National Assembly Deputy Chairman Trần Quang Phương speaks at the session. — VNA/VNS Photo Doãn Tấn

HÀ NỘI — The National Assembly (NA) Standing Committee on Thursday morning heard that fines could be larger for companies and individuals, when discussing the draft revised Law on Personal Data Protection.

Presenting a summary report on the draft law, Chairman of the NA's Committee on National Defence, Security and Foreign Affairs Lê Tấn Tới said that the draft was adjusted to apply to all individuals, agencies and organisations related to handling personal data.

The drafting committee incorporated comments from NA deputies and redesigned the data owners’ rights to make them clearer, in line with international practices, including the right to know, the right to consent, the right to access, view, edit or request data correction, the right to withdraw consent, the right to request processing restriction, the right to request data deletion and other rights.

Some deputies had proposed regulating buying and selling of personal data to fit the reality and be consistent in the legal system, consider imposing a fine of from one to five per cent of revenue for violations, regulate a fine commensurate with the damage or benefits gained from the violation, and regulate it in a consistent manner with the law on handling administrative violations.

Chairman Tới said that the committee worked with the drafting agency to make adjustments.

Accordingly, with regard to prohibited acts, the draft law focused on prohibiting common, high-risk acts, such as processing personal data to oppose the State. Also included are obstructing personal data protection activities, taking advantage of personal data protection activities to violate the law, illegally collecting, storing, disclosing, or transferring data, buying and selling personal data (except in cases where the law provides otherwise), appropriating, intentionally disclosing, or losing personal data.   

Regarding the regulations on handling violations related to personal data protection, the draft law has seven clauses. The clauses define handling principles that, depending on the level and consequences, administrative sanctions or criminal prosecution will be imposed. If damage is caused, compensation must be paid. 

Regarding administrative fines, due to the serious consequences, it is necessary to prescribe higher fines to ensure deterrence for large enterprises, especially multinational corporations or technology enterprises with revenues of thousands of billions of đồng.

Based on the European Union’s and several countries’ experience, the draft law stipulates that for acts of buying and selling personal data, the fine can be up to ten times the revenue obtained from the violation. 

As for acts of violating regulations on transferring personal data across borders, the maximum fine is five per cent of the revenue of the previous year.

For other violations, the maximum fine is VNĐ3 billion (approximately US$114,700), while the fine for individuals is half of the fine for organisations. 

The Government is responsible for specifying the fine level, the fine framework, and the method of calculating illegal revenue. 

Chairman Tới also said that post-inspection would be applied through the impact assessment of cross-border personal data transfer and only checked when necessary, instead of requiring prior permission in most cases, creating convenience for businesses.

Discussion

Explaining and clarifying some provisions in the draft law, Senior Lieutenant General Lê Quốc Hùng, Deputy Minister of Public Security and also representative of the law drafting agency, said that in the context of increasingly widespread digital transformation, most economic and social activities are shifting to cyberspace.

People's personal data are increasingly facing numerous risks of infringement, so it is necessary to prevent and address this problem. 

Personal data is closely linked to people, human rights and privacy rights, so it cannot be considered as ordinary goods and assets.

Because it is a special type of property, the requirements for exploitation and use must go with the highest and strictest level of protection.

Therefore, Senior Lieutenant General Hùng said that allowing personal data buying and selling meant allowing the buying and selling of human rights and the right to decide on the personal information of others.

He added that in the large-scale fraud cases that the Ministry of Public Security had cracked down on and was investigating, personal data leaking and trading was a very complicated problem today.

According to Hùng, the source of illegal personal data collection can be attributed to hacking activities, illegal transfer, buying and selling of personal data, or the use of high technology to obtain personal data for criminal purposes. 

Discussing the draft law, the NA Standing Committee agreed with the report of the Committee on National Defence, Security and Foreign Affairs.

Concluding the discussion, NA Deputy Chairman Trần Quang Phương requested the committee to preside over and coordinate with the drafting agency as well as relevant agencies to continue researching, reviewing and perfecting the draft law to ensure the Party's viewpoints on the issue and closely following the requirements of innovation in law-making. — VNS