Over the years, protecting children’s informational privacy has become a controversial issue. From a legal perspective, there are two questions: to what extent does it depend upon parental control and consent, and how is this factor incorporated into the law seeking to protect children’s informational privacy?
Under the Law on Children 2016 (LoC), a child is defined as any person below the age of 16. Personal information, as prescribed by the Law on Cyberinformation Security 2015 (LoCS), is any information associated with the identification of a specified person. The LoCS also defines personal information processing as the performance of one or more of the following activities: collecting, editing, using, storing, providing, sharing, or spreading personal information in cyberspace for commercial purposes.
The draft Personal Data Protection Decree (Draft PDPD), even though employing a relatively similar definition of personal data, adopts a more extensive definition concerning personal data processing which is any action(s) to do with personal data, including collection, recording, analysis, storage, alteration, disclosure, granting of access to personal data, retrieval, recovery, encryption, decryption, copy, transfer, deletion, or destruction of personal data or other relevant actions.
As a general rule, personal data processors shall only collect one’s personal data after obtaining the data subject’s consent regarding the scope and purpose of the collection and use of such data. Some pieces of legislation, however, accord consent-based protection to specific categories of information only, such as those on private life and/or personal secrets.
Due to physical and mental vulnerabilities, children are safeguarded by, in addition to general protection measures, uniquely tailored defense mechanisms. Specifically, the LoC prohibits any acts of announcing or disclosing information about the private life or personal secrets of the child who is seven years old or older without his or her consent, and the consent of the child’s parents or legal guardian. Implementing this principle, Decree No. 56/2017/ND-CP (Decree 56) requires such consents to be obtained in the case of “uploading the information of the child’s private life to the internet”.
However, given that the existing and proposed definitions of data processing is broader than the acts currently regulated under the LoC and Decree 56, the requirement for consent when the processing of children’s data is performed under methods other than announcing or disclosing has yet to be clear.
Although the Draft PDPD provides for the specific requirement for parent or legal guardian consent for the processing of any personal data of children, as it has not been passed, the issue remains unresolved.
Since children may be less aware of the risks, consequences, and safeguards concerned and their rights in relation to the processing of personal data, their consents are not legally recognized to have equal validity to that of an adult. Therefore, the general rule under the LoCS applying to all data subjects as demonstrated above, without any provisions customized for children, should not be perceived as an exhaustive legal basis for the processing of children’s data.
Given the complications, certain prescriptions under Vietnam’s Civil Code 2015, which establishes the most general fundamentals in handling all civil matters, would then be the guide. Specifically, in cases where an issue arises under the scope of civil law that is neither provided for by law nor agreed upon by the parties nor regulated by practices, the analogy of law shall apply.
Accordingly, civil transactions of any persons under six years old shall be established and performed by their legal representative; and that any persons 6-15 years old shall have the consent of their legal representative to establish and perform civil transactions, except for civil transactions performed to meet the needs of daily life suitable for the age group. Also, any persons 15-18 years old shall be entitled to enter in and perform civil transactions by themselves, except for civil transactions relating to real estate or registration-required movable properties and other civil transactions as prescribed by law that are subject to the consent of their legal representative.
Nevertheless, these prescriptions should be strictly limited to the processing of children’s data that solely relates to the establishment and performance of civil transactions with minors (persons under 18), instead of being generalized as a catch-all principle underpinning the concept of their consent to the processing of their data. The rationale is that if this were the case, implied consent would then be justified, which is inconsistent with global best practices.
Although Vietnam’s prevailing data protection laws do not expressly require such consent to be affirmative or implied, the Draft PDPD has proposed that consent must be voluntary, based on full information, and that the failure of the data subject to respond does not necessarily constitute consent, meaning that if the Draft PDPD is passed according to how it is currently formulated, consent must then be explicit.
In addition, the Law on Information Technology 2006 prescribes that the processing of personal data for the purpose of signing, amending, or performing a contract [using information, products, services in cyberspace] shall be valid without the consent of the data subject. What can be inferred from this provision is that by entering into a contract, the data subject is not deemed to have given his or her consent to the processing of data; instead, this is where no consent is either given or needed.
Given the demonstrated obscurity and decentralization of data protection laws, it is expected that the Draft PDPD will be the first-ever comprehensive legal instrument guiding the implementation of personal data protection regimes and harmonizing conflicting interest of different stakeholders.
(Published with Vietnam Investment Review, co-authored with Tan-Dung Truong)