Human rights viewed from illegal sales of personal information
Illegally holding, trading, or transferring another person's personal information without authorization is an infringement of privacy, one of the fundamental human rights.
Privacy is one of the fundamental rights, closely related to self-esteem and human dignity. "Privacy gives each individual space to be himself without being unjustified by others, allowing each person to think freely without discrimination, as well as the ability to control who knows what about himself".
Privacy was noted in the 1948 Declaration of Human Rights (Article 12) and the Civil and Political Rights Covenant, 1966 (Article 17): "No one is arbitrarily or illegally interfered with in private life, family, housing, mailing, or other unlawful infringement of honor or prestige. Everyone has the right to the protection of the law against similar interference or abuse".
Recently, in Vietnam, local media have reported many cases of personal information disclosure caused by business entities, as well as the illegal trading and transfer of personal information.
Against this background, Dr. Nguyen Van Cuong, Director of the Institute of Legal Science, Ministry of Justice, analyzed the achievements, pointed out the basic limitations of the current law on the protection of personal information in Vietnam, and proposed solutions.
Current laws on the protection of personal information
According to Dr. Nguyen Van Cuong, in Vietnam, the term "personal information" was mentioned in the Pharmaceutical Law 2005, and the requirement of personal information security in the field of aviation was mentioned in the 2006 Civil Aviation Law. However, specific regulations on the protection of personal information only appear in the 2006 Law on Information Technology, and that law only stipulates the protection of personal information in the cyber environment; it does not contain general provisions for the protection of personal information.
Particularly in the field of e-commerce, Decree No. 52/2013/ND-CP on e-commerce contains many important regulations on the protection of consumers' personal information. The Civil Code 2015 added regulations on the "right to private life" (Article 38) in addition to the contents on "personal secrets" and "family secrets", which had already been prescribed in the Civil Code 1995 and 2005.
In 2015, the Law on Cyber Security was issued with many regulations on the protection of personal information in cyberspace.
In the Law on Information Security, for the first time the term "personal information" is explained by a law as "information associated with the identification of a particular person" (Clause 15, Article 3). This Law also explains the term "subject of personal information" (Clause 16, Article 3) as the "person identified from that personal information".
This Law also clearly stipulates the "principles of protecting personal information online" (Article 16), the "collection and use of personal information" (Article 17), the "update, amendment and cancellation of personal information" (Article 18), and it requires "ensuring safety of personal information online" (Article 19) and sets out the "responsibility of state management agencies in protecting online personal information" (Article 20).
In addition, the Civil Code and the Decree on handling of administrative violations related to e-commerce activities also initially contain provisions on sanctions for violations.
Violations of regulations on the collection and use of personal information may also be penalized according to the provisions of Article 84 of Decree No. 15/2020/ND-CP dated February 3, 2020, stipulating the sanctioning of administrative violations in the field of post and telecommunications, radio frequency, information technology and electronic transactions.
According to Dr. Nguyen Van Cuong, the law on the protection of personal information in Vietnam so far has the following basic limitations:
Firstly, the definition of personal information is still inconsistent among relevant legal documents (reflected both in the regulated content and in legislative techniques).
For example, the definition of "personal information" in the Law on Internet Security is brief, while the Government's Decree No. 52/2013/ND-CP on e-commerce provides specific, detailed points, and it is difficult to tell whether these are fully compatible with the provisions of the Law on Internet Security. The Law on Consumer Protection 2010 uses the phrase "information of consumers" (Article 6) to mean the "personal information" of consumers, while the Law on Internet Security and Decree No. 52/2013/ND-CP use the phrase "personal information".
Secondly, the current regulations focus only on the protection of personal information in cyberspace; there are no specific regulations on the protection of personal information in the traditional environment. This creates a division in legal regulation between real space and virtual space, which is inconsistent with the reality of the Fourth Industrial Revolution, in which real (physical) space and virtual space are interconnected.
Thirdly, the law on protecting personal information has not caught up with the practice of using personal data such as personal image data (facial recognition technology) and biometric data (for example, fingerprints, iris)... Therefore, when enterprises use these data, the question arises whether the current personal information protection regulations apply to them. Is there a need for stricter measures for businesses that collect and use consumer biometric data? The reason is that if a person's "address" or "phone number" is classified as personal information, then biometric data can clearly also be considered "data" or "personal information", but the "sensitivity" of such data is much greater than that of the "phone number", "name" or "age" of the subject of personal information.
