Vietnamese law on the right to personal data protection in the context of artificial intelligence (AI) development
Regarding the State's responsibility: In the context of strong development of artificial intelligence, the Ministry of Information and Communications (now the Ministry of Science and Technology) issued Decision No. 2259/QD-BTTTT on the strategy for applying artificial intelligence until 2030, emphasizing the viewpoint that the development of artificial intelligence must ensure safety, protect human rights, and not violate ethics or social norms. In addition, Decree No. 13/2023/ND-CP specifically stipulates the State's responsibility in protecting personal data (abbreviated DLCN in this article), including promulgating policies, implementing guidelines, disseminating laws, inspecting, examining and cooperating internationally on data protection.
In addition to the above documents, the State's responsibility in protecting private life is also stipulated in the Civil Code, Penal Code, Criminal Procedure Code, Civil Procedure Code, Publishing Law, Law on HIV/AIDS Prevention and Control, etc. In particular, the 2015 Law on Cyber Security and the Law on Network Information Security add a layer of protection for personal information in cyberspace, requiring state agencies to coordinate with organizations and individuals in processing personal information to ensure data security.
Regarding the rights of individuals: The right to personal data protection is not only the responsibility of the State through the duties and powers of state agencies, but individuals themselves also need legal regulations to proactively exercise the right to personal data protection. Specifically, legal regulations on the right to personal data protection in the context of artificial intelligence (AI) include many important contents. Individuals have the right to be informed about the collection and use of personal data, including the purpose and scope of use; the right to access, request modification or deletion of data if the information is inaccurate or no longer necessary; the right to object to data processing in some cases, especially when used for marketing purposes or automated analysis. The law also requires ensuring data security, preventing unauthorized access and abuse of information.
The 2013 Constitution recognizes the right to protect personal information as a human right. Article 21 emphasizes that everyone has the right to inviolability of private life, personal and family secrets. The 2015 Law on Network Information Security also specifies this right, requiring that information collection must have the consent of the subject, limit the scope of use according to the original purpose, and that information cannot be arbitrarily shared unless there is the consent of the subject or at the request of a competent authority.
Regarding the right to be informed and consent when collecting and using personal information, the 2013 Constitution stipulates that individuals must be informed and have the right to consent or withdraw consent. Article 21 of the 2006 Law on Information Technology prohibits the disclosure of personal information unless otherwise provided by law. In addition, Decree No. 13/2023/ND-CP requires organizations and individuals processing personal information to clearly notify the purpose, type of data, processing method as well as possible risks. Consent must be clearly expressed in writing, voice or confirmation action.
Acts of infringement of intellectual property rights and remedies: Determining acts of infringement of intellectual property rights is an important factor for the State to identify the time and method of protecting intellectual property rights, as well as for individuals to have grounds to request the State to exercise their right to intellectual property rights protection. In reality, artificial intelligence control systems are increasingly used, leading to violations of privacy rights and intellectual property protection. Currently, regulations related to intellectual property rights infringement are scattered in many different legal documents, including Decree No. 13/2023/ND-CP, the Penal Code, the 2018 Law on Cyber Security, and decrees on administrative sanctions.
Firstly, the 2018 Law on Cyber Security is an important basis for regulating acts of violating national security in cyberspace. Clause 1, Article 17 of this Law lists acts of cyber espionage that violate state secrets, business secrets, personal secrets, family secrets and private life. Specific acts include illegal appropriation, purchase and sale, disclosure of information; deletion and damage of data; sabotage of technical measures to protect information; illegal eavesdropping, recording, and filming, and other acts that violate personal privacy.
Second, the 2015 Penal Code (amended and supplemented in 2017) has stipulated related crimes, including: Article 159 deals with the act of violating the confidentiality of correspondence, telephone, and telegrams; Article 288 stipulates the crime of illegally providing or using information on the Internet; Article 291 mentions the crime of illegally collecting and trading bank account information.
