Nowadays, with beginning of industrial revolution 4.0, the globe has created and produced a new resource known as "Big Data". As a result, technology businesses will exploit, analyse, and transfer this data to companies and corporations in need of consumers finding, work efficiency improvement, and also business risks reduction.
However, it is hardly avoidable to gather "Personal Data" in order to collect a large amount of data. In fact, the personal information is currently referred as a kind of commodity for sale or even being expropriated, and utilised illegally. This issue affected many people's lives by disturbing them with unwanted advertising phone calls, spam, and even the risk of revealing their privacy.
Thus, the purpose of this article is to define duty of agencies and personal data collecting organizations in accordance with the Law of Viet Nam.
1. Concept of the Personal Data
The Vietnamese laws does not have an exact definition of “Personal Data”, however, we have an equivalent concept of “Personal Information”.
The personal information was previously regulated by Decree 64/2007/ND-CP, which stated: "Personal information is the sufficient information to accurately identify an individual, and includes at least the contents of the following information: full name, date of birth, occupation, title, contact address, email address, phone number, identity card number, passport number. The information of personal privacy contains medical records, tax records, social insurance card numbers, credit card number, and other personal privacies.”
According to this regulation, the personal information must be the information helping us to identify a specific person. In fact, however, there are some pieces of information being useless for identificating when they stay alone, but in combination with other information, they can lead to the personal identification.
Therefore, Proposed Decree on Personal Data Protection has a definition as follows: "Personal data is data of an individual or relating to the identification of or possibly identificating to a particular individual." . In addition, the Personal data is also divided into two categories in the draft: Basic Personal Data and Sensitive Personal Data .
It can be seen that the proposal has embraced legislation of personal data re-defining from advanced countries around the world, and the similar regulation expressed in the EU's General Data Protection Regulation. (“GDPR”): “Personal data means any information relating to identification of or possibly identificating to a natural person (‘data subject’); the natural person is one who can be identified as an identifiable person, directly or indirectly, in particular by referring to some identifications such as name, identification number, location data, an online identification number or one or more specific factors of physics , physiology , genes , mentality, economic, culture or society of that natural person;”.
Although the proposal has not been an official legal document, it has contributed to a valuable concept development of the personal data. From the mentioned concept , it can be understood that “Personal Data” refers to the datas which can be used, alone or in combination with other datas, which can lead to a specific person's identification.
2. Protection of personal data under Vietnamese law
Currently, Viet Nam still has no unified legal document stipulating issues relating to the personal data and personal data protection. Instead, this right is protected by various legal regulations such as Law on Electronic Transactions ("LET"), Law on Information Technology ("LIT"), Law on Protection of Consumer Rights ("LCPR"), Law on Cyber Information Security ("LCIS"), Law on Cyber Security ("LCS"), Decree No. 52/2013/ND-CP on e-commerce and Decree No. 72/2013/ND-CP on management, provision and use of Internet services and information on the internet…These documents have contributed to establish a legal framework of the personal data protection. Therefore, we can determine the obligations of enterprises and organizations that use using personal information as follows:
a. Some definitions
- Subject of personal information is understood as person identified from that personal information.
- Information processing is understood as performance of one or some activities of gathering, editing, using, storing, providing, sharing and distributing personal information on the social network for commercial purposes.
b. Organizations and individuals’ responsibility of personal data processing
- Consent: In order to process a person's personal data, initially, a consent of that person is required, except for cases that the information is gathered for the following purposes:
• Signing, amending, or performing contract of the use of information, products, and services in the network environment;
• Calculating prices and charges for the use of information, products, and services in the network environment;
• Perfoming other obligations in accordance with the Law.
- Information transparency: Organization and individual have responsibility of notice to the information subject about the form, scope, location, and purpose of gathering, processing, and using that person's personal information , as well as publicly announcing their organization's and individual's solution of processing and protecting the personal information.
- Infrastructure ensuring: Organization processing the personal information must apply appropriate managing and technological solution to protect their collected and archived and must comply with conditions and technical standards to ensure that the data is not stolen, revealed, changed, or destructed . Also, the organization and individual processing personal information, as soon as possible, must have remedies, prevention when an incident of network information safety happens or possibly happens.
- Storage obligations: The LCS requires the enterprises (domestic and international) which have the activities of gathering, exploiting, analyzing , and processing data relating to personal information and data of relationship service, data users created by service user in Viet Nam must be stored in Viet Nam during a period in accordance with the Government’s regulation. In addition, when aim of use has been completed or the storage time has expired, the organization processing personal information must destruct the stored personal information after completing purpose of using or meeting due date of storage.
- Data transfer: The organization processing the personal information will not be provided, shared , spreaded their personal information, collected, accessed, and controlled, to third parties, except for an agreement from the subject of this personal information or a State authority’s order.
- Commercial presence in Viet Nam: Article 26.3 of the LSC requires foreign organizations when providing service in the Vietnamese social network and have the activities of processing the personal information created by the service user in Viet Nam, must establish a brach or representative office in Viet Nam.
Currently, it can be seen that, although some laws have stipulated the organizations’ obligation in terms of data/personal information protection. However, these are still dispersed regulations in various laws without unification, so a unified document of the personal data protection is necessary. In addition, the enterprises also need to enhance their complying responsibilities of legal regulation of gathering, processing the personal information, and also ensure the right of the personal information’s subjects.