ÀÖÓ㣨Leyu£©ÌåÓý¹ÙÍø

Xem bản Tiếng Việt

Vietnam has intensified its focus on data protection over the past two years. This effort began with the enactment of the Personal Data Protection Decree (Decree 13/2023/ND-CP) in 2023, followed by the immediate development of the Personal Data Protection Law, which is expected to be issued in the last quarter of 2025. Additionally, the Ministry of Public Security (MPS) initiated its inaugural campaign in late 2024 to ensure compliance with Personal Data Protection (PDP) regulations. This effort concentrated on lawful data sharing and reinforcing network security measures for data protection.

This year has seen significant developments. Most notably, on February 21, 2025, the Government issued Decree 24/2025/ND-CP, which amends and supplements several provisions of Decree 98/2020/ND-CP, dated August 26, 2020, on administrative penalties in consumer rights protection. The new decree increases sanctions for various violations related to data privacy. Accordingly:

• Violations related to the collection, storage, and use of consumer information may incur fines of up to 30,000,000 VND, or up to 60,000,000 VND in cases involving sensitive personal data. Such violations include failing to document authorization when hiring third parties to collect, store, use, modify, update, or delete consumer information, drafting agreements that lack clear responsibilities for data protection, or outsourcing these activities without consumer consent, except in specific cases outlined by regulations, collecting or using data without obtaining consent, lacking clear consumer protection policies, not informing consumers about the usage of their data, failing to allow data access or updates, and not deleting information after the storage period has expired. Penalties can reach up to 120,000,000 VND for significant digital platforms (Article 46.1).
• Infractions such as not addressing consumer complaints regarding unauthorized data collection or misuse, failing to report security breaches within 24 hours, lacking adequate measures to ensure data security, or sharing consumer information with third parties without consent, may result in fines of up to 40,000,000 VND or up to 80,000,000 VND in cases involving sensitive personal data. For large digital platforms, these penalties may increase to 160,000,000 VND (Article 46.2).
• Digital platform service providers may be fined up to 70,000,000 VND for failing to properly document authorization when outsourcing consumer data handling, drafting unclear agreements on data protection responsibilities, or engaging third parties without consumer consent. Organizations operating intermediary digital platforms can face fines of up to 200,000,000 VND for these violations, while those managing large digital platforms may be fined up to 400,000,000 VND for the same infractions (Article 53a).

With stricter regulations, B2C companies and digital platforms must ensure compliance to avoid heavy fines. Violations such as unauthorized data collection or delayed breach reporting can result in severe penalties. Businesses should prioritize securing user consent, strengthening security measures, and addressing consumer complaints while implementing proactive compliance strategies, including clear data policies, regular audits, and consent management tools.

At the same time, the government, particularly the Ministry of Public Security (MPS), is expediting the finalization of the Draft Personal Data Protection Law—a more advanced and comprehensive version of the current Personal Data Protection Decree. The draft law introduces significant updates, including expanded scope, stricter consent requirements, mandatory data protection evaluations, stricter conditions for cross-border data transfers, and special provisions for sensitive data such as biometric, credit, and location information.

According to Notification No. 56/TB-VPCP from the Government Office, summarizing the 2024 review meeting of the National Committee on Digital Transformation and Project 06, the MPS has been tasked with leading and coordinating efforts to finalize the Personal Data Protection Law (PDPL). The law is expected to be submitted to the National Assembly for review and approval during its 9th session in May 2025. Following its enactment, the MPS must also draft government decrees to provide implementation guidelines. Additionally, the upcoming Decree on Administrative Sanctions for Cybersecurity and Personal Data Protection Violations—which proposes fines of up to 5% of the previous fiscal year’s revenue—is expected to be passed after the PDPL’s promulgation.