Steps to ensure human rights in digital transformation

Personal data protection is the protection of fundamental human rights and freedoms in relation to data.

On April 17, 2023, the Government issued Decree No. 13/2023/ND-CP (Decree) on personal data protection, effective from July 1, 2023, meeting the requirements for protecting personal data rights; preventing acts of personal data infringement, affecting the rights and interests of individuals and organizations.

Highlights

The Decree is a legal document regulating the protection of personal data and the responsibility of relevant agencies, organizations and individuals to protect personal data.

Firstly, personal data protection is the protection of fundamental human rights and freedoms related to data. The provisions of the Decree on personal data protection when operating aim to prevent each person's personal rights and freedoms from being violated.

At the same time, the security of personal data is of particular importance because if data is stolen, it can cause economic and social losses, risks such as: blackmail, fraud, property appropriation, defamation, infringement of honor, dignity, sexual abuse..., causing both material and spiritual consequences, directly affecting the rights and legitimate interests of agencies, organizations, businesses and individuals.

Second, promote and respect the rights of personal data subjects. The rights of personal data subjects include the right to access, the right to consent or not to the processing of personal data, the right to be informed and the right to request data deletion...

Furthermore, data subjects also have the right to protect themselves from other subjects violating their personal data. Subjects have the right to request compensation for damages when there is a violation of the provisions of the Decree that causes damage to the right to personal data protection. The Decree also clearly stipulates that the collection, transfer, or purchase and sale of personal data without the subject's consent is a violation of the law.

However, the right of the subject to protect personal data is not an absolute right, but can be limited in emergency cases to protect the life and health of the individual or others; emergency situations regarding national defense, national security, social order and safety; performance of contractual obligations that have been determined, or serving the activities of state agencies that have been prescribed by specialized laws.

The provision of exceptions aims to implement the principle of ensuring the rights of individuals and organizations but not infringing upon the legitimate interests of other individuals, organizations, or national interests in order to exercise those rights.

Third, promote the process of international integration on the issue of personal data protection. The Decree is compatible with international practices and regulations on personal data protection. Many developed countries have legalized the issue of personal data protection, which is the basis for Vietnam to study and refer to.

In addition, international organizations of which Vietnam is a member or cooperates with Vietnam have issued conventions, recommendations and standards on privacy and protection of information and personal data. These include the privacy principles of the Organization for Economic Cooperation and Development (OECD), the Council of Europe Convention on the protection of individuals with regard to automatic processing of information and personal data, the UN guidelines on computerized personal data and information files, the Asia-Pacific Economic Cooperation (APEC) Privacy Framework, international standards on privacy and protection of information and personal data (Madrid Resolution), the EU General Data Protection Regulation (GDPR)...

In addition, in the process of promoting cooperation between our country and other countries and territories, more than 80 countries have issued legal documents on personal data protection, many of which have provisions applicable to Vietnamese organizations and individuals. Therefore, specific and detailed regulations on personal data protection aim to create an environment of equality and rule of law in Vietnam, including for foreign individuals and organizations.

The challenges

Currently, there are still significant challenges in implementing the Decree.

Firstly, the challenge in the management of employees of enterprises. Currently, many enterprises build a model of parent company, subsidiary companies with the same management ecosystem, employee information can be easily accessed from the common system.

However, under Vietnamese law, each company (including parent companies and subsidiaries) is considered a separate and independent legal entity, so the transfer of personal data of employees by companies in the same ecosystem to serve the internal management process of the enterprise can also be considered a violation of the enterprise's responsibility to protect personal data.

On the other hand, currently, many enterprises are facing difficulties in implementing the Decree, and have not yet completed the mechanism and regulations in managing and protecting employees' personal data in accordance with the Decree.

Second, it is not consistent with the legal regulations on the operations of credit institutions. Currently, the operations of credit institutions are regulated by specialized legal regulations such as: Law on Credit Institutions 2010 (amended and supplemented in 2014); Law on Anti-Money Laundering; Decree 117/2018/ND-CP on keeping confidential and providing customer information of credit institutions and foreign bank branches; Circular 09/2020/TT-NHNN of the State Bank regulating the security of information systems in banking operations at the level below the Law.

