Have countries around the world banned the sale and purchase of personal data?

    Posted on: 05/06/2025

    In the era of digitalization, personal data has become a valuable resource, often likened to the "new gold" of the 21st century. From browsing history, consumption habits, and geographic location to biometric characteristics such as faces or fingerprints, any information about an individual can be collected, analyzed and, in many cases, bought and sold for commercial, research or even illegal purposes. However, the explosion of data breaches – such as the Cambridge Analytica case in 2018[1] or large-scale data breaches at tech corporations – has raised privacy concerns and created an urgent need for tight control over the sale of personal data.

    So, do countries around the world ban this behavior? The answer is not simple and depends on the legislative philosophy, the level of technological development, and the cultural perspective on privacy in each country. Some countries, especially in Europe, consider personal data as a fundamental human right and apply strict regulations. Meanwhile, in other regions, such as the United States, the approach is somewhat more flexible, creating a legal gray area where personal data is still widely traded. In this article, we will analyze the legal frameworks in key regions of the world – Europe, North America, Asia, Oceania, and South America – to clarify how countries handle the purchase and sale of personal data, while assessing global trends and making recommendations for Vietnam.


    Lieutenant General Le Quoc Hung, Deputy Minister of Public Security, clarified key contents of the draft Personal Data Protection Law at the 46th Session of the National Assembly Standing Committee. Source: National Assembly.


    1. Europe, where privacy is an inviolable right

    Europe is a pioneer in the protection of personal data, considering privacy as a fundamental human right, on a par with the rights to freedom of expression or freedom of movement. The General Data Protection Regulation (GDPR), issued by the European Union (EU) in 2016 and effective in 2018, is the world's most comprehensive and stringent legal framework for personal data protection. The GDPR applies to all 27 EU member states and global companies that process the data of EU citizens, regardless of where their headquarters are located.

    GDPR and the principle of consent

    Under the GDPR, any processing of personal data, including the collection, storage, sharing, or sale of data, must be based on one of six legal bases, of which the explicit consent of the data subject is the most important factor in commercial transactions. The sale and purchase of personal data without consent is considered a serious violation. Violating businesses can be subject to administrative fines of up to 20 million euros or 4% of annual global revenue, whichever is higher[2].

    Typical cases in France and Germany

    In France, the National Commission for Informatics and Freedoms (CNIL) is the GDPR enforcement agency and has strong powers. In 2019, the CNIL fined Google 50 million euros for violating the GDPR through a lack of transparency in the collection and use of user data[3]. Similarly, in Germany, the Federal Data Protection Agency (BfDI) has adopted tough measures. Germany not only applies administrative penalties but also criminalizes illegal data trading. Under Article 42 of the German Federal Data Protection Act, knowingly selling sensitive data (such as medical or biometric information) can result in imprisonment for up to 3 years[4].

    UK regulations

    After Brexit, the UK enacted the UK GDPR, a localized version of the GDPR with similar regulations. Companies operating in the UK must strictly comply with consent and transparency requirements when processing personal data. In 2021, the UK Data Protection Authority (ICO) fined British Airways £20 million for a data breach affecting more than 400,000 customers[5], showing the seriousness of law enforcement.

    Europe sets the gold standard for the protection of personal data. Buying and selling data without explicit consent is not only prohibited but also heavily punished. This view reflects the philosophy of treating privacy as a fundamental human right, which cannot be arbitrarily commercialized.

    2. Flexibility of the North American region

    North America, especially the United States and Canada, takes a significantly different approach from Europe, reflecting a preference for business freedom and differences in the legal system.


    The United States, protecting personal data with practice and substance

    Unlike Europe, the United States does not have a federal personal data protection law. Instead, regulation is fragmented by industry (such as HIPAA for healthcare, GLBA for finance, and COPPA for children) and by state. This creates a complex legal environment in which the sale and purchase of personal data is still common, especially in online advertising.

    The state of California leads the way with the California Consumer Privacy Act (CCPA, 2018[6]) and the California Privacy Act (CPRA, 2020). These laws give people control over their data, including the right to opt out of the sale of personal data. Notably, the concept of "selling" in the CCPA/CPRA is not limited to transactions for money but also includes the sharing of data in exchange for commercial gain. For example, a company that shares user data with an advertising platform in exchange for a service can be considered to be "selling data."

    At the federal level, lengthy and confusing terms of use are often used to collect user consent, so many people are not really aware that their data is being traded. The 2022 lawsuit against Meta[7], alleging unauthorized sharing of user data with advertisers, is a testament to the legal risks of this model.

    Canada prioritizes consumer data protection

    Canada takes a stricter approach through the Personal Information Protection and Electronic Documents Act (PIPEDA). This law requires businesses to obtain explicit consent before collecting, using, or sharing personal data. Selling data without consent can result in fines of up to CAD 100,000 under federal law. In Quebec, Act 64 (2021) tightens this further, with a fine of up to CAD 10 million or 2% of global revenue[8].

    It can be seen that, while Canada adopts a uniform approach focused on consumer rights, the United States shows fragmentation, with states such as California, Virginia, and Colorado leading the way in data protection while other regions still lack clear regulations. This creates a vibrant personal data market, but one fraught with legal risks.

    3. Asia is rapidly shifting the direction of personal data protection

    Asia is a region that has seen a dramatic shift over the past decade, with many countries enacting or amending laws to more tightly control the sale and purchase of personal data.