Third, Decree No. 15/2020/ND-CP stipulates administrative sanctions for acts of collecting, using, and sharing personal information illegally, without the consent of the subject, or violating regulations on personal information security. These regulations help protect privacy and personal information, but to ensure effectiveness, it is necessary to continue to improve the law, raise public awareness, and strengthen the enforcement capacity of competent authorities.
Fourth, some other specialized legal documents also recognize DLCN as a subject of personal rights and provide measures to prevent violations, such as: The Law on Medical Examination and Treatment 2023 stipulates the right to respect for privacy as stipulated in Article 10. Accordingly, information about health status and privacy recorded in the patient's medical record is kept confidential. In addition, the Law on Medical Examination and Treatment also strictly prohibits the act of erasing or modifying the patient's medical record.
In addition to national law, personal data is also protected by technical measures, regional laws and international treaties (for example, the European Union's personal data protection regulations and conventions related to human rights). Technical measures to protect data and to handle and prevent illegal collection, processing and disclosure of personal data include setting passwords; tightening security; restricting and blocking access; using security software; encrypting data, etc. to prevent risks to personal data. These measures are mainly of a self-protection nature and can be widely and popularly applied by all entities related to personal data.
Artificial intelligence (AI) is considered one of the key technologies in the 21st century, creating a breakthrough in production capacity and improving national competitiveness. Photo: Document
Applying current laws on the right to personal data protection
In 2023, the Government completed Decree No. 13/2023/ND-CP on the protection of DLCN. In 2024, the Government went on to issue Decree No. 26/2024/ND-CP on the management of international cooperation on law and judicial reform. The Law on DLCN Protection is also being developed and is expected to take effect from January 1, 2026. In reality, there has been a certain delay between the legislative work and the actual situation of DLCN infringement in Vietnam; full legal regulations on DLCN protection have not been developed and promulgated in time, and existing documents are only at the sub-law level (issued by the Government). This creates a legal gap, causing difficulties in handling violations. Personal rights are affected, people's trust in the law and authorities is reduced, and at the same time, it creates conditions for hostile forces to distort and sabotage the Party and the State.
On the Government side, many management activities have been carried out, typically Decree No. 13/2023/ND-CP, contributing to building a legal framework and promoting international cooperation. Agencies and units directly responsible for managing compliance with the law on DLCN protection have recently made efforts and achieved certain results. According to statistics from the Ministry of Public Security, from 2015 to 2021, more than 350 cases of disclosure and loss of state secrets on cyberspace were discovered. Of these, the most common cause is that confidential information is publicly posted on websites and electronic information portals of state agencies, accounting for 57.7%. The disclosure of secrets through social media such as Facebook and Zalo accounts for 9.3% and tends to increase. In addition, some cases were leaked through email services such as Gmail and Yahoo, accounting for 1.6%. These figures show that the risk of information security loss is still complicated, requiring tighter management and increased awareness of security in agencies and organizations.
Ministries and management agencies have not effectively applied new security technologies, leading to legal gaps and risks of violating DLCN. Although Decree No. 13/2023/ND-CP has been issued, its implementation is still limited; many individuals are not fully aware of their rights, leading to silence when they are violated, for example by threats to release sensitive information, fraud and property appropriation. Some individuals have proactively reported or sued when their rights are violated, but this number is still low. Many people are not fully aware of their rights in protecting personal information, so they do not know how to take measures to protect their legitimate rights and often remain silent in the face of violations (threats to release sensitive images/information; fraud and property appropriation, etc.).
The act of intruding and disseminating sensitive information not only violates the right to privacy but also seriously damages the honor of individuals. This reality requires strengthening management measures, tightening sanctions for violations and raising people's awareness to protect personal rights in the digital age (1). These acts need to be handled more severely and effective preventive measures are needed.
Handling violations of DLCN currently faces many difficulties due to the insufficient legal framework. Although there are specific regulations, the penalties for violations are still light compared to the consequences they cause. For example, in some cases, violators are only subject to administrative penalties with fines that are not enough of a deterrent, causing violations to continue.
