Concerns being raised for protecting digital data


The recent leak of 17GB of Vietnamese citizens' information, posted for sale by hackers on the Raidforum site, shows how serious the loss of information privacy and security has become.


As data is the core of digital technology, protecting user information must be a serious concern throughout all future digital transformation, the development of the digital economy, and the growth of a digital society.

Unlawful data breach

According to technology experts, the 17GB of data contains information on almost 10,000 people. It is also not clear exactly where this data was extracted from, as many organizations and agencies ask people to provide contact information and personal details of bank accounts, securities, or land and property documents. Broadly speaking, personal information such as preferences, travel itineraries, or behavior patterns is collected by technology companies when people use their platforms, such as phone apps, which makes it easy for any hacker to analyse or share it without the consent of the user.

The problem lies in how internet users reveal their personal data such as full name, phone number, and some thoughts on sites such as Facebook and Zalo via their smartphones. Users actually have no idea how and where this information is being stored and used. The internet sites, social networks, and digital applications clearly state that protective measures are in place and personal data will not be misused, but they do not talk about any associated risks. As humanity delves deeper into the digital age, people will have to question the tactics used in digital technology.

Although the law in Vietnam has provisions to prevent personal data from being accessed illegally, it lacks specifics and is scattered across nearly 17 legal documents. Laws such as the Law on Information Technology 2006, Law on Medical Examination and Treatment 2008, Law on Consumer Protection 2010, Law on Cyber-Information Security 2015, and the Law on Cyber Security 2018 all have provisions to protect the rights and obligations of subjects in matters concerning personal data. Decree 15/2020/ND-CP, Decree 117/2020/ND-CP, and Decree 98/2020/ND-CP have provisions on administrative penalties for acts of personal data breach in each specific area.

Recently, the Ministry of Public Security published the full text of the draft decree regulating the protection of personal data, which for the first time deals specifically with personal data rights. It covers the right to control data, the right to know what data you have on the network, the right to allow or not allow second parties to use this data, and the right to delete data when you no longer want it to exist on the network. Organizations and individuals collecting data are obliged to take measures to ensure the above-mentioned rights. If the decree is passed, it will be a big step forward in recognizing these rights and the measures and mechanisms for enforcing the lawful rights of the people. However, the decree needs further adjustments to address the concerns of businesses about the burden of obligations when implementing a number of mechanisms and technical measures stated in the draft.

Incomplete regulations

Currently, there are two core issues to deal with. The first is empowering the data subject and ensuring the subject's ability to control personal data. Data subjects are the individuals who own the data. They have the ability to control their personal data and to force other subjects to respect the right to consent, the right to be notified when their data is processed or shared with a third party, the right of access, the right to correct, the right to request restriction of data processing and data sharing with third parties, and the right to request deletion of data. If a data breach occurs, the subject has the right to complain and receive appropriate compensation.

The second is clearly defining the responsibility of the data processor to protect personal data. It is necessary to classify the type of subject that bears such a responsibility. Subjects who process personal data are classified into data controllers and data processors. Here, the data controller can be understood as an individual, legal entity, agency, or organization that determines the purpose and means of processing personal data, independently or with other subjects.

On the other hand, a data processor is an individual, legal entity, agency, or organization that processes personal data on behalf of the data controller. Each party must comply with and fulfil its obligations with respect to personal data, and be able to limit its risk of liability when a data breach occurs. The relationship between a data controller and a data processor is similar to that of a service user and a service provider in a contract.

However, due to the sensitive nature of all personal data, both are subject to a number of binding legal obligations. The subject that controls and processes personal data is required to take administrative and technical measures to protect all personal data, regardless. As the world moves towards rapid digital transformation, it is time for the Government to take stronger action and stern steps to protect the personal data of all people, which will then lay a strong foundation for a future digital economy.