The Ministry of Public Security (MPS) is actively gathering public feedback on the proposed Personal Data Protection Law, slated to be implemented on January 1, 2026.
This new law is expected to serve as the key legal framework in Vietnam for safeguarding the rights of individuals regarding their personal data.
One major cause of insufficient personal data protection in businesses is a general lack of understanding. Many companies see data protection merely as a compliance issue and neglect its importance within a sustainable growth strategy, which results in significant oversights in data management.
Numerous organizations have not yet crafted proper protocols for managing and securing personal data; instead, they often settle for the bare minimum, disregarding the need for more thorough and effective measures.
Additionally, many businesses are not investing enough in their technological and security infrastructures, making them vulnerable to data breaches. A notable incident illustrating this was the cyber-attack on a Vietnamese airline’s server in 2016, which compromised the personal information of 410,000 customers.
Poor management of human resources further exacerbates these risks. Insufficient training and lack of awareness among employees can lead to severe breaches of data security. For instance, in May 2021, a bank employee shared photos of a transaction involving a celebrity’s account, highlighting flaws in the organization’s data protection practices and control measures. Such lapses can result in violations of data protection laws.
In tandem with the new Personal Data Protection Law, there are stricter civil, administrative, and criminal penalties for breaches concerning data management.
The law sets forth requirements for notifying individuals prior to processing their data and obtaining their consent. These guidelines bear similarities to the European General Data Protection Regulation (GDPR), which has established strict precedents for addressing data breaches.
For example, WhatsApp Ireland Ltd faced a hefty fine of 225 million euros in 2021 for failing to transparently inform users about personal data processing. In 2023, Meta Platforms Ireland Limited was fined a record 1.2 billion euros for improperly transferring users’ data to the US. In the same year, CRITEO incurred a 40 million euro penalty from France’s data protection authority for not addressing users’ data requests or deleting information as required.
Such cases illustrate the potential consequences for non-compliant businesses in Vietnam once the Personal Data Protection Law is enacted.
Businesses not only risk legal repercussions due to violations but also face backlash from consumers, which acts as a form of “soft” sanction. In today’s digital landscape, consumers are becoming increasingly concerned about data security. They may choose to stop using a company’s services if they perceive their data to be at risk.
An example of this occurred in January 2021 when WhatsApp announced updates to its privacy policy, which involved sharing user data with Facebook and required user consent. The announcement led to widespread discontent, causing many users to leave WhatsApp over fears of data misuse.
In response to the backlash, WhatsApp postponed its changes, but the reputational damage and loss of users served as a significant lesson in data management for businesses.
The Personal Data Protection Law mandates that businesses not only comply but also actively demonstrate their commitment to data protection principles. This entails being open about the purposes of data collection and processing and ensuring that individuals provide their consent.
Companies should collect only the minimum necessary data for their stated purposes. When individuals decide to withdraw their consent or request data deletion, businesses are required to act promptly, balancing the needs of both the businesses and the individuals.
A report from the MPS Department of Cyber Security and High-Tech Crime Prevention in mid-2024 revealed that personal data transactions in Vietnam involve not just individuals but also institutional buyers and sellers. Some businesses engage in illicit operations involving the accumulation of personal data.