Page 156 - ISC PROCEEDINGS 21.4
However, Vietnam still lacks a specific law dedicated to personal data protection.
Existing regulations remain fragmented and inconsistent, which creates difficulties in their
uniform application. Some provisions remain general and lack practical feasibility, making
them difficult to implement in practice. In addition, there is currently no specialized
authority responsible for personal data protection, and state management in this field
remains overlapping and inefficient.
Moreover, enforcement mechanisms remain relatively weak and insufficient to
deter violations. The penalties imposed for violations are still relatively low and are not
proportional to the damages caused by such violations.
The legal system therefore remains incomplete. The absence of a dedicated
personal data protection law, together with fragmented and inconsistent legal provisions,
creates challenges for both the application and enforcement of the law. Some regulations
remain overly general and lack detailed guidance, which further complicates their
implementation in practice.
At the same time, the rapid development of technology poses new challenges for
personal data protection. Cyberattacks are becoming increasingly sophisticated and
complex, while legal regulations have not kept pace with technological developments. In
the digital era, personal data no longer includes only traditional information such as
names, addresses, and identification numbers but also encompasses online information
such as IP addresses, cookies, and location data.
Distinguishing between personal data and non-personal data, as well as between
personal data and publicly available data, requires clear criteria that are compatible with
technological developments. However, the current legal framework has not yet provided
specific regulations addressing these issues, thereby creating difficulties in determining
the scope of legal application.
Therefore, Vietnam needs to promptly enact a Personal Data Protection Law to
establish a comprehensive, coherent, and unified legal foundation. Such a law should
apply to all organizations that process the personal data of Vietnamese citizens,
regardless of whether those organizations are located in Vietnam or abroad. At the same
time, it is necessary to strengthen the rights of data subjects in controlling their personal
data and to clearly and specifically define the obligations of data controllers and data
processors in order to ensure legal compliance.
Furthermore, an effective enforcement mechanism should be established to
strengthen the implementation of personal data protection laws, including the
application of strict sanctions against violations.
3.3. Practice of enforcing personal data protection in Vietnam
In recent years, violations of personal data protection laws have become
increasingly common and sophisticated, causing serious impacts on the legitimate rights
and interests of individuals and organizations.
Illegal collection, storage, and use of personal data: Many businesses and
organizations collect customers’ personal data without obtaining their consent, fail to
fully inform individuals about the purpose of data collection, or use personal data for
purposes other than those initially announced.
Disclosure and leakage of personal data: Numerous large-scale incidents involving
personal data leaks have occurred, causing significant damage to data subjects. The
primary cause is that many enterprises and organizations have not fully implemented the
required measures to protect personal data in accordance with legal regulations.

