Home    Practice    Violations of the law on personal information protection in Vietnam: Reality, cause and solution
Tuesday, 26 February 2019 15:23
1568 Lượt xem

Violations of the law on personal information protection in Vietnam: Reality, cause and solution

(LLCT) - In modern society, with technology and internet strongly developing under effects of Industrial Revolution 4.0, personal information will become an exchangeable and increasingly valuable asset. In addition to positive values of personal information provided to each person, in many cases, such information can be disclosed, traded, exchanged, etc., not following the desire of its owner, significantly affecting lives of each person. In this article, the author provides basic provisions of current law on personal information protection, actual situation of violations, causes of violations of the law and recommends some solutions to limit these violations occurring in practice.

Keywords: personal information, personal information protection, violations of the law on personal information protection.

1. Law provisions on personal information protection in Vietnam

Compared to previous constitutions, the Vietnamese Constitution 2013 has made a new progress in regulating privacy rights, which is focused in Article 21. Along with the current legal documents, some documents such as: Civil Code, Civil Procedure Code 2015, Law on Network Information Safety 2015, Law on Pharmacy 2016, Law on Statistics 2015, Law on Citizenship identification 2014, Law on Children 2016, Criminal Code in 2015, Criminal Procedure Code 2015; were amended and supplemented in the spirit of the Constitution 2013, contributing to develop a crucial law corridor for personal information (PI) protection which can be implemented in practice.

Firstly, it is clearly regulated by legal documents that PI protection is a human right respected and protected by the State.

Securing PI secrets of its subject is the optimal principle of the law on PI protection: Point d, Clause 1, Article 16 of the Law on Telecommunications 2009 specifies that telecommunication service users shall be ensured of private confidential information in accordance with the provisions of law; Point c, Clause 1, Article 91, of the Law on Pharmacy 2016 specifies that participants in clinical drug testing shall be kept secrets of related PI; Paragraph 2, Article 30 of the Postal Law 2010 specifies that postal service users shall be ensured with information privacy and security. Article 510 of the Civil Procedure Code 2015 specifies that denouncers shall have the right to request for the confidentiality of their names, addresses and autographs.

In order to protect PI, in legal proceedings, the law specifies to conduct closed trials to protect PI. The Vietnamese Constitution 2013, paragraph 3 of Article 103 states that: “People’s Courts shall conduct public trials. In special cases needing to un-disclose State’s secrets, fine customs and traditions, protect juveniles or un-disclose private secrets at the legitimate requests of concerned parties, the People’s Courts shall be able to implement closed trials”. The spirit of this regulation is reflected in Civil Procedure Code 2015, Criminal Code Procedure 2015, Administrative Procedure Law 2015 and other documents such as the Law on Denunciations, Ordinance on Organizing Military Courts, etc.

Secondly, legal documents defined the responsibility of subjects with obligation to protect PI as state agencies, enterprises and other individuals. Subjects shall be obliged to implement the principle of respect and confidentiality of PI.

Under the way of specifying what is not allowed, the provisions confirmed that the information protection is primarily a prohibition on implementation of such acts as citing, using, providing, disclosing, infringing information safety, etc. Paragraph 4, Article 15 of the Law on Technology - Information 2016 specifies that “organizations and individuals shall not cite contents of digital information of other organizations or individuals in case that owners of such information made warning or the citing information is not allowed by law”. Article 46 of the Law on E-Transaction 2005 specifies that “Agencies, organizations and individuals shall not use, provide or disclose information on private secrets or information of other agencies, organizations or individuals accessed to or controlled in e-transactions without their consent, unless otherwise provided by law”. Article 4 of the Law on Network Information Safety 2015 specifies that “Organizations and individuals shall not infringe upon information safety of other organizations and individuals”.

In the field of press, it is specified that press agencies shall protect the PI in the way in which information shall not be distorted or untruthful. If the information is untruthful, distorted, slandered, offending the prestige of agencies, organizations, honor and dignity of individuals, the author of article shall post and broadcast the correction, apologize in press and notify such agencies, organizations and individuals thereof in accordance with Article 42 of the Press Law 2016.

