Citizen ID data is among the riskiest personal data to be exposed, yet it is readily available on the internet. VNA/VNS Photo Minh Sơn

Anh Đức

I was riding a bicycle in the early morning when an unknown call came.

When I answered the call, an eerie robotic voice replied: "Dear Mister, please help us spread this message to Mrs. T., whose payments are behind..."

I did not know the names of the people mentioned in the call. And then another call came, asking if I was willing to open a stock brokerage account, which services I have never registered for before.

After having done some research, I found out that my phone number was exposed, leading to dozens of spam calls daily.

But receiving spam calls and having your phone number and personal data exposed is not the most problematic result of loose data privacy protection, an aspect that both the public sector and the private sector in Việt Nam are currently working towards a compromise on, and eventually, a law on private data protection.

Little photo, big problems

A common practice in registering for loans or applying for jobs or programmes, requires people to send a picture or a scanned version of the Citizen Identification Card, which includes two sides of the card that contain the QR code, fingerprints, and multiple pieces of personal data.

Some people also save these pictures and store them on their phones or computers in order to use them in the future if necessary.

However, according to authorities, citizens are putting themselves at risk of getting defrauded or having to pay for loans they never applied for.

Some finance apps now offer easier ways for people to apply for loans, to the point that they only require a two-sided copy of the Identification Card and information also available in the card, such as home address, birthday, etc. Some conmen even go further and register for a credit card using the information they have and the ID card photos that they have stolen.

This led to victims receiving spam calls about a loan that was already overpaid, but they never applied for in the first place. Should the person deny and ignore the calls, their information may sometimes be defamed by an unknown party on social media. Friends and relatives of the person (and even friends of friends) are also contacted and harassed by these calls.

In 2013 before graduation, my high school class decided to print out a yearbook that contained phone numbers and home address of everyone, as a way to keep us connected later on. As naive and silly kids, we never knew that ten years on the yearbook would bite us back.

Just after the pandemic, spam calls started to spread in our class about a classmate named A having an unpaid financial loan. The callers were no-nonsense in their approach and even went as far as hurling insults towards the classmates that did not have any idea what was going on.

We were stunned and did not know why our phone numbers were exposed and identified, until I rolled up my sleeves and did a quick Google search on my name and phone number.

It turned out that the printing company that did our yearbook decided to post the whole yearbook online in the form of a PDF for advertising purposes. The spam caller did the same thing as me. A search on A's phone number with her name and found the yearbook, which he then used the remainder of the phone numbers to harass.

It's startling when you know how companies handle your private data. After the leak was found, I immediately contacted the printing company and got the yearbook taken down with an apology. But who knows what damage might have been done during the past decade?

According to a conference in September held by the Department of Cyber Security and Crime Prevention, during the first half of 2024, three terabytes of data were breached in hacker attacks, with the damages totalling US$10 million.

Notable cases of data breaches found 12.3 million lines of data stolen within 201,903 packages, leaked by ransomware and malware.

As data shows, even big corporations fail to do enough to protect customer data and the government's new Draft Law on Personal Data Protection comes in as a new way to regulate and protect citizens from complications of the new digital era.

Nguyễn Hồng Quân, Strategic Advisor on National Data & Policy Circles and former Deputy Director-General of the Department of Foreign Affairs, Ministry of National Defence speaking at a conference in Hà Nội. Photo courtesy of the Ministry of Public Security

The saviour of the new resource

At a recent scientific conference titled 'National Data Strategy – Contributing to the Development of the Personal Data Protection Law,' held in Hà Nội in October by the Ministry of Public Security, protection of personal data was brought to the forefront of the debate.

"Data is regarded as the 'new oil' of the 21st century, crucial in driving economic growth, innovating governance and improving quality of life," said Nguyễn Hồng Quân, Strategic Advisor on National Data & Policy Circles and former Deputy Director-General of the Department of Foreign Affairs, the Ministry of National Defence.

The draft Law on Personal Data Protection, heavily discussed in the conference, is currently under construction and is slated to be effective on January 1, 2026, with a vision to enhance the legal framework governing personal data in Việt Nam.

The draft law categorises personal data into two types: basic personal data and sensitive personal data. It outlines the rights and obligations of individuals and organisations involved in data processing, emphasising the necessity of obtaining explicit consent from data subjects.

Additionally, the draft law proposes stringent penalties for violations, including substantial fines and potential criminal charges, to ensure compliance and protect individuals' privacy rights.

An additional report from petrol firm Petrolimex on the impact of personal data protection laws on businesses revealed the significant adjustments enterprises are required to make under the evolving regulatory landscape.

The report emphasised that transparency and ethical data practices are not only compliance requirements, but also essential for building consumer trust in a competitive marketplace. It warned that failing to meet these obligations risks financial penalties and reputational damage, with long-term consequences for consumer confidence.

The report notes: "Personal data protection is increasingly seen as a cornerstone of business ethics in the digital age".

However, significant challenges remain in implementing data protection laws effectively. A high financial cost, lack of awareness and expertise, as well as complexities in managing cross-border data transfers hinders businesses from successfully implementing the measures to comply with regulations.

This is even harder for small- and medium-sized enterprises, whose limited resources create greater hurdles.

"The effective protection of personal data requires collaboration between legal frameworks and practical business implementations," said Quân, who also acknowledged these challenges.

To improve personal data protection, several recommendations emerged from the discussions.

Public awareness campaigns were identified as crucial for educating individuals and businesses about their roles in protecting personal data.

Training programmes for employees and stakeholders were also highlighted as essential for understanding and implementing privacy measures.

Quân urged enterprises to adopt a proactive stance by integrating data protection into their core strategies, describing it as both a legal obligation and a moral responsibility to safeguard individual rights in the digital age.

Additionally, collaboration between governments and enterprises to create practical, enforceable regulations was emphasised as vital for addressing emerging challenges.

However, the most reasonable and practical way is for every individual to take charge and protect their own personal data and not rely upon any third party.

Methods such as making passwords more complex and updating firewalls are crucial in preventing data breaches from hacks, and internet users are also advised not to publicise personal data such as supplying a phone number, email or personal ID, or sending them to other individuals or organisations without a legal privacy policy.

As the age of AI and cloud computing emerges, data is becoming a new resource of the future, with governments and businesses racing for control. Personal data is not an exception, and its value should be treated as if we are all holding a gold bar in our hands.

It is crucial that individuals, businesses and governments must work together to protect this new resource and only then will we be able to harness it to advance into a new era of digital greatness. VNS