The Ministry of Public Security has just issued a draft Law on Personal Data Protection (DLCN) with a number of important proposals.
Article 31 of the draft law stipulates the protection of DLCN with social networks, communication services provided directly to viewers via cyberspace. Organizations and individuals providing social networking services and communication services via cyberspace are therefore not required to ask users to take photos of their citizen identification cards and ID cards as an account authentication factor.
According to the drafting agency, the situation of DLCN disclosure is common in cyberspace. Users are not aware of protecting DLCN, posting publicly or disclosing it during the process of transferring, storing, exchanging for business operations or due to inappropriate protection measures, leading to being misappropriated and posted publicly.
Notably, citizens' awareness of personal data protection is still limited, ready to provide private information to take advantage of technology. Compliance with legal regulations (Decree No. 13/2023/ND-CP) on DLCN protection is still limited.
Many DLCN are being advertised for sale publicly, for a long time, with a large quantity on the internet. The buying and selling was conducted through websites, accounts, pages, groups on social networks, and blogger forums. Payment is made through bank accounts, many transactions clearly state the content of data trading.
The purchase and sale of DLCN does not only take place individually, between individuals, but also involves the participation of companies, organizations, and businesses.
Recently, the Ministry of Public Security has discovered hundreds of individuals and organizations related to selling DLCN. A number of large-scale data extortion and trading rings in Vietnam have been discovered, fought and handled. The number of illegally collected and traded DLCN discovered is up to thousands of GB of data, including many internal and sensitive DLCN.
The Ministry of Public Security assessed that there are no criminal sanctions against DLCN. Currently, crimes in this field are often proven to be two crimes in Article 159: Crimes of violating confidentiality or the safety of correspondence, phone, telegram or other forms of exchanging private information of others and Article 288: Crimes of illegally giving or using computer network information, telecommunications network with the highest sentence being 7 years in prison.
However, the Ministry of Public Security believes that there are no specific regulations on the components of DLCN trading activities, especially activities with the intermediaries of many individuals and organizations, so it is difficult to prove a crime.
With the current widespread situation of DLCN trading and handling, the lack of sanctions or sanctions that are not strong enough and not deterrent enough will not solve the situation.
The Law on DLCN Protection will therefore fully regulate the contents of DLCN protection, and violations will be based on the Law to propose appropriate forms and handling measures.
The DLCN Protection Law will be submitted to the National Assembly for comments at the 9th session (May) and approved at the year-end session.
