On the morning of June 5, the National Assembly Standing Committee gave its opinion on the reception, explanation, and revision of the draft Law on Personal Data Protection.
The draft law is adjusted to apply to all individuals, agencies and organizations related to personal data processing, including personal data processing in the physical environment, not just the network environment.
In particular, clarify that the subjects of application are foreign agencies, organizations and individuals who directly process or are related to the processing of personal data of Vietnamese citizens.
Chairman of the National Assembly's Committee on National Defense, Security and External Affairs Le Tan Toi said that some opinions suggested regulating the ban on the purchase and sale of personal data to suit reality and unify the legal system.
Many opinions suggested considering the regulation on a fine of 1-5% of revenue; it is necessary to stipulate a fine commensurate with the damage or benefits gained from the violation; propose regulations to unify with the law on handling administrative violations.
Regarding prohibited acts, the draft law expected to be accepted and revised has focused on stipulating strictly prohibiting common and high-risk acts such as processing personal data to fight against the State; obstructing personal data protection activities.
It is strictly forbidden to take advantage of personal data protection activities to violate the law; illegally collect, store, disclose, and transfer personal data; buy and sell personal data (except where otherwise provided by law); appropriate, intentionally expose, or lose personal data.
Regarding the handling of violations of the law on personal data protection, the draft law stipulates that the handling principle is to depending on the nature, extent, and consequences for which administrative sanctions or criminal prosecution are imposed; if damage is caused, compensation must be paid.
Regarding administrative fines, due to the serious nature and consequences of violating regulations on personal data protection, it is necessary to stipulate higher fines to ensure deterrence for large enterprises, especially multinational corporations or technology enterprises with revenue of thousands of billions of VND.
Based on the experience of the European Union and some countries, the draft stipulates that for the act of buying and selling personal data, a fine of up to 10 times the revenue from the violation can be imposed.
For violations of regulations on cross-border personal data transfers, the maximum fine is 5% of the previous year's revenue; for other violations, the maximum fine is 3 billion VND.
At the same time, the fine for individuals is partly equal to two fines for organizations. The Government is assigned to specify in detail the fine levels, the fine framework and the method for calculating illegal fees.
Chairman Le Tan Toi also said that there are opinions suggesting reviewing to ensure consistency with the regulation on cross-border data transfer in the Data Law, in line with international commitments, without creating administrative barriers and to promote digital trade.
Therefore, it is recommended to add conditions when transferring data abroad; suggest adding cases that need to immediately update impact assessment records to ensure strictness; regulating in accordance with integration trends, reducing compliance costs for businesses.
Regarding cross-border personal data transfers, the draft law has revised the name of the Article and agreed the term " cross-border personal data transfer" with the provisions of the Data Law.
Apply the post-inspection mechanism through the dossier to assess the impact of cross-border personal data transfers and only check when necessary, instead of requiring prior permission in most cases, creating convenience for businesses.
