National Assembly delegates from Nghe An discuss the Law on Personal Data Protection

Only sensitive personal data categories should be specified.in law

Speaking at the discussion, Mr. Hoang Minh Hieu - Member of the National Assembly, full-time member of the National Assembly's Committee on Law and Justice, delegate of Nghe An delegation expressed his high agreement with the promulgation of this Law.

“This is an important step in the process of perfecting the legal system to meet the requirements of protecting human rights, individual rights, as well as the requirements of digital transformation in Vietnam,” said the delegate from Nghe An. “Through research, we also found that the draft’s provisions are basically close to international standards.”

In addition, delegate Hoang Minh Hieu also contributed some contents to complete the draft Law. First of all, regarding the distinction between basic personal data and sensitive personal data, he said that the draft Law's distinction between types of personal data, including basic personal data and sensitive personal data, is extremely necessary because sensitive data requires stricter protection measures.

For example, according to the draft, the protection of personal data in the fields of health, insurance, finance and banking must apply regulations on the protection of sensitive personal data.

However, in terms of legislative techniques, the draft Law assigning the Government to list both categories of these two types of data, according to delegate Hoang Minh Hieu, will create a problem in that there will be situations where information that meets all the prescribed criteria but does not belong to one of the two categories will not be considered personal data.

Therefore, the delegate suggested that the list should only be specified for sensitive personal data. The remaining data that meets the criteria prescribed by the Law is of course considered basic personal data. Such a provision ensures scientificity, comprehensiveness, and ease of application.

In addition, according to the experience of many countries, sensitive personal data is important content, related to the rights of individuals, so the laws of many countries often stipulate some sensitive personal data in the law. For example, according to Japanese law, there are data such as social status, medical records, criminal records, etc.

China's law lists sensitive data as including biometric identification, religious beliefs, medical data, healthcare, financial accounts, location tracking data.

Therefore, he suggested that the drafting agency could stipulate some basic types right in the law, while the Government would regulate and supplement other information in accordance with the requirements of each period.

Add more provisions on how to de-identify data

Regarding the de-identification of personal data, the draft Law has provided a definition of de-identification of personal data and at the same time, the draft clearly states that personal data after de-identification is not considered personal data.

Delegate Hoang Minh Hieu assessed that this is an important and progressive point, creating a very favorable legal basis for the use of big data for research purposes and especially training artificial intelligence models.

However, through research, he found that the draft and regulations of related laws such as the Data Law and the Digital Technology Industry Law do not specify how to de-identify personal data and how to ensure that this data cannot be re-identified. In practice, if the criteria and implementation methods are not clearly defined, it is difficult for businesses to know when data has been fully and legally de-identified.

Therefore, Mr. Hoang Minh Hieu suggested that it is necessary to study and add more regulations on how to de-identify data to facilitate implementation. Here, we can refer to the list of data fields that need to be removed or encoded as prescribed by the laws of some countries. If not prescribed in the law, we can study the list prescribed by the Government.

The delegate of Nghe An delegation proposed to review and remove the provisions in the Draft Law on Digital Technology Industry on depersonalization of digital data because this concept overlaps with the concept of de-identification of personal data in the Law on Personal Data Protection, to ensure that there are no conflicts, overlaps, or bottlenecks in the process of law enforcement.

Regarding the classification of risks to personal data in the development of artificial intelligence, the draft Law stipulates the protection of personal data in the processing of big data, artificial intelligence, blockchain, virtual universe, cloud computing, including the requirement to classify the level of risk in the processing of personal data into 4 levels: unacceptable risk, high risk, limited risk and low risk.

Mr. Hoang Minh Hieu said that this regulation is unclear and may affect the use of data to develop artificial intelligence systems. Specifically, the draft has not clearly defined the criteria for assessing risk levels; it has not specified who is responsible for determining risks (enterprises, the State or a third party?).

Therefore, delegates suggested that there should be clear and specific regulations on assessing the risks of processing personal data in the development of artificial intelligence to facilitate the development of artificial intelligence systems.

In addition, delegates also proposed reviewing the provisions in Article 27 to avoid duplication with existing regulations on artificial intelligence development in the draft Law on Digital Technology Industry, which is also expected to be passed at this session.

Consider applying tiered compliance regulations

The draft Law has set out many obligations for data controllers and data processors, including obligations such as assessing the impact of personal data processing, updating periodically, providing early notification in case of violations, and having a personal data protection expert...

According to the delegate, although the draft has provisions allowing small businesses and startups to be exempted from regulations on personal data protection experts for the first 5 years... other obligations can still create a significant burden for businesses, especially for small and medium-sized businesses that do not operate primarily in the data sector.

Therefore, he recommended that the drafting agency continue to review and research to reduce the compliance burden for the parties, to both encourage the development of new industries and protect people's rights.

Accordingly, it is possible to consider applying compliance regulations in a tiered manner, based on the size of the enterprise, in particular, based on the volume and sensitivity of the data processed. Specifically, it is possible to exempt or simplify the personal data impact assessment process for small and medium-sized enterprises that process low-risk data and have a small volume of data processed, instead of applying the same set of rules to all enterprises.

"We realize that when this draft law comes into effect, it will have a huge impact on all individuals in society and businesses, especially when using digital platforms. Therefore, we propose that the Government soon have a plan to propagate and disseminate to create a habit of complying with the law when applying digital platforms," ​​the delegate of Nghe An delegation suggested.

Also on the morning of May 24, the National Assembly listened to the presentation and report on the review of the draft Law on Transfer of Persons Serving Prison Sentences; the draft Law on Extradition and discussed the draft Resolution of the National Assembly on piloting a number of specific mechanisms and policies for the development of social housing.