Page 157 - ISC PROCEEDINGS 21.4
Cyberattacks aimed at stealing personal data: Cyberattacks targeting the theft of
personal data are increasing both in number and sophistication. Attackers often employ
complex techniques such as phishing attacks and malware to obtain personal data.
Phishing refers to a fraudulent attempt to trick users into providing sensitive information
such as passwords, credit card numbers, or social security numbers, often by sending
emails or text messages that appear to originate from legitimate organizations, such as
banks or government agencies. Malware refers to any type of software designed to
damage computer systems, such as viruses, worms, or Trojan horses. Malware can be
used to steal data, corrupt files, or take control of computer systems.
Limited awareness among citizens and businesses regarding personal data
protection: Many citizens are not fully aware of the importance of protecting personal
data and do not clearly understand the legal provisions regarding personal data
protection, as well as their rights and obligations in safeguarding such data. Likewise,
many enterprises have not fully recognized their responsibilities in protecting the
personal data of customers and employees.
Limited enforcement capacity of regulatory authorities: Relevant authorities still lack
sufficient resources, funding, and technological tools to conduct inspections, carry out
supervision, and handle violations related to personal data protection. In particular, investigating
and prosecuting cybercrimes involving personal data violations is challenging due to the
complex nature of these cases.
Overall, Vietnam has made efforts to establish a legal framework for personal data
protection. However, the practical enforcement of these laws still faces many difficulties
and challenges. The legal system still contains several shortcomings, public and corporate
awareness remains limited, and the enforcement capacity of regulatory authorities has
not yet met practical requirements.
To enhance the effectiveness of personal data protection in business activities in
Vietnam, comprehensive and coordinated solutions are needed. These include improving
the legal framework, raising awareness among citizens and businesses, and strengthening
the enforcement capacity of competent authorities.
Although several legal provisions related to personal data protection have been
introduced, Vietnam’s legal system in this field still contains many unresolved issues. This
study therefore identifies shortcomings in the legal framework, such as the lack of
effective monitoring and supervision mechanisms for personal data protection, the
absence of clear regulations on handling violations in cyberspace, and insufficient
provisions for protecting individual rights when personal data is compromised.
4. Recommendations for improving the legal framework for personal data protection in business in Vietnam
Given the recent enactment of the Law on Personal Data Protection 2025, legal
reform in Vietnam should no longer be framed simply as the need to create a dedicated
law. The more important task is to improve the coherence, specificity, and enforceability
of the broader legal regime governing business-related personal data processing. On that
basis, several recommendations may be proposed.
First, the law should clarify the requirements for valid consent in digital business
environments. Consent should be freely given, specific, informed, and demonstrable.
Businesses should not be allowed to rely on bundled consent clauses hidden in lengthy
standard terms where users are unable to distinguish between necessary processing and
optional data uses. The legal framework should also expressly ensure that the withdrawal

