On July 7, the Nghe An Province Public Security Department busted a group of suspects trading personal information across Facebook and closed Telegram groups. The seized evidence includes over 72.4GB of data containing upwards of 50 million pieces of personal information.
According to investigators, since June 2025, these individuals have been gathering, synthesizing, altering, and subsequently selling the personal data of cadres, civil servants, public employees, students, and business leaders across multiple localities to illicitly pocket more than VND1 billion (US$38,000).
Prior to this, the Dong Nai Province Public Security also dismantled a cyber ring that exploited the internet to illegally trade personal data managed by the police sector.
With personal data increasingly becoming a commodity for large-scale illicit trade, the Ministry of Justice has published the appraisal dossier for the draft amended Penal Code, which was primarily drafted by the Ministry of Public Security.
A major breakthrough of the draft is the proposal to append three entirely new offenses regarding personal data:
- The crime of infringing on personal data (Article 159a),
- The crime of illegally buying and selling personal data (Article 159b),
- The crime of obstructing personal data protection activities (Article 159c).
Among these, Article 159a recommends criminal prosecution for gathering, processing, exchanging, gifting, publicizing, appropriating, illegally using, or intentionally leaking and losing others’ personal data when statutory thresholds are met. Offenders can face a fine ranging from VND200 - 500 million ($7,600 - $19,000), non-custodial reform for up to three years, or a prison term from six months to three years.
If it’s an organized and professional crime that abuses positions and powers, garners illicit profits of VND400 million ($15,200) or more, causes damages from VND1 billion ($38,000) upward, or breaches the data of a massive number of subjects, the penalty could jump to a seven-year prison sentence.
For the illegal purchase and sale of personal data, the draft dictates even more severe punishments.
Depending on the volume of trafficked data and the illicit profits earned, perpetrators could be sentenced to between one and 10 years behind bars; the maximum penalty applies when trading the personal data of 25,000 people or more, or raking in illegal profits of at least VND1 billion ($38,000).
The draft also introduces the crime of obstructing personal data protection activities to tackle actions like intentionally concealing or providing false information about data breaches and establishing illegal technical barriers to hinder inspections and evidence collection.
For Dr Tran Thanh Thao from HCMC University of Law, adding these three new offenses is a necessary next step following the promulgation of the 2025 Law on Protection of Personal Data.
She explained that this law has quite adequately outlined the rights of data subjects alongside the responsibilities of data collectors, controllers, and processors. Yet, the Penal Code needs a solid legal foundation to handle dangerous violations that infringe upon human rights, personal rights, and privacy.
Evaluating the scope, Dr Thao noted that the three proposed offenses are relatively comprehensive, as Article 159a regulates acts directly violating personal data, whereas Article 159b targets illegal buying and selling to crack down on the illicit data market, and Article 159c handles acts opposing and obstructing data protection efforts.
For future amendments, Dr Thao suggested considering the expansion of criminal liability to commercial legal entities, because, in the end, many illegal data gathering and trading acts are executed through corporations and bring direct benefits to those exact entities.
Meanwhile, Director Vo Do Thang of the Athena Cyber Security Training and Consulting Center observed that high-tech criminals don’t just limit themselves locally; they can currently target victims across multiple localities and even nations simultaneously.
The addition of these new offenses will create a much clearer legal groundwork to investigate and process violations, protecting citizens against the increasingly sophisticated spread of false information, personal data leaks, and online scams.
The Law on Protection of Personal Data, passed by the National Assembly in June 2025, comprises five chapters and 39 articles, and takes effect on January 1, 2026. This law outlines the core principles of personal data protection, the rights and obligations of data subjects, and the responsibilities of agencies, organizations, and individuals in gathering, processing, and utilizing personal data.
Ultimately, alongside the Cybersecurity Law, the Law on Network Information Security, and guiding documents, the integration of three new criminal charges into the draft amended Penal Code will contribute to perfecting the legal corridor for safeguarding personal data and tangibly protecting citizens in a digital society.