LIST OF ABBREVIATIONS
CNIL: Commission nationale de l’informatique et des libertés
CoE: The Council of Europe
COPPA: The Children’s Online Privacy Protection Act of 1998
DPA: The Data
The European law on children’s data protection
The Chinese law on children’s data protection
In China, children's personal data is safeguarded by both data privacy and family law. The 2019 Regulations on the Protection of Children’s Personal Information Online was the first dedicated framework for children's data protection, outlining responsibilities for states, data controllers, and parents. However, the 2021 Personal Information Protection Law (PIPL) significantly enhances children's data protection, incorporating specific child-centered provisions applicable to all personal information processing. Additionally, the Minors Protection Law (MPL), originally adopted in 1991, established a legal foundation for children's protection, with its 2021 amendment introducing a chapter on "Protection on the Network," which includes specialized regulations for safeguarding children's personal data online.
From these, there are some outstanding points:
Children can consent to the processing of their personal data at the minimum age of 14, while parental consent is required for those under this age. This age threshold of 14 is chosen to align with existing Chinese regulations, ensuring stability and uniformity in the law, particularly regarding the minimum age of criminal responsibility and the age of consent for sexual activity.
Parental consent is mandatory for all services that handle children's data, distinguishing this requirement from other countries where consent is only necessary for services aimed directly at children. Consequently, even services targeting adults must secure parental consent if they process any data related to children.
Children's data is classified as sensitive under Article 28 of the Personal Information Protection Law (PIPL), alongside biometric information, religious beliefs, health care, financial accounts, and personal location. This classification underscores the necessity for heightened protection measures for sensitive data compared to general data, ensuring the privacy and security of children's information are prioritized.
To process children's data in China, it is essential to have specific purposes and sufficient necessity, along with stricter protection measures than those applied to general data. Consent must be obtained separately from general data processing, and detailed information about the data processing must be provided. Additionally, children must be informed about the necessity of the processing and its potential impacts before any data is collected.
In the article by Lu ung and Konrad Kolhug (2023), published in the International Data Privacy Law, the authors emphasize the importance of protecting children's personal information. They highlight the need for a personal data protection impact assessment that evaluates the legality, necessity, and legitimacy of data processing methods. This assessment should consider the potential impacts on children's rights and interests, as well as security risks, ensuring that protective measures align with identified risk levels. Additionally, it is crucial that this impact assessment is documented and retained for at least three years to ensure accountability and compliance.
The European Union and its Member States adopt a distinct approach to processing children's data compared to China, which implements more stringent protections due to the sensitive nature of such information.
Evaluation of law on children’s data protection under foreign law
Children's data protection is governed by specialized laws designed to safeguard their personal information. Many countries have established legal frameworks that include provisions specifically aimed at protecting children's data. In the UK, a unique code serves as the only legally binding instrument focused on children's data protection. Additionally, various recommendations and guidelines further enhance the protection of children's data by offering detailed implementation strategies for these legal provisions.
Countries worldwide are increasingly focused on enhancing the protection of children's personal data, establishing specific consent requirements for data processing. These regulations typically set an age threshold, allowing children to consent independently or with parental assistance. While the exact age limit varies by country, it generally aligns with the GDPR's stipulated range of thirteen to sixteen years.
Each country has unique mechanisms to protect children's data, ensuring the highest possible level of safety for their personal information. In France, there is a strong emphasis on collaboration between data controllers and parents, who share specific responsibilities in safeguarding children's data. Conversely, the UK prioritizes legislation that serves the best interests of children regarding data protection. Meanwhile, China categorizes children's data as sensitive, granting it a high level of protection similar to other sensitive information.
The second chapter shows how various regions provide data protection for children.
The dissertation emphasizes the key provisions of the GDPR regarding the protection of children's personal data. While the GDPR is directly applicable across all Member States, many have enacted national legislation to implement its principles. To demonstrate the commitment of European countries to enhancing the legal framework for children's data protection, the dissertation examines the relevant laws in France and the UK, despite the UK no longer being a Member State.