Thirdly, the law on PI protection also specifies remedies against violations of PI protection. In case of violation, depending on the serious level, individuals or organizations can be subject to administrative or criminal remedies in accordance with the law.

Criminal remedies

Under the provisions of Criminal Code 2015, the infringing PI of another person shall be subject to non-custodial probation of up to 3 years in accordance with Article 159 of the Code.

Civil remedies

The right of PI protection is a civil one, the protection of this right is considered a principle in Civil law. Paragraph 1, Article 9 of the Civil Code 2015 affirms: “All civil rights of individuals, legal entity and other subjects shall be respected and protected by law.” Paragraph 2 of this article recognizes 5 forms of civil remedies: When civil rights of a subject is infringed, then the subject has the right to defend himself or herself in accordance with the provisions of this Code or to request competent agency or organization to:

a) Recognize his/her civil rights;

b) Forced to terminate violations;

c) Forced to apologize, publicly correct;

d) Forced to implement civil obligations;

dd) Forced to compensate damages.

Administrative sanctions: in different fields, different levels of administrative punishment are stipulated specifically.

2. Violations of law on personal information protection

Firstly, personal data trading

The trading personal data has been quite easily taking place with low cost over many years in Vietnam. The information including parents’ name, phone number, number of houses, etc., of students from primary to highs schools in Ho Chi Minh City was sold for only VND 2.5 million(1). The “Candidate data trading”(2) has been taking place similarly to the above-mentioned case. Personal data such as name, old, position, telephone number of directors from enterprises in Hanoi, Ho Chi Minh City and other provinces and cities nationwide; VIP customers purchasing luxury apartments, insurance, cars, gold and silver, securities, etc., “have been quoted for sale at prices ranging from VND 400 thousand to several million, depending on the “importance” level of information”(3).

Dozens of types of customer information such as list of securities investors and list of high-income people in Hanoi; list of customers purchasing insurance, gold and silver, cars, high-end apartments; VIP customers at banks and VIP customers shopping at large supermarkets, trade centers in Ho Chi Minh City.

Secondly, disclosing personal information of celebrities in press, social networking websites

Cases such as disclosing birth certificates, inaccurate articles on press or articles without any interview, etc., related to celebrities with outstanding cases over the past time. The disclosure of information about marriage, birth certificate, even gender on the press and social networking websites of celebrities has caused direct impact in personal life as well as work and image, honor of artists.

Thirdly, disclosing personal information of some vulnerable social groups such as: children, people living with HIV/AIDS

Currently, publishing privacy information and images of children on social networking websites as well as newspapers and media has been not uncommon, even further developed at a “hot” level. Press information on kidnappings, child sexual abuse, children living with HIV/AIDS or providing images of mass murders in which the victim is the relative of children, etc., has been not rare in the media, social networking websites as well as other media means.

People living with HIV/AIDS are vulnerable social objects specified in the law on human rights. Despite the provisions of the Law on HIV/AIDS Prevention and Control 2006 and its implementing guidelines, stigmatization and discrimination against them still exist at schools, working offices, etc., affecting their life. One of the causes leading to this situation is the disclosure of information about people living with HIV/AIDS without their consent.

PI on gender and sexual orientation are considered as sensitive PI in many countries. With that sensitive information, disclosure of information about one’s gender is each individual’s rights. Not all people of LGBTI (Lesbian, Gay, Bisexual, Transgender and Intersex) want to publicize their gender because of the risk of discrimination and privacy right violation of the body possibly taking place in practice. Even in some countries where criminal penalties and remedies exist, this will endanger their lives.

Fourthly, collecting residential information which is not confidential and contrary to provisions of law

In accordance with Article 6 of the Government’s Decree No. 90/2010/ND-CP dated 18 August 2010 regulating on the National database of population, citizen information collected and updated in the National database shall include only 22 information items, Circular No. 10/2013/TT-BCA dated 22 February 2013 specifying the implementation of a number of articles in this Decree is issued and enclosed with a Form for collecting residential information by 21 required information items including: full name; date of birth; gender; place of birth; home town; ethnic; religion; nationality; identification number, date of issue, place of issue; academic level; professional, technical qualification; current occupation; workplace; place of permanent residence; current residence place; father’s full name and nationality; mother’s full name and nationality; spouse’s full name and nationality; the head of household’s full name; relationship with the head of household; family register; passport number, date of issue, agency of issue; health insurance card number, date of issue, agency of issue; personal tax code; marital status. In 2013, Hanoi City Police required people to list up to 32 information items of PI, being contrary to the above-mentioned legal documents. Additionally, the collection of these PI is manually conducted, the declaration form was handed out to many people. This can lead to the situation of people being infringed on the rights of PI protection.

