Manh Hung Tran, Partner, BMVN (left) & Tan Dung Truong, Legal assistant, BMVN
Under the Law on Children 2016 (LoC), a child is defined as any person below the age of 16. Personal information, as prescribed by the Law on Cyberinformation Security 2015 (LoCS), is any information associated with the identification of a specified person. The LoCS also defines personal information processing as the performance of one or more of the following activities: collecting, editing, using, storing, providing, sharing, or spreading personal information in cyberspace for commercial purposes.
The draft personal data protection decree, while employing a definition relatively similar to that already provided for by the LoCS, adopts a more extensive definition of personal data processing: any action(s) to do with personal data, including collection, recording, analysis, storage, alteration, disclosure, granting of access to personal data, retrieval, recovery, encryption, decryption, copy, transfer, deletion, or destruction of personal data or other relevant actions. At present, the concepts of data and information appear to have no distinction and are used interchangeably.
As a generally applicable rule, personal data processors shall only collect one’s personal data after obtaining the data subject’s consent regarding the scope and purpose of the collection and use of such data. Some pieces of legislation, however, accord consent-based protection to specific categories of information only, such as those on private life and/or personal secrets.
Due to physical and mental vulnerabilities, children are safeguarded by, in addition to general protection measures enjoyed by all human beings, uniquely tailored defence mechanisms recognised by laws. Specifically, the LoC prohibits any acts of announcing or disclosing information about the private life or personal secrets of the child who is seven years old or older without his or her consent, and the consent of the child’s parents or legal guardian.
Implementing this principle, Decree No. 56/2017/ND-CP guiding the LoC requires service providers to obtain the consent of both the child who is above seven and his or her parent or guardian in the case of “uploading the information of the child’s private life to the internet”.
Reading the provisions of the LoC and Decree 56 in conjunction with the existing and proposed definitions of data processing, it is apparent that the scope of those actions under the former is more limited than that of the latter, meaning that the requirement for consent when children’s data is processed by methods other than announcing or disclosing remains unclear.
Although Article 14.1(b) of the draft personal data decree provides for the specific requirement for parent or legal guardian consent for processing of any personal data of children, as the draft decree has not been passed, the issue at hand remains unresolved.
As a principle of law application in Vietnam, when there is no specific regulation to deal with an issue, general rules prescribed by other legislation will be applied. Straightforward as the principle seems, it is not always an undemanding task to determine what these general rules encompass.
Since children may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data, their consent is not legally recognised to have equal validity to that of an adult.
Therefore, the general rule under the LoCS which applies to all data subjects as demonstrated above, without any provisions customised for children, should not be perceived as an exhaustive legal basis for the processing of children’s data.
Given the complications, certain prescriptions under Vietnam’s Civil Code 2015, which is deemed to establish the most general and inclusive fundamentals for the handling of all civil matters, would then be the guide.
Specifically, in cases where an issue arises under the scope of civil law that is neither provided for by law nor agreed upon by the parties nor regulated by practices, the analogy of law shall apply.
The law provides that civil transactions of any persons under six years old shall be established and performed by their legal representative; and that any persons 6-15 years old shall have the consent of their legal representative to establish and perform civil transactions, except for civil transactions performed to meet the needs of daily life suitable for the age group.
Also, any persons 15-18 years old shall be entitled to enter into and perform civil transactions by themselves, except for civil transactions relating to real estate or registration-required movable properties and other civil transactions as prescribed by law that are subject to the consent of their legal representative.
Nevertheless, these prescriptions should be strictly limited to the processing of children’s data that solely relates to the establishment and performance of civil transactions with minors who are any persons under 18 years old, instead of being generalised as a catch-all principle underpinning the concept of their consent to the processing of their data. The rationale is that if this were the case, implied consent would then be justified, which is inconsistent with global best practices.
Although Vietnam’s prevailing data protection laws do not expressly require such consent to be affirmative or implied, the draft personal data protection decree has proposed that consent must be voluntary, based on full information, and that the failure of the data subject to respond does not necessarily constitute consent, meaning that if the draft decree is passed according to how it is currently formulated, consent must then be explicit.
Moreover, the Law on IT 2006 prescribes that the processing of personal data for the purpose of signing, amending, or performing a contract shall be valid without the consent of the data subject. What can be inferred from this provision is that by entering into a contract, the data subject is not deemed to have given his or her consent to the processing of data; instead, this is where no consent is either given or needed.
Given the demonstrated obscurity and decentralisation of data protection laws in Vietnam, it is expected that the draft personal data protection decree will be the first-ever comprehensive legal instrument guiding the implementation of personal data protection regimes as well as balancing them with the legitimate interest of relevant stakeholders.