Legal Reform Meeting the Need for Personal Data Protection in Digital Transformation
7 March, 2022
Vietnamese context of personal data protection policy
The process of shaping the fourth industrial revolution (Industry 4.0) has been creating new values, which are expected to bring prosperity and change the balance of social equality. This innovation is marked by the rapid development of modern information and telecommunications technologies, associated with the scale of their wide application in social life. For technology to function as expected, data must play a central role. Data is a key resource in the digital economy (European Commission, 2017).
Nevertheless, due to its value and potential, data has become a target of cybercriminals. Among the data serving the process of economic development model innovation, besides industrial data, personal data is the most seriously compromised (Higham, 2016; Rob Sobers, 2021). In Vietnam, the infringement, theft and sale of personal data online has been taking place openly and boldly on open forums, with increasing severity and at a larger scale and with greater technical sophistication than ever (Anh Quan & Thanh Luan, 2021; Hackers sale dozens of GB data of Vietnamese citizen and business, 2021).
Facing the above situation, policy makers must continuously innovate methods of checking and monitoring personal data protection to meet the needs of industrialization and modernization in the new situation. Decision number 2289/QD-TTg dated December 31st, 2020 of the Prime Minister, promulgating the national strategy on the fourth industrial revolution to 2030, clearly stated the guiding position that regulatory reform to create appropriate standards of behavior in the digital environment, especially regarding the legal provisions on protection of personal information, is extremely urgent.
Inadequacies of current Vietnamese personal data protection mechanism
The current Vietnamese law governing this issue has the following shortcomings: (1) Vietnamese law currently takes a ‘static’ approach, strictly stipulating the necessary measures and processes for collecting users’ personal information right at the input stage, when users have just started to register to use services and products. This approach exposes many inadequacies and creates significant obstacles to the digital transformation process; (2) There is no unified framework of principles on personal data protection; instead, regulations are scattered across diverse documents in different fields; (3) There is no clear and unified definition of the concept of ‘personal data’; (4) There is no mechanism to resolve the conflict between users’ personal privacy and business ownership in digital transformation activities.
The question is whether there is a cross-cutting principle for developing a legal framework on personal data protection in Vietnam, and how to build such a framework around the privacy of data subjects while balancing it against the interests of data processing subjects.
The concept of ‘Personal data protection’
First of all, it is necessary to consider how the rights to personal information are perceived. On the rights to personal information in the digital environment, most current opinions hold that they derive from the right to privacy, which is considered one of the fundamental human rights established in the Universal Declaration of Human Rights (UDHR, 1948) and the International Covenant on Civil and Political Rights (ICCPR, 1966). However, another viewpoint is that the right to data is not an extension of the right to privacy but a right of its own. Specifically, the right to data is understood as the right of an individual subject to require other subjects to apply appropriate and legitimate procedures when transmitting their personal information (appropriate flow of information) (H. Nissenbaum, 2011; H.F. Nissenbaum, 2010). Understood in this way, personal data protection does not mean giving the subject complete control over how his personal information is put to use in the digital environment. Rather, it means protecting the accuracy of personal information during processing, empowering the data subject to be aware of the purposes, methods and objects of information processing and transmission, and, concurrently, creating the obligation of the processor to ensure that personal information is processed and transmitted in accordance with the rule of law and social ethics. Therefore, the law, instead of focusing too much on empowering individual users to intervene in the enterprise’s business database, should only create a cross-cutting set of principles for data processing and transmission, concentrating on promulgating technical regulations and codes of conduct for data processing subjects (Tuomas Pöysti, 2019).
International Legal systems protecting personal data
It would be a shortcoming not to mention the leading legal system in protecting personal data today: the European Union’s General Data Protection Regulation (GDPR). The GDPR sets forth four main principles: (1) The principle that data processing must be conducted lawfully; (2) The principle that the information subject is aware of the processing; (3) The principle of minimizing data processing; (4) The principles of safety and confidentiality for data. These principles are currently considered the legislative model for personal data protection regulations globally, including those in the ASEAN region (The EU GDPR’s Impact on ASEAN Data Protection Law, 2019). In particular, these principles are also reflected in new provisions in the Seventh Chapter of the Civil Code of China (Civil Code of the People’s Republic of China, 2020). Both the EU’s common legal framework and Chinese law define the processor’s obligations and responsibilities for personal data processing and give the information subject the right to intervene in the process as well as how the data is handled by the subject matter. On the other hand, giving too much power to the subject has created the phenomenon of ‘Consent-inflated’, causing the subject to become too ‘obsessed’ with the consultation procedures to the point where the efficiency and significance of the consent procedure can no longer be achieved (H. Nissenbaum, 2011; Tuomas Pöysti, 2019).