    China with a strict regulatory framework

    The Personal Information Protection Law (PIPL), which came into effect in 2021, marks a turning point in China's approach to privacy. The PIPL requires explicit consent before processing personal data and prohibits the unauthorized disclosure or sale of data. Violations can be fined up to 50 million yuan (about $7 million) or 5% of the previous year's revenue. In serious cases, violators can be imprisoned for up to 7 years under the Criminal Code. The 2022 sanction against Didi Global, with a fine of 8 billion yuan for violating the PIPL, is a good example of the Chinese government's toughness[9].

    Japan and South Korea are close to global standards

    Japan, with the Act on the Protection of Personal Information (APPI), and South Korea, with the Personal Information Protection Act (PIPA), both require consent before sharing data with third parties. Recent amendments have tightened the "opt-out" mechanism (which allows users to opt out of data sharing) and increased the penalties. In South Korea, violations can result in up to six years in prison[10], while Japan imposes administrative fines of up to 100 million yen (about $700,000)[11].

    Singapore and India with a modern regulatory framework

    Singapore's Personal Data Protection Act 2012 (PDPA) does not prohibit "sale" in those specific words, but the law requires consent for any disclosure, so selling information without consent is illegal. In addition, the PDPA has its own Do Not Call provisions – prohibiting the sale and purchase of contact lists for advertising where the users have registered to block such messages, and requiring explicit consent before their data is shared. Following the amendment of the PDPA in 2022, Singapore has increased the penalty for violations to S$1 million or 10% of annual revenue[12].

    India enacted the Digital Personal Data Protection Act (DPDPA) 2023. The new law requires that all processing of digital personal data have a lawful basis (usually the consent of the individual, or exceptions such as serving the public interest or a legal obligation). Selling or transferring personal data to other parties for purposes other than those lawfully permitted is a violation of the law. The DPDPA also emphasizes responsibility for data security – companies must ensure that no data is leaked, and negligently allowing a personal data leak to occur is also considered a serious violation. Strict limits apply, with fines for buying and selling personal data of up to 250 crore rupees (equivalent to about 30 million USD)[13].


    The logo of Chinese e-commerce platform Temu is seen on a mobile phone displayed in front of its website. Source: Korea JoongAng Daily


    4. Oceania and South America are gradually integrating with global standards

    Australia strengthens oversight of personal data protection

    The Privacy Act 1988 and the Australian Privacy Principles (APPs) strictly control the use and disclosure of personal information. Organisations may only use or disclose (including sell) personal data for secondary purposes with the consent of the individual or as permitted by exceptions in the law. Therefore, selling customer data to another party without permission violates the use limitation principle. Australia is also discussing amending the law to further strengthen individuals' control over their data (including the right to object to the sharing of data for commercial purposes). Recent amendments have increased fines to up to AUD 50 million or 30% of annual turnover[14], reflecting the trend towards integration with standards such as the GDPR. The Australian Information Commissioner (OAIC) has handled multiple breaches, such as the 2022 Optus penalty involving the data breach of millions of customers.

    Brazil is a typical example of the GDPR model in South America

    Brazil's General Data Protection Law 2018 (LGPD), which came into effect in 2020, builds on the GDPR model. The LGPD stipulates that the processing of personal data (including transfer to third parties or commercialization) must rest on one of the legal bases permitted by law (e.g. the consent of the data subject, the performance of a contract, or a legal obligation). The sale and purchase of personal data without a lawful basis is considered a violation, as under the GDPR. Brazil regularly emphasizes the principles of transparency and purpose limitation – companies that collect data for purpose A must not arbitrarily sell it to another party for use for purpose B without the consent of the data subject. Unauthorized sale of personal data is prohibited, with a fine of up to 2% of revenue in Brazil, up to 50 million Reals per violation[15]. The National Data Protection Authority (ANPD) is stepping up enforcement, with major fines targeting tech companies.

    Analysis from the above regions shows a clear trend that countries are increasingly tightening the purchase and sale of personal data, especially in the absence of consent from data subjects. Regulatory frameworks such as the GDPR (EU), PIPL (China), and LGPD (Brazil) are becoming models for other countries. Even countries that used to have a flexible approach, such as the United States, have begun to enact state-level regulations to protect privacy.

    The rise in data breaches — such as the 2017 Equifax data breach in the U.S.[16] or the investigation of TikTok in the EU — has prompted lawmakers to act quickly. According to a 2023 report by IBM Security, the average cost of a data breach globally is $4.45 million, an increase of 15% compared to 2020. This emphasizes the importance of strict regulations to protect consumers and minimize financial risks for businesses.


    The sale and purchase of personal data is being increasingly tightly controlled globally, with many countries banning it altogether or requiring explicit consent from individuals. From Europe with the GDPR and Asia with the PIPL to South America with the LGPD, lawmakers are sending a clear message that personal data is not an ordinary commodity. In a digital world, protecting privacy is not only a legal issue but also an ethical requirement, calling for collaboration between governments, businesses, and individuals to build a secure and sustainable digital ecosystem. Given this global trend, Vietnamese lawmakers can boldly draw on these models to make appropriate regulations on the buying and selling of personal data. However, we believe that lawmakers should also carefully consider a model, or more specifically a regulation, that is unique and empathetic to the context of Vietnam and Vietnamese businesses, rather than choosing regulations that are close to the world but far from reality.

    Lawyer Nguyen Van Phuc

    HM&P Law Firm

    Read more: Khung pháp lý và cách các quốc gia xử lý việc mua bán dữ liệu cá nhân


    [1] https://www.theguardian.com/news/2018/mar/17/cambridge-analytica-facebook-influence-us-election, accessed on 05/06/2025

    [2] https://gdpr-info.eu/art-83-gdpr/, accessed on 05/06/2025