It is suggested that personal data violations, which are increasingly common these days, need to be recognised as criminal offences. — VNA/VNS Photo Minh Tuấn

HÀ NỘI — With the number of internet users in the country rising to 68 million (two-thirds of the total population) in recent years, the Vietnamese are becoming more susceptible to falling victim to data breaches. 

In fact, major personal data leaks have revealed how private information is shared and sold in Việt Nam as criminals take advantage of insufficient laws and legal frameworks. 

A quick search of the Vietnamese phrases “buy list of ID cards” or “buy customer data” return numerous websites offering thousands of contacts.

The data are even classified into different categories, which specify the contacts’ occupation, consumption habits, residences, and even families. 

Depending on the size, these data packages can be sold for dozens to hundreds of millions of Vietnamese dong.

In May 2021, a 17-gigabyte database, supposedly containing ID information of more than 10,000 Vietnamese citizens, was put up for sale for more than US$9,000. 

The seller, who uploaded the now-deleted post to the online underground marketplace RaidForums, was said to only accept payment in cryptocurrency to avoid leaving any trace.

Around the same time, the Department of Cyber Security and High-technology Crime Prevention (also known as A05, under the management of the Ministry of Public Security) cracked down on a major inter-provincial ring that conducted illegal trading of over 1,300 gigabytes (1.3 terabytes) of personal data. 

Collected from various sources through different methods, this data was then acquired in large quantities by multiple businesses for their own gains. 

According to A05 deputy director Colonel Nguyễn Ngọc Cương, data leak and sales have been an issue in recent years.

There have been an increasing number of individuals and organisations that collect user data without consent for various purposes.

Dr Chu Thị Hoa, deputy director of the Institute of Legal Science (under the Ministry of Justice), also raised concerns that many internet users are not aware of personal data protection.

The fact that multiple people readily share their own profiles, relationships, health or financial status, or even biometric information on social media also creates a favourable condition for automatic data collection.

She also noted that Việt Nam's legal system has yet to use the term 'personal data', which means this definition is yet to be determined according to the laws.

There are also several legal documents regarding personal information that overlap or even conflict with one another.

For example, Decree No. 52/2013/NĐ-CP stated that information that one has made public about oneself on the media is not considered personal information.

Meanwhile, Decree No. 72/2013/NĐ-CP wrote that all personal information, whether it is private or made public, is deemed personal information.

Buying and selling data has become easily accessible, but the situation is also getting more complicated with many people exploiting legal loopholes for business purposes.

Multiple enterprises even allow their partners to access the customer database without concrete rules or restrictions, which can result in data leaks.

Disclosure of such personal data is not only a violation of privacy but can also lead to other illegal acts such as phone, computer or internet scams, warned Colonel Cương.

He also suggested that personal data violations, which are increasingly common these days, need to be recognised as criminal offences.

These acts include setting up illegal large-scale systems to collect personal data; developing spy software; large-scale trading of personal data; and the illegal disclosure of personal data that cause damage to life or assets.

Colonel Cương also proposed increasing fines for this type of privacy violations, comparing the substantial difference in penalties between the EU's General Data Protection Regulation and the Vietnamese laws.

On the role of State management, Deputy Minister of Information and Communications Phạm Đức Long has also announced that in 2022, the ministry will submit proposals regarding legal frameworks on data for approval from the Government and the National Assembly.

While acknowledging that the country already has a basic legal framework for personal data protection, Dr Hoa also agreed that the laws need to be further developed in the upcoming time.

It is necessary to have fundamental, long-term solutions instead of situational responses, she said. — VNS