Thus, in reality, the process of perfecting and applying the legal system on protecting DLCN still has many shortcomings, leading to difficulties and obstacles in ensuring privacy and data security in the face of the explosion of artificial intelligence technologies.
Firstly, the legal framework is not complete in the context of artificial intelligence (AI) development in Vietnam.
Regarding the system of legal documents: The current system of regulations on the protection of personal information in Vietnam is contained in many different legal documents, such as the Law on Network Information Security 2015, the Law on Cyber Security 2018, the Law on National Security 2004, the Civil Code 2015, the Penal Code 2015, the Law on Handling of Administrative Violations 2012, the Law on Judicial Records 2009, the Law on Protection of Consumer Rights 2023, the Law on Credit Institutions 2024... In reality, the regulations related to the protection of personal information in these documents lack consistency, each document approaches the issue from a different perspective. This lack of consistency has given rise to overlaps and conflicts between legal provisions, causing many difficulties in applying and enforcing the regulations in practice.
Regarding comprehensiveness in legal regulations: Relevant regulations are largely lacking in specificity and are of a principled or directional nature, creating many challenges for stakeholders, including management agencies and businesses, in interpreting and applying the law effectively. Specifically, the content of "data privacy" has not been clearly defined in a number of legal documents, making it difficult to determine legal responsibility when disputes arise. In addition, standards on network security or the responsibilities of organizations and businesses in collecting and storing user data are still vague, easily leading to legal evasion or violations that are difficult to prosecute. In addition, the structure of regulatory documents and specialized terminology are still inappropriate when they do not specify the obligations of organizations and businesses processing data.
Regarding sanctions for violations: Legal liability for violations of DLCN under current Vietnamese law is still not strong enough to provide a high deterrent. Low penalties not only affect the effectiveness of preventing violations but can also make the issue of protecting users' rights a difficult problem to solve when faced with serious violations in practice.
Vietnam has yet to issue regulations to establish a specialized monitoring agency for the protection of DLCN. This leads to a lack of organizations with sufficient capacity and authority to inspect, handle and monitor compliance with DLCN regulations, causing a large gap in this protection mechanism. In addition, the current Vietnamese legal system also lacks detailed regulations on remedying the consequences of DLCN infringements. In particular, the right to be forgotten in necessary situations has not yet been included in the legal framework, creating a gap in protecting individuals' rights against these infringements.
It is necessary to establish a specialized personal data protection and monitoring agency capable of effectively coordinating and managing data. It is necessary to take advantage of resources from existing units to limit the expansion of the cumbersome state apparatus. This agency will play a central role in building a legal framework for personal data management, providing clear and practical standards for storing, processing and sharing information. At the same time, it must become a trusted address for people to turn to when they need support to resolve issues of violations or abuse of personal information. This agency is also the focal point for coordinating with the police and functional units to detect crimes related to personal data, thereby enhancing the ability to detect and handle violations of the law.
Second, people's awareness and vigilance are still limited while artificial intelligence (AI) makes DLCN violations increasingly sophisticated.
Awareness of personal information protection is still inadequate; DLCN subjects are often careless and readily provide personal information. Currently, most applications and websites have clear warnings about privacy policies. However, most users do not read this policy carefully due to limited time. As a result, individuals implicitly accept all terms without clearly understanding how their data is collected, processed or shared.
In fact, users often agree to let organizations freely process personal data without fully understanding the mechanism of information collection, storage or use. Furthermore, when there is a notification requesting access to contacts, collections or other data files on the device, many users also quickly allow without consideration, unintentionally giving access to all content to that application or website. This is the cause of leakage, appropriation or sale of personal data. Important information such as biometrics, personal history, relationships, health status or finances are often made public, creating conditions for data collection software to exploit. In addition, some officials, civil servants and public employees still do not fully understand the provision and management of personal records or related data, leading to a lack of attention in directing, guiding and performing archiving tasks at agencies and units.
