Legal inadequacies
Many countries across the world have set legal standards for accessing and using personal information in transactions between individuals and businesses with public authorities. In Vietnam, the term personal information was mentioned in the Law on Pharmacy 2005. Security requirements for personal information in the aviation sector are also mentioned in the Civil Aviation Law 2006. However, specific provisions for the protection of personal information only appeared in the Law on Information Technology 2006. Nonetheless, the Law on Information Technology 2006 regulates the protection of personal information only in the internet environment, not the protection of personal information in general.
Although Vietnam has legal provisions for protecting personal information in various laws, most of these laws are inadequate and have several limitations. First of all, the definition of personal information is not consistent across the legal documents. For example, the definition of personal information in the Law on Network Information Security is far too brief, while Decree 52/2013/ND-CP of the Government on e-commerce is specific and detailed, and contains points whose compatibility with the provisions of the Law on Network Information Security is difficult to assess. On the other hand, the Law on Protection of Consumer Rights 2010 talks about consumer information in Article 6, while the Law on Cybersecurity and Decree 52/2013/ND-CP refer to consumer information as personal information.
The newer regulations currently in force focus on the protection of personal information in the cyber environment, but there are no specific regulations on the protection of personal information in the ordinary, day-to-day traditional environment. This creates a division in legal regulations between real life and the virtual world, which is inconsistent with the future reality of the 4.0 revolution era.
In addition, the Personal Information Protection Law has not kept pace with the practice of using personal data, such as data on personal images like facial recognition technology, biometric data such as fingerprints or iris imagery. Therefore, when enterprises use this data, the question is whether the current regulations on the protection of personal information are applied or not. Hence, stricter measures are needed for businesses that collect and use consumer biometric data.
The reason is that if a person's address and phone number are also classified as personal information, then biometric data, although considered personal information, is much more sensitive than information about a phone number or the name and age of the person concerned. In many countries, there is a provision in the law on the right to overlook some cases, while Vietnam does not have this provision. Vietnam also does not have specific regulations on liability to compensate for damages by a person who commits such a crime of misconduct in the collection and misuse of personal information.
Another limitation is that between Decree 185 and Decree 15/2020/ND-CP on sanctioning administrative violations in the IT field, there is not much difference in the level of fines for the same violation. Although the 2015 Penal Code was amended and supplemented in 2017, basically, there are only some initial provisions in Article 159 on the crime of infringement of secrets, security of correspondence or telephones, or other private information exchange, and in Article 288 on the crime of illegally giving or using information on computer networks and telecommunications networks. However, these two provisions do not specifically and directly address the current violations of the law related to personal information.
Protecting personal data
In 2016, the European Union (EU) issued the General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. It imposed obligations on all organizations, anywhere, that collect data related to people in the EU. The GDPR set harsh fines against those who violated privacy and security standards, with a very high penalty of up to 4% of revenue for the entire financial year prior to the violation. Many European countries have also enacted Laws on the Protection of Personal Information on the basis of the provisions of the GDPR.
In ASEAN, the Personal Data Protection Act was enacted by Malaysia in 2010, Singapore in 2012, and Thailand in 2019. In Northeast Asia, Japan promulgated the Law on Protection of Personal Information for the first time in 2003, fundamentally amending and supplementing it in 2016. South Korea first promulgated the Law on Protection of Personal Information in 2011, and since then this law has been continuously amended and supplemented in 2013, 2014, 2015, 2017, and 2020 to keep up with South Korea's rapid pace of development towards a complete digital economy. In China, on 8 May 2020, the National Assembly promulgated the Civil Code with 1,260 articles divided into 84 chapters, including a separate chapter that stipulated the right to private life and protection of personal information, under Articles 1032 to 1039, along with many other such regulations.
The above facts show that it is time for Vietnam to study and develop a Law on Protection of Personal Information, by amending several provisions on personal information protection already in the Law on Information Technology 2006, Law on Cyber Information Security 2015, and Decree 52/2013/ND-CP on e-commerce. Accordingly, more comprehensive adjustments for the protection of personal information, not limited to the protection of personal information in cyberspace, must be set and implemented. Along with this, there must be strict sanction measures and state management responsibility for the protection of personal information. This will contribute to gaining people's confidence when developing a strong digital economy in the near future.