[Podcast] Data Law – Part 2: Applying the Functional Approach Model in Legislating Data Rights and Some Suggestions for Vietnam

28 May, 2024

Keywords: digital data, personal data, data rights, functional access

Building on the theoretical basis and practical significance of the functional approach model to data law introduced in Part 1, the author group of Ho Chi Minh City University of Economics proposes a number of directions for resolving limitations and offers some implications for synchronizing the legal system in Vietnam’s legislative strategy in the coming time.

To unify the management mechanism for big data in the digital economy, it is necessary to change the approach from management – prohibition (based on the nature of the data) to a more ‘open’ approach, in accordance with the balance of the rights of stakeholders to large volumes of data in the three relationship groups listed in the previous section.

For example, consider the following piece of data: “B is a Vietnamese citizen, whose religion is Buddhism, and likes to watch documentaries”. On its own, this piece of data is not enough to tell whether it is personal data or industrial data; nor can we tell whether it is electronic data, digital data, industrial data, and so on, because we do not know what purpose this piece of data is used for, which use it satisfies, by whom, and how.

On the contrary, if the law regulates based on function, the problem becomes very simple. If this piece of data is held by a state agency to manage civil status and population, we determine that the state has the right to use this data for state administrative management purposes. If this piece of data is controlled by trader A for the purpose of market analysis and providing results for business expansion, this data is processed according to civil and commercial business regulations. If this piece of data remains in the hands of the individual and is shared with friends via messages in a closed conversation group on an online platform, this data sharing is governed by regulations on personal rights in civil law.

The functional approach requires a uniform legal framework, which clearly divides groups of regulated subjects and corresponding regulatory methods. In addition, adjustment methods must be consistent to resolve the conflicts among groups of rights in terms of the same unit or combination of data units; for example, the conflicts between moral rights and property rights in relation to the processing of data containing personal information or the conflict between individual moral rights and state power in collecting and processing population databases.

To do that, first of all, it is necessary to remove bias in the legal framework related to the moral rights of personal data subjects. Accordingly, instead of viewing this as a prerequisite, it is necessary to recognize the rights of personal information subjects (or personal data subjects) as an exception to the rights surrounding the exploitation and the use of personal information data in digital society in general.

When establishing legal relations related to digital data, legislatures and relevant entities should not focus on the nature of the data as personal or industrial data. When it is not being used, data is simply data, without any properties. In other words, what purpose the data is used for and how it is used are what determine the nature of the data.

Upon signing policies and developing laws for data, lawmakers need to consider a combination of three criteria: (1) the uses of data; (2) the perceived harm from the use of data; (3) the prevention regarding the risk of damage.

  1. Uses: In the context of computing, data is created and used for many different purposes, performing different functions. Data law must create the conditions for the use of data so as to promote those functions.
  2. Damage: Damage here includes all damage that has occurred, is occurring, or has not yet occurred to the physical and mental health of organizations and individuals. The use of data carries a potential risk of harm. However, this use itself does not cause damage; rather, the damage comes from the actual and estimated losses to the property and morale of organizations and individuals. Data law must have measures to remedy damages, with a mechanism to evaluate and calculate damages in a reasonable manner.
  3. Risk: Risk provision is associated with predicting damage that will occur in the use of data. Data law must envisage the principles to minimize the perceived damages and to develop the regulations to overcome the consequences of data misuse.

In the context of Vietnam’s current legal framework, applying the functional approach is feasible, with the following highlights in the upcoming legislative strategy:

Firstly, limit the specific recognition of data subject rights associated with any particular type of data, whether data or data belonging to business secrets. Instead, it is necessary to interpret and to clarify the legal principles governing personal relationships, property relationships and existing state administrative management relationships, creating a foundation for application towards the activities related to data processing.

Secondly, increase the responsibility and the risk prevention obligations of subjects related to digital data in legal relationships. For data under the control of state management agencies, management agencies need to handle this data in accordance with basic principles of law, namely respecting the right to access information and the rights regarding private life, personal secrets, family secrets, the freedom to do business and to use assets in business, in addition to the principles of state administrative management. For data that is not within the scope of state secrets, rights over it need to be exercised in accordance with the right purpose, with responsibility taken when violations occur and risks prevented through legal measures.

Thirdly, when applying laws related to data rights, it is necessary to take into account the characteristics of the industry, the profession, or the operation field of the organization or individual in that legal relationship. This is to ensure that the uses of digital data, the possible harm and the risks are fully assessed in the specific industry, and that the same policies are not applied to all data processing activities.

Fourthly, create a legal corridor for the relevant parties that participate in building a code of conduct based on systematic risk assessment. Stakeholders will participate in predicting and evaluating potential risks corresponding to their relevant fields. These risks, along with legal measures to prevent and control them, will be compiled by a specialized agency (not necessarily a state agency) and built into a set of “systematic risks” related to digital data.

On that foundation, each stakeholder will participate in developing components of the Code of Conduct corresponding to their field. This code of conduct can be adopted by a decision of state power, and serves as a “soft” law providing general guidance for industries and different data processing contexts. The development of a code of conduct based on these stakeholders is consistent with the proposal to develop a general law on data protection that is uniform, and can be applied to all contexts in social-economic life.

Fifthly, regulate the obligation to periodically inspect and self-audit risks for organizations and businesses. At the same time, regularly create forums for organizations, businesses, and individuals to make suggestions, adjustments, and develop terms and conditions of service use, advertising and communication, as well as other services that pose a systemic risk to data.

Sixthly, it is necessary to move from a pre-inspection model to a post-inspection model for the functions of the existing data protection agency. With the post-audit model, regulators only need to conduct periodic reviews and inspections of compliance activities and data protection practices of organizations and individuals. The content of assessment and inspection will be compliance with data protection laws and the level of compliance with the Code of Conduct previously developed by organizations and individuals on a voluntary basis. However, a single test should not be applied to all subjects in different industries, occupations, and fields; rather, subjects should be encouraged to voluntarily and proactively propose tests appropriate to the realities of their field of activity.

Please refer to the full research “Legal approach towards digital data and mechanism to adjust the right regarding digital data in Vietnamese laws” HERE.

Author group: MSc. Huynh Thien Tu, MSc. Le Thuy Khanh, School of Law – University of Economics Ho Chi Minh City (UEH).

This is an article in the series of articles spreading research and applied knowledge from UEH with the “Research Contribution For All – Nghiên Cứu Vì Cộng Đồng” message. UEH cordially invites dear readers to look forward to the upcoming UEH Research Insights ECONOMY No. #112.

News & photos: Group Author, UEH Department of Marketing & Communication