A couple weeks ago I wrote about Vietnam’s new draft data protection regulations. Part of those regulations cover the protection of children’s data in the online environment. That is not the first instance of regulations for data privacy for children in Vietnam, however. As approximately 36% of Vietnam’s population is under 24 years old and 22% under 14, there are a large number of children using the internet in Vietnam. I thought it important, therefore, to discuss the current and proposed legislation regarding data privacy for children in Vietnam.
Existing Regulations on data privacy of children in Vietnam
First and foremost, internet service providers should understand that general data privacy rules apply to children as well as adults. I wrote about the data protection obligations of internet service providers some time ago and you can see that post for a full understanding of those obligations. But there are additional obligations imposed when dealing with the data of children.
Age of Consent
Children capable of giving consent for the use of their data are older than seven years old. There are no regulations for children under seven and we can assume that they are too young to be able to consent and therefore their data should not be published at all. Children from seven, however, are capable of giving consent for the use of their data. Before internet providers can publish the private data of children over seven, however, they must not only obtain the consent of the child but also of the child’s parent or guardian.
The upper limit to this requirement is relatively clear. The law on children specifies that children are anyone under 16 years old. According to the civil code, however, minors from 15 to 18 years old can enter into civil transactions without the consent of their parents except for those related to immovable property and as otherwise prescribed by law that requires parental consent. The law on children and the civil code, therefore, can be deemed not to be in conflict. Even though children who are 15 years old–old enough to enter civil transactions independently of their parents according to the civil code–may enter into many civil transactions, because the law on children requires parental consent for the publication of their data, it falls under the exception of the civil code.
But that consent is only required for the publication of private information, not the collection or analysis or other use of that information. The law on children does not address these other potential actions as regards data. The civil code would then presumably be the guide. For all other acts besides publishing data, therefore, the consent of the parents would seem to only be required for minors under 15 years old. This may be a moot point as most children under 16 are using the internet for the purposes of social media which does involve the publication of private data and therefore seems to require the consent of parents for children under 16 years old. It makes little sense to apply a separate standard to distinguish minors capable of entering into civil transactions from children.
In general, however, we advise clients that all matters of data collection, use, or publication involving children would impose the 16 years old limit rather than the younger 15 years that could arguably apply. The law on children is controlling in most cases when dealing with minors under 16 years old and splitting hairs with the authorities is less effective than simply eliminating the collection and non-publication use of 15-year-old children without parental consent.
What is Private Data
Obtaining the consent of the child and the parent–both of which are required to publish private data of the child–is only the first step in treating a child’s data. Internet providers must also understand what that private data is, as the definition of private data is different for children than for adults.
Private data of children is information on:
name, age and characteristics for personal identification; information on health status and privacy written in health records; personal images; information on family members and caregiver of the child; personal property; telephone number and mail address; address of and information on residence place and native place; address of and information on school, class, learning result and friends of the child; and information on services provided for the child.
This definition is more inclusive than the current definitions of private data for adults, even for those definitions of private data contemplated by the draft individual data protection law. Data privacy for children in Vietnam, therefore, covers not only the child but the child’s caregiver and parent or guardian. Anything that might provide someone seeing the published data enough information to locate the child.
There are only two additional obligations that are distinct to the treatment of data privacy of children in Vietnam. Internet providers must deliver warnings to children when they change their private information. They must also remove the private data of a child upon the request of the parent or caregiver of the child, organizations and individuals with child protection responsibilities as prescribed by law, and the child herself. Otherwise, the rules applicable to data protection in general apply.
Regulations in the Draft Decree
The draft decree on individual data protection includes some provisions treating the “processing” of the personal data of children. There are several provisions that do little to change existing rules on the age of consent but do supplement the provisions on actions requiring consent and termination of processing activities.
Firstly, the draft decree requires consent to be obtained by parents for all “processing” of children’s personal data, not just for the publication of that data. Processing includes:
any action(s) to do with personal data, including collection, recording, analysis, storage, alteration, disclosure, granting of access to personal data, retrieval, recovery, encryption, decryption, copy, transfer, deletion, or destruction of personal data or other relevant actions.
Therefore, consent of the child and the parent or guardian would be required for any of these actions on the part of the data processor. And as the treatment of children’s personal data does not stretch to include sensitive personal data, the scope of included data types is less broad than that in the law on children. The data for which processing requires consent includes:
- Surname name, middle name, and birth name, alias (if any);
- Date of birth; date of death or date of going missing;
- Blood type & gender;
- Place of birth, place of birth registration, permanent residence, current residence, hometown, contact address, email address;
- Phone number;
- ID card number, passport number, citizen identification number, driver’s license number, plate number, personal tax identification number, social insurance number;
- Marital status;
- Data reflecting online activities or activity history.
It is unclear at this point whether the draft decree would supersede the requirements of the law on children as regards the processing of children’s data or whether the existing regulations will remain in effect. It is possible that these regulations will be seen as supplementary to the law on children rather than replacing the relevant provisions of that law. If so, consent would be required for all of this data as well as the data regarding the caregivers and parents of the child.
Data processors must conduct the following actions when processing children’s data: they must correct inaccurate or misleading personal data; update inadequate personal data; update and handle outdated personal data; and delete personal data that is no longer needed for the purpose of data processing. All data processing of personal data of children must be terminated if the collection of data has been completed or is no longer necessary for the purpose which was stated in obtaining consent and when required by the child and guardian in accordance with the law; parents or guardians withdraw their consent for the processing of the child’s personal data; and at the request of a competent authority when there are sufficient grounds to prove that the processing of personal data affects children’s legitimate rights and interests.
The treatment of data privacy of children in Vietnam is a sensitive issue. Children are treasured in Vietnam as they will grow up to take care of aging parents. They will also be responsible for seeing their parents safely at rest in the afterlife and appeasing the needs of their spirits. Children are vital, then, to the lifecycle of the Vietnamese. To protect them, and their data is an important part of seeing those children grow successfully into adults capable of fulfilling their filial duties. Unfortunately, the laws regarding the collection, processing, and publication of children’s data are minimal. It is very easy for internet providers to run askance of the rules without realizing it. Care is required, therefore, in treating the data of children and in deciding who, exactly, is a child. But the market for children users of internet services in Vietnam is huge with from 25 to 30 million children in the country. It is an attractive market and internet providers must be wary when approaching it. Minimum standards should be applied to ensure that the laws are complied with and the interests of children protected.