Fifthly, disclosing personal information of customers in online trade transactions

Although PI is encrypted, stored in the database of websites, if the enterprise’s data system is not secured, it is likely to be attacked by hackers leading to losing database. The Law on Network Information Safety 2015 specifies that the units providing the service of storing and collecting PI shall apply management measures in accordance with standards and technical regulations to protect PI as an asset of the customers; shall come up with measures, bind staffs not to disclose customer information. However, because material facilities of enterprises have not met the requirements or their staffs still illegally provide PI, resulting in losing consumers’ PI in trade transactions.

Sixthly, collecting unauthorized personal information by malicious software

The use of malicious software to collect PI has become increasingly serious in the internet environment through computers and mobile phones. Malicious software is a type of software that is developed and secretly inserted into any system to infiltrate, destroy computer systems or steal information, interrupting or harming to confidentiality, integrity and availability of the users’ computers. The case of Huynh Ngoc Den (35 years old) providing COPYPHONE software with function of managing cell phones by recording messages and calling logs for making profit was prosecuted for trial by the Ho Chi Minh City People’s Court for illegal access to computer network, telecommunications network, internet or digital devices of other people for making profit(4). Another case is that more than 14 thousand cellphones in Vietnam being installed eavesdropping software namely Ptracker by Viet Hong Technology Company, which silently collects information from installed phones such as text messages, contacts, call recordings, phone positioning, video recording, photography, 3G/G switch. Additionally, there a series of software such as LG-SPY, SPY PHONE, VCTEL, etc., with similar functions to COPYPHONE has shown that the collection of PI via internet network has become serious(5).

3. Causes of current situation on violation of law on personal information protection

Firstly, limitations of law on personal information protection

First of all, the law on personal information protection has not provided a consistent concept of personal information resulting in difficulty for applying in practice. Current legal documents have not provided a consistent and complete concept that leads to confusing and make it difficult to apply the law on PI protection. In addition to the concept of PI, some legal documents also use the concept of private information, private secret information. After the Vietnamese Constitution 2013 issued, the concept of information on private life, personal secrets, family secrets have been used in the Civil Code 2015, Law on Information Access 2015, Law on Children 2015, however, none all of these documents has provided definition for such concepts.

Secondly, the deterrence of remedies, sanctions against violation of the law on private information protection has not been adequately strong.

Through regulations on handling remedies of violations above-mentioned, it can be seen that remedies applied in the field of PI protection have not been really detrimental.

Criminal sanctions: In cases that the disclosure of a person’s PI resulting in suicide of another, the penalty shall only be limited to a maximum of 3 years in accordance with the Criminal Code.

Administrative penalty sanctions: Violations shall be applied with a penalty of up to VND 50 million. In the era of e-commerce in considerable development, the disclosure of a person’s PI often gives huge benefits to enterprise or other subjects, so after disclosing information they are ready to accept the penalty.

Thirdly, there have been no specific regulations on processing PI in accordance with the law

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) and General comment No. 16 assert that there shall be no acceptable interference in private right unless otherwise provided by law. Article 14 of the Constitution 2013 clearly specifies that: “Human rights and citizen rights shall be only restricted by the law in cases of necessity for reasons of national defense, security, social order, safety and morality, community health”. These regulations require handling PI of a person of State, agencies, organizations or individuals to comply with the provisions of law on cases to be handled, handling order and procedures of PI. In the current laws of Vietnam, these exceptions are mainly specified in specialized legal documents and in the field of commercial and telecommunications transactions and some of provisions under the Criminal Law and Criminal Procedure Law. The basics limited in law documents often refer to: “other relevant provisions” or: “except as otherwise provided by law”.

