Sharing personal data for illegal activities can lead to imprisonment

New law prohibits using others' personal data and allowing one's own data to be used for unlawful acts.

Vietnam's first law on personal data protection, passed by the National Assembly on 26/6 and effective from 1/1/2026, significantly expands on previous regulations found in Decree 13/2023. It covers a broader scope and specifically addresses data protection in sectors impacting the general public, such as labor, banking, media services, social networks, and insurance.

The law prohibits three key actions: using another person's data or allowing one's own data to be used for illegal activities; buying or selling personal data; and misappropriating, intentionally disclosing, or losing personal data.

Personal data sold for as little as 1,000 VND

The buying, selling, and leasing of personal information, facilitating illegal activities, has been a recurring issue addressed by investigative and judicial authorities in recent years. Personal data is widely traded on social media, sometimes for as little as 1,000 VND per user.

In a case cracked by Hue police in early 2022, five young people were found to have collected and traded 7,000 to 10,000 data entries daily. Over 14 months, they sold 6.2 million pieces of personal data nationwide, totaling 720 million VND.

Authorities advise people to protect their personal data and not lend, lease, sell, or allow others to use it for illegal purposes. Photo: Hai Thu

Authorities advise people to protect their personal data and not lend, lease, sell, or allow others to use it for illegal purposes. Photo: Hai Thu

Another common violation involves lending identification documents to open bank accounts or cards for criminal groups involved in fraud and money laundering.

In November 2024, a father and son in Dong Thap province sold three bank accounts to criminals for 9 million VND. They were fined 127.5 million VND for lending and selling bank accounts for payment purposes.

The son-in-law had seen an online advertisement seeking bank accounts and suggested the scheme to his father-in-law. The buyer used these accounts in an illegal immigration ring busted by Lang Son police, leading to the discovery of the account sales.

In these cases, those involved weren't criminally prosecuted because they were unaware the accounts would be used for illegal purposes. However, knowingly lending or leasing personal information or identification documents can lead to imprisonment.

In a December 2020 Hanoi People's Court case, three individuals in their 20s were hired by a Taiwanese individual to open Vietnamese bank accounts for 2 million VND each. They sold 12 accounts and withdrew 2.4 billion VND for the individual. This money belonged to fraud victims coerced by scammers impersonating police officers. The three admitted knowing the accounts would be used for fraud but proceeded anyway. They were convicted of fraud and sentenced to 7 to 13 years in prison.

Before the Personal Data Protection Law, lending personal information for criminal activity wasn't independently prosecuted but addressed through other offenses like complicity or aiding and abetting, if such involvement could be proven. Those unknowingly involved faced administrative penalties.

The new law designates this as a prohibited act, providing a framework for clearer administrative penalties and potentially criminalizing specific offenses in the future.

Children 7 and older have the right to decide how their personal data is handled

The law introduces new provisions absent in Decree 13/2023, concerning the data protection of children, individuals with limited or no civil capacity, and those with cognitive or behavioral difficulties. Their rights will be exercised by their legal representatives.

For children 7 and older, disclosing their private or confidential information requires consent from both the child and their legal representative (parents or guardians).

Consent isn't required in certain cases, such as government activities, state management, emergencies, preventing riots or terrorism, and combating crime.

Personal data can only be disclosed for specific, lawful purposes within defined scopes and with the data subject's consent.

Violations can result in fines up to 3 billion VND or criminal prosecution, depending on the severity. Buying or selling data can lead to fines up to 10 times the illegal profits.

Violations of cross-border data transfer regulations can result in fines up to 5% of the organization's previous year's revenue.

Hai Thu

By VnExpress: https://vnexpress.net/cho-nguoi-khac-dung-du-lieu-ca-nhan-cua-minh-de-pham-toi-co-the-bi-di-tu-4921029.html