Protecting personal data is not a simple issue, especially when it is placed in the context of integration, when surveillance and personal data collection activities are taking place on a large scale and the Vietnamese legal system regulating this issue is still in the process of being developed and completed.
Vietnam is one of the countries with the highest speed of Internet development and application in the world, with nearly 80% of the population using it. Personal data of 2/3 of Vietnam's population is stored, posted, shared and collected in cyberspace in many different forms and levels of detail.
In 2022 and 2023, Vietnam prosecuted 5 criminal cases involving thousands of GB of data and billions of pieces of personal information being bought and sold. This shows that it is urgent to improve the law on personal data protection based on research and reference to international law.
International law on personal data protection
European Union (EU) General Data Protection Regulations (GDPR). GDPR is considered a major legal step forward, creating the strictest personal information protection mechanism in the world today, and is applicable to all organizations and businesses processing personal data of people in the EU.
GDPR applies uniform penalties for corporate violations across the entire bloc. Specifically, the fine is a maximum of 2% of revenue or 10 million euros for minor violations, and 4% of revenue or 20 million euros for major violations. In addition to fines, businesses that violate GDPR may also be subject to other sanctions such as being forced to stop data processing activities or delete data that has been processed in violation of GDPR.
The EU's personal data protection authority is the EU Data Protection Supervisor (EDPS), an independent body whose members are lawyers, IT experts and experienced administrators.
This agency has the main function of supervising the processing of personal data in EU agencies and organizations as well as advising on issues related to personal data. GDPR also requires the establishment of a Personal Data Protection Authority in each member state, such as a National Commission for the Protection of Personal Data (France, Ireland...) or a Data Protection Ombudsman (Finland, Latvia...).
Along with the EDPS, the EU also established the European Data Protection Board (EDPB), consisting of representatives of the national data protection authorities of member states and representatives of the EU. It functions as an independent lead advisory body on personal data protection issues and is responsible for the consistent application of GDPR across the union.
GDPR provides highly deterrent sanctions, both material and non-material. In addition, the EU's personal data protection agency is organized according to the Commission/Commissioner model, so it has great powers and independence when applying sanctions against organizations that violate regulations on personal data protection, and it can independently evaluate and decide on the processing of personal data.
China's Personal Information Protection Law (PIPL), promulgated in 2021, is considered the first comprehensive, national-level personal information protection law in China. PIPL offers a relatively unified view of personal data/personal information as information intended to identify a specific individual, targeting a narrow audience of individuals within the territory of China (Article 4 Chapter 1 PIPL). At the same time, the provisions on sensitive personal data establish the rights and obligations of the parties regarding more specific data groups.
Sanctions for violations of personal data rights under PIPL are very strict, such as forced remediation, confiscation of illegal income, suspension of services, revocation of operating or business licenses, and a fine of up to 50 million yuan or 5% of an organization's annual revenue in the previous financial year. In addition, violations can also be recorded in the processor's “credit file” under the national social credit system.
Furthermore, processing units will be responsible for compensation if they violate the rights and interests of organizations and individuals. Criminal sanctions for these types of violations are also specifically stipulated by the Chinese Penal Code, which stipulates heavier criminal liability for those responsible for information security; in addition to confiscation of property, life imprisonment is the maximum penalty.
Singapore's Personal Data Protection Act (PDPA) adopted in 2012 (revised in 2020). Singapore law recognizes the right to protect personal data as well as the need for organizations to collect, use and disclose information for purposes appropriate to the given circumstances.
The PDPA also provides for stiff financial penalties for data breaches. Violators will be subject to fines or imprisonment. The fine depends on the nature and severity of the act, ranging from 2,000 to 100,000 SGD (equivalent to 1.6 billion VND) and/or imprisonment for no more than 12 months; in serious cases, it can be up to 3 years [1]. Violating agencies and companies may be fined up to 10% of annual revenue.
The agency that plays an important role in ensuring enforcement of the PDPA is the Personal Data Protection Commission (PDPC). This is a specialized agency with great powers and broad enforcement capabilities: it has the right to request individuals and organizations to provide information and documents related to the processing of personal data, to impose financial penalties for violations, and to handle them by other measures.
