Viet Nam works to ensure the right to personal privacy

The Party and state have issued numerous directives on this issue aimed at ensuring cybersecurity; placing people and human intelligence as decisive factors; and completing the legal framework for personal data protection.

The 2013 Constitution, drawing from previous constitutions, affirms that individual privacy is inviolable, while expanding the scope of privacy rights to include the right to protect personal secrets, including information about private life, personal secrets, and family secrets.

Despite these efforts, personal data breaches continue to proliferate, particularly in cyberspace. According to the Cybersecurity Association, the situation of personal data leakage in Viet Nam continued to develop in a complicated and serious manner in 2024, with 66.24% of users confirming that their information had been used unlawfully.

The causes are due to users lacking awareness of protecting personal data; protection measures being inadequate; resulting in personal information being stolen and publicly posted. The lack of specific regulations on data protection in this environment has led to many violations and potential risks.

According to statistics from the Ministry of Public Security, 69 normative legal documents directly related to personal data protection have been issued; however, all lack uniformity regarding the concepts and content of personal data and personal data protection.

Government Decree No. 13/2023/ND-CP (Decree No. 13) dated April 17, 2023, is the only document providing a definition of personal data and regulations on personal data protection and a system for handling violations.

Accordingly, violations can be handled through disciplinary measures, administrative penalties, or criminal prosecution.

However, being a decree, it lacks the weight of formal legislation.

The Ministry of Public Security assesses that, through the practical implementation of personal data protection under Decree No. 13, many organisations and enterprises collect personal data excessively without a legal basis and fail to identify data processing flows.

Many activities of collecting and processing personal data are carried out without the consent of the data subjects, and there is no way to obtain consent for personal data already collected. This demonstrates that citizens’ fundamental rights concerning personal data are not fully ensured.

Legal experts believe that citizens do not know how to protect themselves, nor how to complain, object, or request compensation when violations infringe upon their legitimate rights and interests.

Articles 19 and 20 of the 2024 Archives Law stipulate archival principles and the rights and obligations of relevant subjects, however, they do not mention personal data protection.

The above situation poses an urgent requirement to complete unified and synchronous legislation on personal data protection within the legal system, to raise awareness and responsibility regarding personal data processing alongside data protection efforts, and to have clear regulations ensuring the rights of data subjects.

Most recently, the National Assembly (NA) adopted the Law on Personal Data Protection during its ninth working session in late June.

The law, which will come into force on January 1, 2026, replaces Decree No. 13 and introduces stricter regulations for organisations handling personal data, including requirements for data protection impact assessments, consent, and cross-border data transfers.

The law is expected to help raise awareness among individuals, agencies, organisations, and enterprises about their rights, responsibilities, and obligations in protecting personal data.

It opens an important milestone to protect consumers’ interests against illegal collection, use, and sale of data, and to protect citizens from fraud.

Violations of the law can result in administrative or criminal sanctions, and potentially compensation for damages.

The approval of the law continues to institutionalise provisions of the Constitution and laws on the right to protect personal secrets, human rights, citizen rights, and cybersecurity, ensuring consistency and unity within the legal system.

Link to the original article