Page 155 - ISC PROCEEDINGS 21.4

of processing, and data portability (Tikkinen-Piri et al., 2018). Data breaches must be
                  reported within 72 hours. Penalties may reach €20 million or 4% of global revenue.
                        Japan: Japan enacted the Act on the Protection of Personal Information (APPI) to
                  respond to the needs of the digital economy. The law establishes clear principles for
                  collecting, storing, and processing personal data and requires prior consent from data
                  subjects before sharing data with third parties (Miyashita, 2021; Murata & Orito, 2020).
                        Australia: Australia strengthened personal data protection through the Australian
                  Privacy Principles (APPs), consisting of 13 principles governing the collection, storage, use,
                  and access of data (Phillips, 2024). The law also requires notification in cases of serious
                  data breaches (Paltiel, 2023).
                        Singapore: Singapore enacted the Personal Data Protection Act (PDPA), establishing
                  clear legal standards for collecting, using, and disclosing personal data, requiring
                  organizations to obtain consent before processing data and appoint data protection
                  officers (Chik, 2013).
                        Korea: The Personal Information Protection Act (PIPA) is one of the strictest
                  personal data protection laws in Asia. It requires organizations to collect only necessary
                  data, ensure transparency in data usage purposes, and prohibits cross-border data
                  transfer without consent (Ko et al., 2017).
                        3.2 Current legal framework for personal data protection in Vietnam
                        Currently, Vietnam has formally adopted a dedicated Law on Personal Data
                  Protection 2025, effective from 1 January 2026. However, the enactment of this law does
                  not automatically eliminate structural issues in the broader legal framework, because
                  rules relating to privacy, cybersecurity, consumer protection, electronic transactions, and
                  civil rights remain distributed across multiple legal instruments. The central issue is
                  therefore no longer the absence of a dedicated law, but the coherence, enforceability,
                  and institutional coordination of the legal regime. Regulations on personal data
                  protection are scattered across several legal documents. For example, Article 21 of the
                  2013 Constitution stipulates the inviolability of private life, personal secrets, and family
                  secrets, as well as the right to protect one's honor and reputation. In addition, the Civil
                  Code of 2015, in Article 38, provides for an individual’s rights to his or her image, and
                  Article 124 stipulates the protection of personal privacy.
                        Furthermore, Chapter V of the Cybersecurity Law (2018) regulates the protection of
                  personal information in cyberspace. Article 26 of the Law on Electronic Transactions
                  (2005) provides for the protection of personal information in electronic
                  transactions. Article 34 of the Law on Protection of Consumer Rights (2010) stipulates the
                  rights of consumers concerning their personal information.
                        In addition, several subordinate legal documents have been issued. These include
                  Decree No. 13/2023/NĐ-CP dated April 17, 2023, which details a number of provisions of
                  the Cybersecurity Law regarding personal data protection, and Circular No. 25/2018/TT-BCA
                  dated December 28, 2018, which guides the implementation of certain provisions of
                  the Cybersecurity Law on personal information protection. These documents are
                  considered important steps in specifying the provisions of the Cybersecurity Law
                  regarding personal data protection.
                        These developments demonstrate that Vietnam has established an initial legal
                  framework for personal data protection, including regulations on principles, rights, and
                  obligations related to personal data protection, thereby contributing to raising awareness
                  among citizens and businesses about the importance of protecting personal data.

