Published in Asian-mena Counsel: Data + Cyber Security Special Report 2020
By Sungdo Choi and Ha Thi Tinh, Yoon & Yang
The Industry 4.0 era, with its rapid growth of advanced technologies and smart digital devices, has facilitated the advent of ‘untact’ (ie, ‘non-contact’) business, which requires less in-person interaction. Although untact business brings huge conveniences in the sharing of and access to information, time-saving services and distance-free connection, it has raised the issue of how to protect personal data and ensure cyber-information security. Most online service users express concern about unauthorised disclosure of their personal data and about cyber-attacks while using online services.
The Constitution of Vietnam and the Civil Code recognise the inviolable right to personal data protection, and declare principles on the protection of private life, personal privacy, family privacy and private communication. However, the technical and legal framework designed to prevent unforeseen, unintended or malevolent use of personal data appears too underdeveloped to provide sufficient protection, mainly because legal frameworks normally lag behind economic realities.
A number of laws and regulations contain provisions to protect personal data privacy. These include the Law on Cyber Information Security, the Law on Cyber Security, the Law on Information Technology, the Law on Electronic Transactions, the Law on Consumer Rights Protection, etc. These laws provide regulations on the rights of the data subject to store, check, correct or erase personal information in a network environment, security requirements for data processing, obligations of data processors, the responsibility of regulatory authorities, exemptions from the data protection rules, and measures required to be taken to protect cyber security. However, the application of these rules in practice is not always clear.
With an increasing number of personal data leakage cases being reported, the goal of the Vietnam Government to develop a more comprehensive legal framework for data protection is explicitly expressed in Resolution of Government No.138/NQ-CP dated 29 September 2020, which approves the proposal of the Ministry of Public Security to prepare a Decree on data protection. Accordingly, the proposed Decree will be submitted to the Government for review by the 1st Quarter of 2021.
The most recent version of the proposed Decree consists of eight (8) chapters, while the specific contents of each chapter and article have yet to be prepared. The proposed Decree sets out seven (07) principles of personal data protection, specifically as follows:
- Principle of Lawfulness: Personal data shall be lawfully collected.
- Principle of Purpose: Personal data shall be collected for the limited purposes as consented or registered.
- Principle of Simplification: Personal data shall be collected only to the extent necessary to serve a pre-determined purpose.
- Principle of Restricted Use: Personal data shall be used only after obtaining the data subject’s consent or at the request of competent authorities.
- Principle of Data Quality: Personal data shall be updated as sufficient and necessary to serve the purpose of processing such data.
- Principle of Security: Security measures shall be applied to protect personal data.
- Principle of Individuality: The data subject shall be notified of all activities pertaining to their personal data.
Non-compliance with the data protection laws can be subject to both administrative and criminal sanctions under the current laws. The Penal Code provides criminal sanctions for infringement upon secret information, mail, telephone or telegraph privacy, or other means of private information exchange, and for illegal provision or use of information on computer networks or telecommunications networks. The administrative sanctions are spread across various legal documents depending on the nature of the violation. For example, Decree 15/2020/ND-CP regulates monetary sanctions imposed on violations of regulations on cyber information security, and Decree 185/2013/ND-CP regulates monetary sanctions imposed on violations of consumer rights in e-commerce activities. The proposed Decree will have one chapter covering sanctions imposed on violations of personal data protection.
At present, many countries are suffering from the Covid-19 pandemic, and untact business will become more indispensable to sustain economic activities and to aid economic recovery. Daily operations have been moving from offline to online, and companies have been utilising cyber space as an alternative way to serve their customers. The untact business model will clearly continue to develop even after the pandemic finally ends, and legal frameworks addressing privacy protection and cyber-attacks are expected to evolve continuously with the increasing use of online services.