Secondly, awareness of the community about personal information protection has remained limitations

Individuals themselves should understand their rights with PI as well as their obligations to protect PI of others. Many people, including journalists, doctors, lawyers, etc., are those who shall be obliged to protect the rights of PI protection but have unintentionally or intentionally violated these rights. Many officials and civil servants also have not really understood their rights and obligations to PI of others, in many cases, they abuse their rights and violate the PI protection rights without awareness.

Thirdly, science and technology have not yet met personal information protection

The PI protection is not only ensuring human rights in papers, but also requiring supportive scientific and technological measures. Although Vietnam is in the process of industrialization and modernization, it has not timely met the high development of science and technology in the era of industrial revolution 4.0 currently. Therefore, the PI protection has not been properly implemented because of lacking measures, forms and methods of modern technology to meet the people’s demands.

4. Some solutions to prevent violations of law on personal information protection

Firstly, developing Law on Personal Information Protection

It is time for Vietnam to develop a common law on PI protection rights that can provide a comprehensive system from concept, principle to institution and method for PI protection. In the world, in addition to the recognition of PI protection rights in Constitutions as a basic human right, many countries have incorporated this right in the Law on PI Protection or Law on Personal Data Protection, accordingly, this law regulates on the principles of PI protection; regulates rights of PI owners, obligations of PI owners; regulates rights and obligations of subjects who shall be responsible for protecting PI; regulate on processing personal data; regulates on specific remedies for violations of PI protection; regulates on agency that shall be responsible for managing the implementation of personal data protection in a clearer and more detailed manner. The legalization of regulations on PI protection will be a strong legal basis in the conditions of developing a legitimate state in the country currently.

Secondly, amending and supplementing information security regulations into specialized laws

In addition to studying to build up the Law on Personal Data Protection, competent state agencies should systematically review the existing legal documents on the PI, accordingly it should:

Firstly, unify the concept of PI, thus updating and supplementing PI in each sector and field, ensuring adequate regulation of PI to be protected.

Secondly, remove regulations on restricting the rights of PI protection, which are contrary to the provisions of the Constitution and the Common law due to the form violation from the issuance under the form of sub-law documents and content violation in restricting other rights with 4 cases as specified in Paragraph 2, Article 14 of the Constitution 2013.

Thirdly, continue to develop and complete methods of PI protection in each sector, each field such as methods of credit information security; anonymizing, encoding information in the field of education, medical examination and treatment; technology conditions for e-commerce, telecommunications, etc.

Fourthly, educating to raise awareness and knowledge on right of personal information protection and improve technology solutions

In order to bring positive efficiency for ensuring the implementation of PI protection right, the object that should be firstly paid attention to in PI protection is each individual in society. People should understand and respect the law on PI protection and related international treaties on human rights, through various forms such as advertising, television, boards, posters, etc., especially incorporating them into the curriculum at all levels. Individuals must have aware of PI self-protection and self-responsibility in providing such information and have the obligation to respect PI of others at the same time, not to disclose, provide, etc., without their consent. Additionally, each citizen should be propagandized to gain right and sufficient awareness of their right on PI protection, infringement acts of PI protection rights as well as measures to protect this right. The communication should serve not only each individual, but also enterprises and other subjects, officials and public servants. Ensuring human rights in general and PI protection rights in particular are firstly the responsibility of the State. But it does not solely depend on State agencies, branches but the role of the community is particularly significant.

Additionally, the PI protection should be supplemented and updated with measures, forms and methods of modern technology to meet the needs of information security and encryption, particularly in areas such as medicine, banking and financing.



(1) Duc Tien: “Investigating the trading group of personal information”, http://thanhnien.vn.  

(2) My Quyen: “Trading data of candidates”, http://thanhnien.vn.

(3) Huyen Thanh: “Ridiculous advertising for sale of personal data on the Internet”, http://cand.com.vn.

(4) Getting depressed at suicide cases originated from videos posted on social networking websites, http://www.doisongphapluat.com.

(5) Duc Son, L.Huong, over 14,000 cell phones are eavesdropped by Viet Hong Company: Telecommunications service providers are also be responsible https://baomoi.com.


Institute of Human Rights

Ho Chi Minh National Academy of Politics

Related Articles

Contact us