On the other hand, for banking activities, data processing affects personal data, such as: Collecting, recording, analyzing, confirming, storing, editing, publicizing, combining, accessing, retrieving, recalling, encrypting, decrypting, copying, sharing, transmitting, providing, transferring, deleting, destroying personal data or other related actions are essential to provide services to customers and manage risks in banking activities, ensuring the safety and security of the monetary system, so many activities of processing personal customer data cannot and do not require the consent of customers, while Clause 2, Article 3 and Clause 1, Article 9 of the Decree stipulate that subjects have the right to know about the processing of their personal data, except in cases where other Laws provide otherwise.

Or in Clause 2, Article 9 stipulates that the subject has the right to not consent to the processing of his/her personal data; the subject has the right to delete, access, request restriction of data processing, and object to data processing, except in cases where other Laws have other provisions in Article 9. Thus, it will be confusing and inappropriate if the Decree is applied rigidly and without unified guidance.

In addition, the provision of services and products by credit institutions is carried out according to many processes on one product, each process on one product includes many different steps and is related to the collection, evaluation, analysis, and provision of data on very large customer files, while the Decree requires the Personal Data Controller and Processor to obtain the consent of the data subject (customer) in all processing procedures when conducting any data processing activities (Article 11); and before conducting data processing activities, the personal data subject must be notified (Article 13). This continues to be another obstacle to the operations of credit institutions.

Furthermore, credit institutions must adjust their information technology systems and other sub-law documents related to the operations of credit institutions; contract and agreement templates must be revised to comply with the Decree, creating significant difficulties for banking operations.

Third, a part of the population does not understand and is not aware of protecting their personal data, so they easily share personal information on social networking platforms, unintentionally allowing bad guys to take advantage of it for bad purposes.

Some people do not clearly see the value of personal data protection as ensuring personal privacy, and are also afraid to provide personal information, making it difficult for authorities to carry out state management of personal data protection as well as serve the investigation and handling of violations of the law on personal data protection.

In addition, the situation of buying and selling personal data, the risk of information leakage, creates major consequences, affecting socio-economic issues. Fraudulent phenomena, spam advertisements via calls and messages are still complicated, affecting people's lives.

Personal data security is of particular importance because if data is stolen, it can cause economic and social losses, directly affecting the rights and legitimate interests of agencies, organizations, businesses and individuals. (Source: Shutterstock)

Putting the Decree into practice

Vietnam is one of the countries with the highest Internet development and application speed in the world with more than 70 million users. Personal data of more than 2/3 of our country's population has been and is being stored, posted, shared and collected in the digital environment, cyberspace with different forms and levels of detail.

The Decree is a breakthrough in ensuring human rights in digital transformation, overcoming shortcomings and inadequacies in the practice of ensuring, protecting and securing personal data, and increasing responsibility for domestic and foreign agencies, organizations and individuals directly involved in or related to personal data processing activities in Vietnam.

In order for the Decree to be truly effective in practice, it is necessary to focus on the following issues:

Firstly, increase the responsibility of enterprises in protecting the rights of workers. In the use of labor, enterprises must collect and store information of employees. To serve the purpose of labor management, employers and enterprises receive and manage a lot of personal information from employees, but if the management and processing of information is careless, it will lead to unpredictable consequences.

Enterprises need to carefully study and evaluate the overall impacts of the Decree, promptly review and update procedures and instructions for handling personal data in accordance with the new regulations; consider establishing mechanisms and building governance regulations based on the provisions of the Decree; maintain and comply with those mechanisms and regulations throughout the operation process.

Second, remove difficulties for credit activities of credit institutions . The State Bank needs to closely coordinate with relevant ministries, especially the Ministry of Public Security, to provide unified guidance on personal data protection in the credit sector, both ensuring the promotion of the operational responsibility of credit institutions in protecting customer data and meeting specialized requirements and tasks.

Third, in order for the Decree to truly come into effect, it is necessary to do a good job of disseminating and educating the law. In particular, it is necessary to highlight the need to issue the Decree with the highest purpose of respecting and protecting civil rights and human rights. And above all, the personal data subject must himself/herself thoroughly understand and raise his/her awareness and responsibility in protecting personal data.