Ha Sy Dong, a National Assembly deputy from Quang Tri, noted that many provisions in the draft suit large enterprises or data-related businesses like social media, telecommunications, online gaming, internet services, banking, securities, and insurance. However, the draft does not cover small-scale cases, imposing too many obligations and procedures on these businesses and individuals.

Under the definition of personal data, lists of employees and customers are considered personal data, and those holding them must fulfill numerous obligations. 

A pho shop with just a three-waiter staff and a salary ledger also has personal data. A rice shop offering delivery has a list of customer names, addresses and phone numbers, which are also personal data. A class has a list of students with names, birth dates, and phone numbers.

The pho shop owner, rice shop owner, and teacher would be considered personal data controllers and have obligations under the draft law. They would have to obtain consent from data subjects when collecting information.

For example, the teacher could not ask student A about student B’s phone number but must ask B directly. If data is breached, they must report to the Ministry of Public Security’s data protection agency. 

They could face police inspections about protecting waiter lists or rice buyer lists. These records must be stored for audits, and if they operate for more than five years, they must hire a data protection expert.

The draft only exempts small businesses from hiring data protection experts for the first five years. Other obligations, like preparing impact assessment files, reporting to authorities and undergoing inspections, still apply.

High costs

Dong argued that with hundreds of thousand of businesses and millions of employers, compliance costs would be immense. He suggested easing procedural burdens, proposing exemptions for cases involving data of 100 people or fewer from impact assessments and expert hiring, while ensuring no leaks or misuse. Educational institutions should also be exempted from impact assessments or hiring experts for student data.

Nguyen Minh Duc, a National Assembly deputy from HCM City, said personal data cells would constitute all Big Data (big data, database), creating a large resource in digital transformation. Thus, it would be difficult to manage by law when both carrying out digital transformation and protecting personal confidential data.

Duc also mentioned that data in the fields of finance, credit and health is shared frequently. Every day, hundreds of delivery workers handle countless buyer contacts, involving vast personal data. 

"How do we control those people to protect data? And will the seller or the delivery person be considered a data controller or a third party?" 

People are frustrated with spam calls, and don’t know how criminals can obtain phone numbers, ID numbers, or even electricity bills, using them to extort or threaten. Duc asked where these leaks originated and called for clear provisions to prevent data breaches.

Bui Xuan Thong, a National Assembly deputy from Dong Nai, said personal data is widely exploited for crimes, like stealing identities to create “bogus” companies. 

Some individuals, preparing to board international flights, discovered that they were banned from exiting the country due to tax debts. But they had never established any business. The truth was that their data was misused to establish fraudulent firms for tax evasion, causing them harm and legal risks. Thong noted the draft lacks robust solutions for such issues.

Quan Minh Cuong, Cao Bang Provincial Party Committee Secretary, said the issue of personal data breaches and misuse is an urgent one. Protecting personal data in cyberspace is extremely challenging.

Cuong said he accidentally clicked on a real estate ad, and received 40-50 calls within a day promoting property projects. “This is a form of data leakage," he said.

Cuong stressed that in the digital environment, safeguarding personal data related to privacy, finance, and economics is immensely difficult. "When legislating, it’s essential to clarify how to handle cases of data breaches and misuse for malicious purposes," he said.

“Flight tickets include phone numbers, and right after landing, someone calls asking, ‘Do you need a taxi?’ " he said.

Viettel Cybersecurity Company recently released a 2024 report on cybersecurity in Vietnam, noting 14.5 million accounts were compromised, with much personal information and corporate documents openly sold on social media platforms.

Thai Khang