Chu Thi Hoa, LL.D
Deputy Director, Institute of Legal Studies, Ministry of Justice
Vietnam’s current legal provisions on personal data protection
It can be said that Vietnam’s legal provisions on protection of personal data are rooted in the right to privacy - a fundamental human right. There is a general principle enshrined in all provisions on personal data protection in Vietnam’s legal documents: personal data is protected and other subjects may use personal data only if data subjects so agree, unless otherwise provided by law; violators are subject to administrative and criminal penalties, and data subjects suffering from personal data intrusion are entitled to damages.
This spirit is expressed throughout the legal system, from the 2013 Constitution to a series of codes and laws, including the 2015 Civil Code, 2015 Criminal Procedure Code, 2015 Civil Procedure Code, 2016 Law on Information Technology, 2015 Law on Cyberinformation Security, as well as sub-law documents such as governmental decrees on sanctioning administrative violations in the fields of post and communications, information technology, among others.
Legal issues concerning personal data protection
Firstly, Vietnam is yet to have a law on personal data protection or a common understanding of “personal data” and “personal data protection”. Vietnamese laws currently use about 10 terms such as: “personal information”, “private information”, “digital information”, and “personal information on the Internet” with different interpretations, other than “personal data”. Each legal document has a different way of defining personal information and private information.
For instance, the term “personal information” is used in five legal documents, including the 2015 Law on Cyberinformation Security; Decree 85/2016/ND-CP on security assurance for information systems; Decree 72/2013/ND-CP on management, provision, and use of Internet services and online information; Decree 52/2013/ND-CP on e-commerce; and Decree 64/2007/ND-CP on application of information technology in state agencies’ operations. In addition, these documents have contradictory interpretations of “personal information”, e.g., Decree 52 of 2013 asserts that “personal information referred to in this Decree does not include work contact information and other information that the individual himself/herself has published in the mass media”, while Decree 72 of 2013 provides that “personal information means information associated with the identification of individuals, including names, ages, addresses, people’s identity card numbers, phone numbers, email addresses and other information defined by law”, irrespective of whether it has been publicized or not.
The expressions “private information”, “information privacy”, “confidential information”, “digital information”, and “personal information on the network environment” are used in four legal documents (the 2013 Constitution, 2009 Law on Telecommunications, 2006 Law on Information Technology, and Decree 72/2013/ND-CP).
Terminologies such as “information on private life, personal secrets, and family secrets” are used in the 2013 Constitution, 2015 Civil Code, 2016 Law on Access to Information, and 2016 Law on Children.
In terms of legislative techniques, Vietnam currently does not have a separate, comprehensive and consistent law to protect personal data. As a result, a number of legal documents regulating the protection of personal data are conflicting, overlapping, inadequate or unsuitable.
Secondly, the current penalties for violations are not deterrent enough. Under Decree 174/2013/ND-CP on sanctioning of administrative violations in the fields of post, telecommunications, information technology and radio frequency, the maximum administrative fine for the act of intrusion of privacy is VND 70,000,000 (approximately USD 3,000) and the maximum criminal fine is VND 200,000,000 (approximately USD 8,600). These are quite low compared to the sum of EUR 20,000,000 laid out in the European Union’s General Data Protection Regulation and do not correspond to the seriousness of the intrusion of privacy or personal data. In addition, there is a lack of criminal liability provisions for infringements of the right to protection of personal data.
Thirdly, there is a lack of provisions on sensitive personal data, i.e., personal data concerning racial origins, political views, religious beliefs, social organization participation, or health records. These are likely to be collected by local authorities for e-government systems, e-health, e-welfare, and so on, in smart cities.
Fourthly, Vietnam does not have a comprehensive law on personal data protection. Instead, this matter is governed by various laws and decrees (about 70 documents). Nevertheless, all current related provisions are in the form of general principles. Besides, they are not only insufficient but also contradictory, causing difficulties in law enforcement. For instance, the 2015 Law on Cyberinformation Security provides that “processing of personal information means the performance of one or some operations of collecting, editing, utilizing, storing, providing, sharing or spreading personal information in cyberspace for commercial purpose.” This definition is broader than that in the 2006 Law on Information Technology, which excludes “collecting” and “utilizing” personal information. The 2006 Law on Information Technology requires individuals and organizations to notify the personal information subjects of the scope, purpose, form and place of collecting and utilizing personal information before doing so, while the 2015 Law on Cyberinformation Security only requires them to notify the scope and purpose thereof.