The EU has integrated the GDPR into its national legislation through the Data Protection Act 2018. Furthermore, it established a framework called "retained EU legislation" to incorporate all EU laws, ensuring legislative continuity following its departure from the EU.
In addition to the legislation in some selected countries from the EU and that of the
The dissertation examines the contrasting approaches to children’s personal data protection between the EU and China, highlighting significant differences in how each jurisdiction processes such data.
CHILDREN’S DATA PROTECTION IN VIETNAM AND SOME RECOMMENDATIONS
Overview of the legal framework for personal data protection
3.1.1 Pre-adoption of Decree No.13/2023/ND-CP on Personal data protection
Personal data protection is fundamentally linked to the right to privacy, a core human right recognized by Vietnam's Constitution, which is the highest legal authority in the country. The 1946 Constitution initially addressed privacy rights, particularly concerning personal residences and correspondence in Article 11. This protection was further enhanced in the 1959 Constitution and expanded to include telephone and telegraph communications in the 1980 and 1992 Constitutions.
A groundbreaking point came with the promulgation of the 2013 Constitution, which explicitly affirms that:
Every individual possesses the fundamental right to privacy, which encompasses the protection of personal and family secrets, as well as the safeguarding of their honor and reputation. Legal frameworks are in place to ensure the security of information related to one's private life and personal matters.
Recent legislative developments mark a crucial advancement in promoting legal awareness regarding privacy rights. This progress indicates a willingness to expand the framework to include emerging data privacy rights in the future.
The foundation for personal data protection in the modern legal framework has been established through key legal documents, including the 2015 Civil Code, the 2006 Law on Information Technology, the 2015 Law on Network Information Security, and the 2018 Law on Cybersecurity. Additionally, Decree No. 64/2007/NĐ-CP, issued by the Government on April 10, 2007, addresses the application of information technology in state operations.
Article 18 of the 1959 Constitution of the Democratic Republic of Vietnam.
Article 71 of the 1980 Constitution of the Socialist Republic of Vietnam.
Article 73 of the 1992 Constitution and Article 21 of the 2013 Constitution of the Socialist Republic of Vietnam outline the legal framework for personal data protection. However, Decree No. 72/2013/NĐ-CP, which regulates the management and use of internet services, highlights that the current legal provisions are insufficient to address the challenges posed by recent technological advancements. These developments have led to increased concerns regarding data breaches and unauthorized access to personal information.
Vietnam's legal framework currently does not explicitly define "personal data" and "personal data protection." Instead, it employs various related terms, including "personal information," "information about private life, personal secrets or family secrets," "private information," "digital information," and "personal information in the online environment."
The implementation of personal information terms is inconsistent across legal documents. For instance, Decree 52/2013/NĐ-CP on e-commerce specifies in Clause 14, Article 3 that personal information excludes work contact details and information publicly shared by individuals. Conversely, Clause 16, Article 3 of Decree 72/2013/NĐ-CP regarding internet services defines personal information as any data linked to an individual's identity, such as names, ages, addresses, ID numbers, phone numbers, and email addresses, regardless of whether this information has been publicly disclosed.
Legal documents acknowledge the necessity of protecting personal data but lack clarity on the implementation of these principles. For instance, while consent for processing personal data is emphasized, the Law on Information Technology (Clause 1, Article 21) mandates that organizations must obtain consent from individuals before collecting and using their personal information. Similarly, the Law on Network Information Security (point a, Clause 1, Article 17) requires consent regarding the scope and purpose of data collection. However, these laws do not specify how consent should be obtained or define the validity of consent, particularly in hierarchical relationships, such as employer-employee situations, where individuals may feel pressured to consent due to potential negative repercussions.
3.1.2 Legal Evolution Post-Decree No.13/2023/ND-CP on Personal data protection
Following extensive public consultations and multiple reviews since the first draft's release in February 2021, the Government has issued Decree No. 13/2023/NĐ-CP concerning the Protection of Personal Data.
