
The Ministry of Public Security (MPS) is currently seeking public opinions on the draft Personal Data Protection Law, which is expected to take effect on January 1, 2026.

The Personal Data Protection Law is anticipated to become the most important legal foundation in Vietnam for protecting the rights of data subjects. 

The weaknesses in businesses' personal data protection mainly stem from a lack of awareness. Instead of viewing personal data protection as an integral part of a sustainable development strategy, many businesses consider it merely a legal requirement. This mindset results in serious management gaps.

Many businesses still have not established standard processes for handling and protecting personal data, or have met only the minimum requirements without regard for effectiveness and comprehensiveness.

Their technology and security systems are underinvested, which raises the risk of data incidents. The 2016 cyber-attack on an airline's server system in Vietnam, which exposed 410,000 items of client data, is a typical example.

Furthermore, poor human resource management also increases risks. Workers are inadequately trained and lack security awareness, leading to serious mistakes. 

In May 2021, a bank officer in Vietnam posted images of a transaction made from a bank account believed to belong to a celebrity, raising concerns about deficiencies in building a data protection culture and internal controls. These shortcomings can lead businesses to violate personal data protection laws.

‘Hard’ and ‘soft’ sanctions

Alongside the introduction of the Personal Data Protection Law, civil, administrative and criminal penalties have also been tightened to address violations related to personal data handling. 

The law clearly stipulates the requirements, including notification before data pre-processing and data subjects' consent. These regulations have similarities to the European General Data Protection Regulation (GDPR), which has established severe precedents for data breach handling.

For instance, in 2021, WhatsApp Ireland Ltd was fined 225 million euros because it did not meet the obligation to provide transparent notification about the processing of personal data.

In 2023, Meta Platforms Ireland Limited, the parent company of Facebook, Instagram, and Threads, faced a record fine of 1.2 billion euros for lacking a legal basis for transferring users’ personal data to the US. In the same year, France's data protection authority (CNIL) fined the online advertising company CRITEO 40 million euros for not responding to data subjects' requests and not deleting personal data as requested.

These precedents indicate that when Vietnam's Personal Data Protection Law takes effect, non-compliant businesses may face similar penalties.

In fact, businesses that violate the law face not only legal sanctions but also negative reactions from consumers, which can be considered "soft" sanctions.

In today’s world, consumers are increasingly sensitive to data security issues. They will discontinue using a company's services if they see a risk of unsafe or breached personal data.

A typical example happened in January 2021 involving WhatsApp. When WhatsApp announced changes to its privacy policy, allowing users’ data to be shared with Facebook and requiring user consent by February 8, a backlash occurred. Many users abandoned WhatsApp due to fears of personal data misuse.

WhatsApp later decided to postpone the plan. The reputational damage and user departures resulted in a costly lesson for businesses in personal data management.

Readiness 

The Personal Data Protection Law requires businesses not only to comply with but also to demonstrate adherence to data protection principles. This means that businesses must be transparent about the purposes of collecting and processing personal data and ensure the data subjects' consent.

Businesses should collect data only within a defined scope that is necessary for the registered purposes. When data subjects exercise their rights, such as withdrawing consent or requesting data deletion, businesses must respond promptly, thus harmonizing the interests of businesses and data subjects.

A report from the MPS' Department of Cyber Security and High-Tech Crime Prevention in mid-2024 showed that the purchase and sale of personal data in Vietnam takes place not only between individuals but also with the participation of institutional buyers and sellers. Some businesses have been set up with technical systems that illegally collect personal data.


Van Anh