Fifthly, there exists a loophole in personal data protection regulations. First and foremost, there are no definitions of “personal data” and “personal data protection”. Hence, it is necessary to put forward these definitions and build a common understanding.
Taking citizens’ fingerprints serving the issuance of ID cards (Photo: Thanh Dat/VNA)
Lack of regulations on handling personal data-related offenses
Sale and purchase of personal data
The current legal system lacks a mechanism to handle the sale and purchase of personal data, which have become more common. According to Joint Circular 10 of 2012, jointly issued by the Ministries of Public Security; National Defense; Justice; Information and Communication; the Supreme People’s Procuracy and the Supreme People’s Court to guide the application of the Penal Code’s provisions on some information technology- and telecommunications-related offenses, the act of selling and buying personal information does not constitute a crime without proof of it “causing serious consequences”. For years, the Police Department for High-Tech Crime Prevention (C50) has conducted many investigations into the sale and purchase of personal information on the Internet. Due to legal obstacles, those cases often get transferred to Departments of Information and Communications for administrative violation handling.
Infringement of protected rights to personal data
The 2015 Penal Code provides for the “infringement of secret information, mail, telephone, telegraph privacy, or other means of private information exchange” and the “illegal provision or use of information on computer networks or telecommunications networks”. However, these provisions have not been updated to cover existing illegal acts relating to personal data.
Cross-border transfer of personal data
At present, more and more private enterprises enter into public-private partnership contracts with state authorities to provide public services to people. Who, then, would control the data generated? How should cross-border transfers of personal data by enterprises be regulated? These questions remain unsolved.
Making a law on personal data protection
It is urgent to codify the provisions scattered in various legal documents into a law on personal data protection which should, first of all, straightforwardly define the concepts of “personal data” and “sensitive personal data” and clearly distinguish “personal information” from “personal data”.
Specifically, personal data should be interpreted to be data on individuals or relating to the identification or ability to identify a specific individual. Fundamental personal data then include: full name, middle name, birth name, alias (if any); date of birth; date of death or missing; blood type, gender; place of birth, birth registration place, habitual residence, temporary residence, hometown, contact address, email address; academic level; ethnic group; citizenship; phone number; ID number, passport number, citizen identification number, driver’s license number, license plate number, personal tax identification number, social insurance number; marital status; and data reflecting activities or history of activities on cyberspace. Meanwhile, sensitive personal data should include personal data on political and religious opinions; health condition; genetic information; biometrics; gender status; finance; actual geographical position in the past and present; social relationships; personal data about life and sexual orientation; personal data about crimes and criminal acts; and other personal data specified by law and in need of necessary security measures.
The law should also contain provisions on rights and obligations of parties with regard to personal data, including: rights of data subjects; obligations of the Government and subjects collecting and processing data; obligations of third parties. Furthermore, although Vietnam’s law recognizes the general principle of prohibiting acts of providing, trading in, transferring, storing and using information in violation of regulations on information security, all legal documents center on the protection of national secrets, military secrets, etc. The law, therefore, should specifically provide for acts prohibited in collecting and processing personal data so as to create a legal basis for setting out penalties.
Issuing new legal documents to overcome existing legal gaps
The Supreme People’s Court should issue instructions or judicial precedents to guide the settlement of actual damage compensation for data subjects due to violations, in addition to penalties for acts of infringement. At the same time, it is necessary to devise provisions on criminal liability for acts of infringement of the right to protection for personal data as stated in the Penal Code.
* The article is part of the outcomes of the national-level independent research entitled “Improving institutions of the socialist-oriented market economy under the impacts of the Industrial Revolution 4.0: Fundamental legal issues.”