Promulgated on April 17, 2023, and effective from July 1, 2023, Decree 13 represents Vietnam's first comprehensive legal framework for personal data protection. This landmark regulation aligns Vietnam's data protection laws with international standards, particularly the GDPR, while enhancing existing regulations. Importantly, Decree 13 does not replace prior laws but serves as a supplementary measure to refine and fill gaps in the current data protection landscape. Key reforms introduced by Decree 13 significantly impact personal data protection in Vietnam.
* Recognition of the term “personal data” and relevant actors in personal data processing
As mentioned, there are several terms used in place of “personal data” in various legal documents regulating personal data protection. It is not until the adoption of Decree
According to Clause 1, Article 2 of Decree 13, "personal data" is defined as "electronic information in the form of symbols, letters, numbers, images, sounds, or equivalents associated with an individual or used to identify an individual." This definition highlights that personal data exists in a digital format and pertains to specific individuals, or is generated from their activities, facilitating their identification.
Furthermore, this is the first time that personal data is classified into two categories, including basic personal data and sensitive personal data. As sensitive data is data that “when being infringed, will directly affect an individual’s legal rights and interests,” its processing must follow both the standard and specialized rules.
Decree 13 regulates personal data processing involving two key parties: the Data Subject and the entities responsible for processing and controlling personal data.
A Data Subject is defined as an individual to whom personal data pertains. As a Data Subject, individuals possess several rights, including the right to be informed about data usage, the right to provide consent, and the right to access their personal data. They also have the right to withdraw consent, request the deletion of their data, and obtain restrictions on data processing. Furthermore, Data Subjects can request their personal data, object to its processing, file complaints or lawsuits, claim damages, and exercise their right to self-protection.
Individuals have the responsibility to protect their own personal data and to request that relevant organizations safeguard this information. They must also respect and protect the personal data of others. When consenting to data processing, individuals are required to provide their personal information fully and accurately. Additionally, they should engage in promoting personal data protection skills and adhere to legal regulations regarding data privacy.
See: Clause 3, Article 2; Clause 4, Article 2 Decree 13.
Clause 4, Article 2 Decree 13.
Clause 6, Article 2 Decree 13.
Article 9 Decree 13.
on protection of personal data and prevent violations against regulations on protection of personal data
The Decree categorizes actors involved in the processing and control of personal data into four distinct groups: (i) Data Controller, (ii) Data Processor, (iii) Data Controller-cum-Processor, and (iv) Third Party.
Overview of the legal framework for children’s personal data protection
3.2.1 General provisions on children’s data protection
Vietnam is committed to protecting children's personal data through a robust legal framework, including the Constitution, laws, and by-laws. The 2013 Constitution affirms the right to privacy for all individuals, regardless of age, which supports the recognition of children's privacy rights. This commitment is further reinforced by the 2016 Law on Children, ensuring that children's data receives appropriate and adequate protection.
Children possess an inherent right to privacy, which includes the protection of personal and family secrets, ensuring their best interests are upheld. Their honor, dignity, and personal prestige, along with the confidentiality of their communications—such as mail, telephone, and telegram—are safeguarded by law.
They are protected from and may resist illegal interventions against personal information.
Decree No. 56/2017/NĐ-CP, issued by the Government on May 9, 2017, serves as Vietnam's first legal framework defining "private information of children." This decree outlines various types of sensitive information, including a child's name, age, health status, personal images, family details, contact information, and educational background. It emphasizes the importance of safeguarding children's privacy by detailing what constitutes their private information.
As a part of children’s privacy, their personal data in an online environment must be legally protected. Children’s personal data protection is referred to in the 2006 Law on
The 2015 Law on Network Information Security and the 2018 Law on Cybersecurity underscore the importance of children's rights to personal information confidentiality. These laws outline the responsibilities of organizations, parents, teachers, and other relevant individuals in safeguarding these rights, ensuring a comprehensive approach to protecting children's privacy in the digital age.
Decree 56 which extends greater protection of children’s personal information in a virtual environment, and Decree 13 which elaborates on the requirements for processing children’s personal data, in light of the emerging categories of personal data that have surfaced in the digital age such as digital account information or personal data that reflects activities and activity history in cyberspace of children.
