Urgent completion of personal data legal framework 

Oct 27 2024 | Digital Government

The sale of 17GB of data belonging to Vietnamese citizens on Raidforum once again highlights the severity of data and information security breaches. As data becomes the "heart" of the digital economy and is referred to as the "new oil," protecting users' information and data must be considered a pillar in the process of digital transformation, the development of the digital economy, and the digital society.


Illegal Data Trading on the Internet is Too Easy

According to technology experts, the 17GB of data being sold could contain information on 10,000 individuals, with the source of the data still unclear. Currently, many organizations and agencies, such as banks, real estate companies, stock markets, and more, require people to provide personal contact information and verify their identity.

Looking more broadly, personal data (preferences, travel patterns, online behaviors, etc.) collected by tech companies when people use their platforms (mobile apps, smart devices, etc.) may be analyzed and shared without users' consent.

The issue raised is how internet users can know how their personal data (names, phone numbers, thoughts expressed on platforms like Facebook, Zalo, etc.) is being collected every minute, every second by smartphones, often referred to as "digital humans"?

This "digital human" has thoughts, health, and behaviors that are expressed through personal "data." How can individuals know what is happening to that data? The benefits provided by the internet, social networks, and digital applications are clear, but what about the risks associated with them? These questions are becoming more pressing as humanity delves deeper into the digital era.

Reviewing the law on this matter, although there are regulations, they lack specificity and are scattered across 17 legal documents. At the law level, documents like the 2006 Information Technology Law, 2008 Health Examination and Treatment Law, 2010 Consumer Protection Law, 2015 Network Information Security Law, and 2018 Cybersecurity Law all contain provisions regulating the rights and obligations of entities related to personal data.

At the subordinate legal level, Decree 15/2020/ND-CP, Decree 117/2020/ND-CP, and Decree 98/2020/ND-CP regulate administrative penalties for violations of personal data in specific fields.

Recently, the government, led by the Ministry of Public Security, announced the full draft of a decree on personal data protection, which for the first time specifies personal data rights. These include the right to control data: the right to know what data exists about oneself on the internet; the right to permit or refuse the use, processing, or sharing of that data by third parties; and the right to be "forgotten," meaning to have data deleted when one no longer wants it to exist online.

To ensure the enforcement of these rights, organizations and individuals collecting data must implement measures to ensure these rights are upheld. If the decree is passed, it will mark a significant step in recognizing these rights and establishing enforcement measures and mechanisms.

However, the decree requires further adjustments to address concerns from businesses regarding the burden of obligations when implementing certain mechanisms and technical measures as outlined in the draft.

Continuing to Improve Legal Provisions

In the context of a rapidly advancing digital transformation, now is the time for the government to take stronger actions and make pioneering, practical strides in protecting personal data—an essential foundation for the digital economy.

There are two core issues that need to be addressed. The first is empowering data subjects and ensuring their ability to control their personal data. Data subjects are defined as the individuals whom the data reflects and who own that data.

They must have control over their personal data and be able to compel other entities to respect it by exercising their rights: the right to consent, the right to be notified when their data is processed or shared with third parties, the right to access (view), the right to edit, the right to request the restriction of data processing or of data sharing with third parties, and the right to request data deletion.

If a data breach occurs, the subject has the right to lodge a complaint and receive compensation.

Second, regulations should be clear about the responsibility of entities that process data to protect personal data. To begin with, it is necessary to categorize these entities in order to allocate responsibility: they should be clearly divided into data controllers and data processors.

A data controller is an individual, legal entity, agency, or organization that determines the purpose and means of processing personal data, either independently or in conjunction with another entity. A data processor is an individual, legal entity, agency, or organization that processes personal data on behalf of the data controller.

Each party must adhere to its obligations regarding personal data and may be limited in its responsibility when a data violation occurs. The relationship between the data controller and data processor is similar to the relationship between a service user and a service provider in a contractual agreement.

However, due to the sensitive and important nature of personal data, these entities are subject to certain binding legal obligations. Furthermore, data controllers/data processors must implement administrative and technical measures to protect personal data.

Attorney Truong Thanh Duc (ANVI Law Firm)

To ensure privacy and the necessary freedom in daily life, individuals do not want their personal information exposed or violated. In Vietnam, the handling of personal data breaches is generally slow, and penalties are weak, so they do not have sufficient deterrent effect, leading to an increasing number of severe violations.

Abroad, this is considered an extremely serious act that can result in imprisonment or fines of up to millions of USD. In the 2015 Civil Code and its 2017 amendments, there are provisions on protecting individuals, ensuring they are protected, and allowing them to file lawsuits or request corrections when their data is violated. However, this is only a principle, and applying it to specific cases is relatively complex. A more systematic approach is needed, and a law protecting personal data with detailed provisions should be enacted as soon as possible.

Nguyen Quang Dong - Institute for Policy Studies and Media Development.

(This translation was provided by an automated AI translation tool)