Data storage, preservation and processing have revealed many limitations in the context of the increasingly developing scientific and technological revolution. Updating and using DLCN in state agencies and organizations is done through many different storage methods, including storing data abroad (such as in the US and Singapore) (2). However, there are still no specific regulations on the responsibilities and management processes for storing and using DLCN from organizations providing rented storage services. At the same time, there is also a lack of supervision from competent authorities for these activities. This negligence has led to an increasing risk of archival documents being degraded or damaged; many documents that are not properly protected have been seriously damaged by insects or environmental factors and cannot be recovered. For electronic data, the lack of regular updates and backup and preservation options has made it difficult or impossible to exploit data when needed.
In addition, many agencies and units only arrange temporary storage with rudimentary storage equipment that does not meet the State's standards for preserving records and archives. Document and archive work plays a very important role in the activities of units and organizations (3). Notably, DLCN when encrypted and stored in the databases of e-commerce sites has become the target of cyber attacks. The failure of enterprises to ensure system security has led to the loss of important databases, posing a major challenge in the management and preservation of digital information.
The dissemination and popularization of legal regulations on the protection of personal information lags behind the development of science and technology. State agencies and organizations have not focused properly on raising awareness and responsibility in protecting personal information. Users are not aware of the importance and lack measures to protect personal information.
DLCN has not yet been exploited and its value has not been maximized in building e-Government, reforming public administration, state management as well as contributing to socio-economic development. The storage of DLCN in state administrative agencies still lacks uniformity. Many documents are in a state of being "unpackaged", "piled up", and have not been fully exploited to create real value. The need to connect, share and use shared databases between ministries, branches and localities has not been effectively met. In addition, although investment projects have been established and included in the plan, up to now, the funding for building a shared database system in the fields of culture, sports and tourism has not been approved. This leads to the fact that state agencies have not been able to exploit, process and analyze DLCN to produce refined data to effectively serve comprehensive socio-economic development.
Data storage, preservation and processing reveal many limitations in the context of the increasingly developing scientific and technological revolution. Photo: nld.com.vn
AI Strategy 2030 and the revolution of personal data protection in Vietnam
Vietnam's strategy for developing artificial intelligence (AI) with a vision to 2030 not only marks remarkable innovation but also demonstrates a steadfast determination to promote the future of AI. However, along with the explosion of AI, the issue of protecting DLCN becomes more urgent when the current legal framework is not comprehensive and effective enough to handle related violations. Based on practice and lessons from other countries, it is necessary to note the following contents:
First, develop separate legal documents on personal data protection.
Vietnam is in the process of drafting the Law on Protection of Personal Data based on references from the laws of other countries and public opinion. The draft law addresses many core points including:
- Scope of application: Protecting data of Vietnamese individuals, organizations and agencies, as well as foreigners operating, living or participating in data processing in Vietnam.
- Protection objects: Including location data, direct identification numbers (such as ID number, CCCD, passport, email), biometric data (fingerprints, DNA), financial information, family and behavioral data, and other types of data that can identify the subject.
- Principles of protection and rights of data subjects: Set out principles such as legality, transparency, and purposefulness; ensure the rights of access, transfer, correction, deletion, and the right to be “forgotten”.
- Regulations on responsibility and handling of violations: Determine the duties and powers of relevant entities (controllers, processors, data protectors and experts) along with sanction mechanisms including compensation for damages, administrative and criminal handling.
- Legal synchronization: The drafting agency needs to closely coordinate with relevant parties, review current documents and clarify the relationship with the 2024 Data Law to avoid duplication and overlap between regulations.
Second, add penalties for violating organizations.
While current laws mainly prescribe penalties for individuals who violate the law, in reality, businesses with the goal of profit have been illegally buying, selling, and collecting DLCN through specialized technical systems. Expanding the form of penalties for violating organizations is necessary to deter and prevent acts of violating people's privacy. If only penalizing individuals, the law may be creating loopholes for legal entities to violate, which is not enough of a deterrent. To have a deterrent effect, for administrative violations of DLCN protection rights, "the illegal profits gained from committing administrative violations will be forced to be returned", for criminal violations of DLCN protection rights, in addition to the above penalties, there should be an additional form of "forced cessation of operations" or "temporary suspension of operations" for violating organizations. Thereby, Vietnam aims to build a comprehensive and synchronous legal system for personal data protection, not only ensuring citizens' rights but also creating favorable conditions for the sustainable development of artificial intelligence in the future.
