reference to the practical situation in Vietnam will help us soon build a legal framework for comprehensive personal data protection, compatible with international law and effective enforcement.

1 https://nhandan.vn/chu-trong-bao-ve-du-lieu-ca-nhan-post780834.html