Fourthly, the legal documents on the protection of personal information have not yet foreseen actual situations in the collection and assessment of personal information, such as: whose consent is needed for the collection and handling of children's personal information, how the cross-border transfer of personal information should be controlled, what the legal obligations to anonymize personal information are, etc.
Fifthly, there is no regulation on the right to be forgotten in necessary cases (a valuable human right that the laws on the protection of personal information in many countries have regulated).
Sixthly, there is no specific regulation on liability for compensation for subjects who commit wrongdoing in collecting and using personal information. This is also a legal gap that needs to be addressed.
Seventhly, between Decree No. 185 and Decree No. 15/2020/ND-CP on sanctioning of administrative violations in the information technology sector (Decree No. 15), although there is not too much difference in the level of fines for the same violation (for example, illegally collecting personal information), the remedial measures are not completely the same. Specifically, Clause 84 of Decree No. 15 provides as follows: “A fine of between VND 20,000,000 and 30,000,000 for one of the following acts: a) Using personal information for improper purposes under agreement when collecting or without the consent of personal information subjects; b) Providing, sharing or distributing personal information collected, accessed to, or controlled to a third party without the consent of the personal information owner; c) Illegally collecting, using, distributing or trading other people's personal information”. However, the only remedy is forcible cancellation of the personal information obtained through the violation.
Eighthly, the level of sanctions for violations of the law on the protection of personal information in Decree No. 185 and Decree No. 15 is still mild compared to the practice of many countries in the world, and has not yet met the requirements of fighting law violations in this field (violations are often difficult to detect and handle).
Ninthly, the 2015 Penal Code, which was amended and supplemented in 2017, has only some initial provisions: Article 159 on the crime of infringing on the confidentiality or security of correspondence, telephone, telegram or other forms of exchanging private information of others, and Article 288 on the crime of illegally giving or using information on computer networks and telecommunications networks. However, these two offenses do not specify violations of the law related to personal information. This is also a legal gap that needs to be addressed.
As of early October 2020, over 70% of ministries, agencies and localities completed a 4-layer cyberinformation security model (Photo: Information Security Operations Center of Binh Phuoc Province)
From these 9 shortcomings, Dr. Nguyen Van Cuong proposed that, in the short term, in order to ensure the effectiveness and efficiency of the adjustment of the law on the protection of personal information in Vietnam, it is necessary to overcome the above limitations. Specifically:
Firstly, deal with the inconsistencies in content and legislative techniques among the relevant documents pointed out above, and at the same time raise the level of administrative sanctions against violators (for enterprises with violations, the fine level can be determined according to the turnover or the size of the violating enterprise) to ensure general deterrence and prevention.
Secondly, provide clearer instructions on compensation (civil sanctions) by subjects that commit violations, so as to create favorable conditions for information subjects whose interests are harmed to sue for damages.
Thirdly, study the criminalization of the illegal collection, use, exploitation, and transfer of personal information that causes serious consequences or is carried out on a large scale, thereby supplementing the criminal provisions of the current Penal Code (with sanctions applicable to both individuals and commercial legal entities committing the violation).
Fourthly, study and draft a Law on Personal Information Protection that inherits some regulations on the protection of personal information from the Law on Information Technology 2006, the Law on Cyber Security 2015 and Decree No. 52/2013/ND-CP on e-commerce, but regulates the protection of personal information more comprehensively (not limited to cyberspace). In particular, the law should set out more complete principles for the protection of personal information (ensuring that there are subjects with clear responsibility for violations in the handling of personal information; ensuring transparency and fairness in dealing with personal information...), provisions on the collection and handling of children's personal information, clearer responsibilities for the entities involved in collecting, storing, processing, exploiting and transferring personal information, rules on the cross-border transfer of personal information, strict sanctions, and responsibilities for State management of personal information protection. This would address many shortcomings in the practice of protecting personal information and help maintain people's trust in the security and safety of personal information when participating in the digital economy.
In addition, the Law on Protection of Personal Information also needs to stipulate an international cooperation mechanism for the protection of personal information in the context of the Fourth Industrial Revolution and the integration process, which is having a very strong impact on Vietnam and on other countries that are major partners of Vietnam.
Noted by Thuy Nguyen