Singapore's Personal Data Protection Commission, established as a specialized agency, works independently and proactively in detecting and handling violations, and its application of sanctions is also one of the conditions for personal data protection in Singapore to be effectively enforced.
Recommendations to improve personal data protection laws in Vietnam
Currently in Vietnam there are 69 legal documents directly related to the issue of personal data protection, including the Constitution, Code (4), Law (39), Ordinance (1), Decree (2), Circular/Joint Circular (4), Decision of the Minister (1).
These documents basically approach the issue of personal data protection in the direction of promoting the principle of ensuring the privacy of the subject's private life; however, they contain different regulations on information related to personal data, addressing issues of rights and obligations of subjects, information processing, and personal data protection methods. Vietnam's laws regulating personal data protection have achieved some remarkable results, especially on April 17, 4, the Government issued Decree No. 2023/12/ND-CP on personal data protection - this is a separate document regulating this issue in our country. These legal documents have created a legal corridor for the protection of personal data: they specify the rights of data subjects as well as processing parties, stipulate sanctions for violations of personal data protection, and identify the specialized agency for personal data protection, which is the Department of Cyber Security and High-Tech Crime Prevention under the Ministry of Public Security...
Vietnam is having to deal with many risks, challenges, and dangers from cyberspace, especially the leak and appropriation of personal information and data, causing many harmful effects to citizens and society.
However, the actual implementation of these documents has also revealed many limitations: the current separate legal document is only at the Decree level, which does not match the importance of protecting personal data; many contents are regulated in a general and unclear manner, leaving their application without specific instructions for each case; and sanctions are still light and not enough to deter...
Faced with this situation, continuing to improve the law on personal data protection in Vietnam has been an issue that needs attention and research based on reference to experience from other countries. Specifically:
First, develop a Law on personal data protection. In the context of the 4.0 industrial revolution, on a regional and national scale, 80 countries have issued their own legal documents protecting personal data. Vietnam needs to soon research and promulgate a general, specialized law on data, such as the Data Privacy Law like the EU, China or Singapore, which defines the basic issues and principles for personal data protection. The promulgation of a separate law on personal data will be an important legal basis for protecting personal data, given that the legal documents currently related to this issue in our country are not consistent even in the use of terminology, let alone in the content of their regulations.
Second, amend and supplement sanctions for personal data violations, making them more severe so that they are commensurate with the nature and extent of the violation. Although sanctions for personal data violations have been prescribed in our country, including administrative, civil and criminal ones, they are generally quite light and do not have a high deterrent power. The main method today is still to apply sanctions for administrative violations, but the regulations are scattered across many Decrees with quite low fines, the highest being 100 million VND for individuals and 200 million VND for organizations.
Meanwhile, the damage that administrative violations of personal data can cause is not only material but also affects honor and dignity. In addition to administrative sanctions, criminal sanctions for violations of personal data appear only in the regulations on privacy and on the field of information technology and network security in Article 159 and Article 288 of the current Penal Code, which carry a relatively low prison sentence of no more than 7 years and a fine of no more than 1 billion VND. This fine, when compared to the EU's 20 million Euro, Singapore's 1 million SGD or China's life sentence, is still very low and not commensurate with many violations.
At the same time, it is necessary to regulate more groups of behaviors that are not currently mentioned in the law such as large-scale data trading, setting up systems to violate data, violations in marketing service business...
Third, about the model of personal data protection agency in Vietnam. Currently, the Department of Cyber Security and High-Tech Crime Prevention and Control under the Ministry of Public Security is the specialized agency for personal data protection. With reference to international regulations, we can consider building an independent personal data protection agency responsible for implementing the Personal Data Protection Law, conducting inspections and testing, issuing instructions, guidance and recommendations, and applying sanctions for violations, if any.
We can refer to these models in the EU or Singapore... for highly effective law enforcement to protect personal data, balancing the protection of individual rights and ensuring network security.
Protecting personal data is not a simple issue, especially when it is placed in the context of integration, when surveillance and personal data collection activities are taking place on a large scale and the Vietnamese legal system regulating this issue is still in the process of being developed and completed.
Researching international law on this issue with reference to the practical situation in Vietnam will help us soon build a legal framework for comprehensive personal data protection that is compatible with international law and effective in implementation.
1 https://nhandan.vn/chu-trong-bao-ve-du-lieu-ca-nhan-post780834.html