Third, establish a specialized personal data protection and supervision agency capable of effectively coordinating and managing data. In the world, many countries in the European Union (EU) have established independent data protection agencies and achieved many positive results. These agencies not only assume the role of supervising domestic data processing but also create a bridge for international cooperation, helping to manage and control data related to their citizens when that data is processed abroad. This model not only ensures transparency but also increases the effectiveness in protecting the rights of each citizen against the risk of loss, abuse and infringement of personal data. Vietnam should refer to the experience of these countries to establish an independent data protection agency.
Fourth, increase the level of administrative and criminal penalties for personal data violations. Expanding the penalty framework could include measures such as requiring the return of all ill-gotten gains from the violation. At the same time, more severe sanctions, such as imprisonment for serious or repeated violations, should be applied to enhance the effectiveness of law enforcement. This not only ensures fairness for the affected parties, but is also a drastic approach to raising awareness of law enforcement and privacy protection in the digital age.
Fifth, develop principles for identifying violations instead of listing violations. Currently, the law mainly approaches violations by listing them; in reality, however, DLCN and the issues surrounding DLCN are very diverse and unlimited. Instead of trying to list or make specific assumptions, the future DLCN Protection Law should shift to building guiding fundamental principles. These principles need to help clearly define the rights and obligations of relevant parties, identify violations, create a more flexible legal framework and a clear accountability mechanism. This will encourage parties to proactively promote their interests in DLCN protection, while being consistent with the dynamic development of society and technology.
Sixth, regulate the application of high encryption technology in protecting data of state agencies. It is recommended that Blockchain data encryption technology (4) be applied in the management and protection of personal information of users in the public data system. Data that individuals and organizations use in the process of performing public services can still become a potential target of attack by cybercriminals. Blockchain is currently a new technology, with high applicability and security, suitable for the 4.0 technology transformation process for public administrative agencies. Encryption technology not only helps secure information but also ensures that only authorized individuals can access the stored sensitive data of individuals and organizations. In the context of rapid technological development, the application of advanced technologies in the management of personal information is inevitable. Online surveillance systems, artificial intelligence (AI) technology and big data can be used to monitor system access activities, detect and prevent illegal acts in real time. The combination of law and technology will increase management efficiency, while minimizing potential risks. This encryption also needs to be based on biometric characteristics to limit the leakage of personal information for malicious purposes.
----------------------
(1) See: "Van Mai Huong's series of sensitive clips from security cameras in her private home were leaked?", VietNamnet electronic newspaper, https://vietnamnet.vn/soc-van-mai-huong-bi-lo-loat-clip-nhay-cam-tu-camera-an-ninh-trong-nha-rieng-i39562.html, 2019
(2) Hoang Thi Hoai Tho, “Protection of personal data in the context of the fourth industrial revolution under Vietnamese law”, Master's thesis in law, University of Law - Vietnam National University, Hanoi, 2023
(3) See: Vu Thi To Nga, "Some solutions to improve the efficiency of document and archive work at the People's Procuracy of Son La province", Supreme People's Procuracy's electronic information portal, https://vksndtc.gov.vn/tin-tuc/cong-tac-kiem-sat/mot-so-giai-phap-nang-caohieu-qua-cong-tac-van-th-d10-t7194.html, November 15, 2019
(4) Blockchain is a distributed database system that operates on the blockchain mechanism, in which information is stored in blocks and tightly linked together into a continuous chain, with information encrypted using complex algorithms.
Source: https://tapchicongsan.org.vn/web/guest/nghien-cu/-/2018/1088002/phap-luat-ve-quyen-duoc-bao-ho-du-lieu-ca-nhan-trong-boi-canh-phat-trien-tri-tue-nhan-tao-%28ai%29-tai-viet-nam-va-mot-so-kien-nghi.aspx