In other words, the validity of the principle of the subject’s will becomes weaker; in addition, the compulsion to obtain the will of the subject through the procedural transactions set out in the law will create unnecessary obstacles, affecting freedom of business and development under a new growth model during the fourth industrial revolution (Tuomas Pöysti, 2019).
The starting point of the legal framework on personal data protection in Europe and China is to protect the privacy of individuals, on the foundation of promoting the protection of personal information in the face of paradigm changes towards information technology application in Industry 4.0.
Legislative proposal on personal data protection needs in Vietnam
From our selective reference to the laws of other countries, this study proposes two groups of general principles to develop a legal framework for personal data protection in Vietnam: (1) Ensuring the rule of law in society, meaning synchronizing the legal system; (2) Ensuring national sovereignty and balancing interests among entities on the basis of upholding the free will of the involved parties in legal relations.
From the above two main principles, this article presents specific recommendations for future legislative work and policy implementation as follows:
In terms of the legislative work of the Vietnamese National Assembly: First, it is necessary to recognize the moral rights of individuals to personal information through clear, precise and unambiguous provisions in the Vietnamese Civil Code. Second, it is necessary to issue a separate law on the protection of personal data, which develops clear and accurate criteria for classifying personal data so that each type of data has a suitable method of regulation. Third, it is necessary to build a correct, concise and clear system of rights and obligations, upholding agreement between equals in data processing relationships, which includes: (1) The right to clear and accurate information in connection with the processing of one’s personal data; (2) The right to be aware of who is responsible for the processing of one’s data; (3) The right, to the extent reasonable, to request that the data processor correct, rectify and cease processing one’s personal data; and (4) The right to complain, reflect, and express opinions regarding the processor’s data processing and the right to request an audit certificate of the safety of the data processing.
In terms of the work of regulation-making and management agencies: First, it is necessary to develop a mechanism to allow and encourage enterprises and organizations to develop their own set of technical, safety and security regulations for the processes, technology and database systems used for data processing, and to create a proactive basis for businesses to fulfill their obligations with respect to the data they process. Second, it is necessary to set up a specialized department to receive reports and complaints regarding cases of breach of obligations in handling personal data or cases of system data leakage.
In terms of additional enterprises, organizations and individuals that process personal data:
It is necessary to actively comply with the above principles right from the beginning of setting up the system and business model, so that the privacy protection principle is integrated by default into the technology and business model design from the outset; in addition, a risk-prevention mechanism and safety measures should be established so that personal data, in case a cybersecurity incident occurs, is guaranteed to be fully updated and safe in a backup system.
To sum up, this article has affirmed that the privacy protection approach based on giving data subjects absolute rights to keep confidential and dispose of personal data is ineffective without a proper awareness of privacy in the Industry 4.0 context and a clear set of principles for handling personal data as the foundation. Instead of stipulating a list approach with more efforts for assumptions, the future Personal Data Protection Law needs to focus on providing premises and guiding principles for delimiting the parties’ rights and obligations, creating an open and flexible legal corridor and accountability mechanism for the parties to actively promote their rights related to personal data.
Please refer to the full research “Legal Reform Meeting the Need for Personal Data Protection in Digital Transformation” here. Author group consists of: MSs. Huỳnh Thiên Tứ, Dr. Dương Kim Thế Nguyên, MSc. Lê Thùy Khanh, MSc. Mai Nguyễn Dũng – Law Department, UEH School of Economics, Laws and Governmental management.
This article is part of the series spreading research and applied knowledge from UEH with the message “Research Contribution For All – Research for the Community”. UEH would like to invite dear readers to look forward to Newsletter ECONOMY NO. #30 “DIGITAL TRANSFORMATION IN AGRICULTURE AT VIỆT NAM”.
News, photos: Author group, UEH Department of Marketing – Communication.