In an era where digital transformation is accelerating at breakneck speed, the issue of personal data leakage and illegal trading has emerged as a pressing threat to individual privacy and national cybersecurity. This problem is no longer a distant concern but a tangible risk affecting both urban and rural communities across multiple sectors such as banking, insurance, education, healthcare, and digital services.
Personal data—including names, phone numbers, addresses, identification numbers, purchase histories, location information, and even sensitive financial details—are being sold online at alarmingly low prices, often without the knowledge or consent of the individuals involved. This widespread insecurity stems from a combination of organizational negligence, user carelessness, and sophisticated cyberattacks.
The first major cause of this data vulnerability lies in the lax management and lack of responsibility by organizations and businesses that collect personal information. Many fail to implement adequate security measures when gathering data from customers. Instead, they often share this information indiscriminately with partners or allow employees to exploit it for private gain. The absence of well-defined personal data handling procedures leaves sensitive information exposed to unauthorized access, copying, and distribution.
Secondly, individual users themselves contribute to the problem through a lack of caution. When registering for accounts, engaging on social media platforms, or using free applications such as Facebook, TikTok, Shopee, CapCut, or unverified AI tools, many people readily share personal information without thoroughly reviewing privacy policies. These platforms often request broad access permissions, including contacts, location, photos, and videos. Once granted, this data can be harvested and repurposed for various undisclosed uses.
The third factor exacerbating data insecurity is the rise of high-tech cyberattacks. Cybercriminals deploy malware, phishing links, and malicious apps to seize control of users’ devices. These attacks silently extract comprehensive data—from messages and emails to images and banking login credentials. Many organizations, especially government agencies and businesses that neglect regular security software updates, fall victim to breaches exploiting system vulnerabilities. Such incidents not only violate personal privacy but also fuel large-scale fraud schemes.
Recognizing the gravity of these threats, the National Assembly Standing Committee convened on June 5, 2025, to deliberate on the urgent need for a Personal Data Protection Law. Delegates underscored the necessity of a robust legal framework to curb illegal data trading and impose stringent administrative penalties, particularly targeting large corporations and cross-border entities.
Le Tấn Tới, Chairman of the National Assembly's National Defense and Security Committee, emphasized the importance of severe fines to deter violations, stating, "Due to the serious nature and consequences of breaches in personal data protection, it is essential to set higher penalties to ensure deterrence, especially for large enterprises, multinational corporations, or tech firms with revenues in the thousands of billions of VND." The draft law proposes fines reaching up to ten times the illicit gains obtained from personal data violations. Additionally, organizations transferring personal data across borders unlawfully may face penalties up to 5% of their previous year's revenue, while other violations carry fines up to 3 billion VND. Individuals found guilty of similar offenses would be fined at half the rate imposed on organizations.
The draft law also delegates authority to the Government to specify detailed fine structures, penalty ranges, and methodologies for calculating unlawful profits. However, legal measures alone are not sufficient. Experts advocate for a comprehensive, long-term strategy that enhances public awareness of personal data rights and mandates transparency from businesses regarding data collection and processing practices.
Citizens are encouraged to take proactive steps to safeguard their data by managing sharing permissions on their devices, avoiding applications from unverified sources, and exercising caution when providing information to third parties. On the corporate side, implementing stringent security protocols—including clear data access controls, audit trails, encryption, and employee training—is critical to preventing internal data leaks.
Sectors handling vast amounts of sensitive information, such as technology companies, banks, and insurance providers, must invest in sophisticated cybersecurity infrastructures that comply with international standards. Furthermore, integrating digital safety education into schools, social organizations, and community programs is vital for cultivating a culture of information security from an early age.
Personal data is increasingly recognized as an extension of human rights. Its compromise poses not only technological risks but also significant challenges in social governance. The National Assembly's recent discussions highlight the delicate balance required between enforcing strict legal protections and maintaining flexibility to foster digital economic growth.
The Standing Committee’s session on June 5 also considered adjusting prohibited acts related to personal data trading to ensure the law remains both stringent and conducive to innovation. Such nuanced regulation aims to protect privacy without stifling the burgeoning digital economy.
Authorities have issued clear warnings and guidelines to prevent rampant data leaks and illegal sales across cyberspace. These include minimizing the sharing of personal information with unverified organizations or applications, strictly prohibiting unauthorized collection, sale, exchange, alteration, or public disclosure of lawful private data, and urging citizens to promptly report violations to local law enforcement agencies for timely intervention.
Ultimately, protecting personal data demands a collective effort. Only when individuals, organizations, and government bodies alike elevate their awareness and responsibility—and when supported by a comprehensive legal framework—can the hidden dangers lurking in the digital age be effectively mitigated.