Article 21 the 2016 Law on Children.
Article 73 the 2006 Law on Information Technology.
See: Clause 2, Article 16; Article 19 the 2015 Law on Network Information Security.
Article 29 the 2018 Law on Cybersecurity.
3.2.2 Specific provisions on children’s data protection
* Publication of children’s personal data
Decree 56 requires that those who seek to publish private information of a child on a network shall “obtain the consent of the child’s parent(s) or caregiver and the child himself/herself if he/she is full seven years or older, and ensure information safety for the child” as well as “employ measures and tools to ensure safety for private information of children and deliver warning messages when children provide or change their private information.” Parents, caregivers and children aged full seven years or older, and agencies, organizations and persons with child protection responsibility as prescribed by law have the right to request providers of services and persons operating in the Internet environment to remove private information of children to ensure safety and best interests of children.
* Principles for processing of children’s personal data
According to Decree 13, the processing of children’s data must comply with general principles set out in Article 3 and specific principles unique to children
The processing of personal data must adhere to key principles, including lawfulness, transparency, purpose limitation, data minimization, accuracy, integrity and confidentiality, storage limitation, and accountability. If personal data is processed for purposes beyond the consent provided by the data subject, they have the right to request deletion of their data. This is further emphasized in Clause 3, Article 20 of Decree 13, which mandates that the processing of children's personal data must cease and that such data should be permanently deleted or destroyed if processed for unintended purposes.
Clause 1, Article 36 Decree 56.
Clause 2, Article 36 Decree 56.
Article 20 emphasizes that the processing of children's data must prioritize their rights and best interests, in line with the UN Convention on the Rights of the Child (UNCRC) and Vietnamese legal frameworks, including the 2016 Law on Children and Decree 56. As a UNCRC member, Vietnam mandates that children's best interests be central to all decisions affecting them. Consequently, any processing of children's personal data must be conducted in a way that safeguards their rights and welfare, ensuring that it does not negatively impact them.
* Consent as a prerequisite to processing of children’s personal data
Under Article 9 of Decree 13, children as Data Subjects possess rights related to consent, including the ability to give and withdraw consent. Article 20 specifies that the processing of a child's personal data requires consent if the child is seven years old or older, alongside the consent of their parents or guardians, with exceptions noted in Article 17. Importantly, Decree 13 has a broader application than Decree 56, which only mandates consent for publication; it extends the consent requirement to various activities affecting personal data, such as collection, storage, sharing, and deletion.
Moreover, the processing of children’s personal data necessitates the consent of two subjects: (i) the children themselves; and (ii) their parents or guardians. Firstly, children
Clause 3, Article 5 the 2016 Law on Children.
See: Clause 1, Article 24; Clause 3, Article 35; Clause 3, Article 36; etc. Decree 56.
See: Clause 7, Article 2; Clause 1, Article 11 Decree 13.
According to Clause 7, Article 2 of Decree 13, children aged seven and above can independently consent to the processing of their personal data, granting them autonomy over how their information is handled. However, the Personal Data Controller, Processor, and Third Parties must verify the age of these children to ensure they meet the age threshold for consent. Additionally, due to children's vulnerability regarding their mental, physical, and legal capacities, parental or guardian consent is required for the collection, storage, and use of their personal data. This requirement is crucial for protecting children's rights and interests, ensuring that responsible adults make informed decisions on their behalf.
* Cessation of the processing of children’s personal data
According to Article 20 of Decree 13, the processing of children's personal data must be ceased, irretrievably erased, or destroyed under specific circumstances: when the processing is completed for the purpose consented to by the data subject, when a parent or guardian withdraws consent, or at the request of a competent authority if the processing threatens the child's legitimate rights and interests. Notably, Vietnamese law presumes that children cannot independently withdraw consent, making the cessation of data processing reliant on the actions of parents or guardians.
3.2.3 Assessment of the legal framework for children’s data protection
Vietnam has made notable progress in recognizing the importance of children's data protection, as evidenced by legal provisions in fundamental documents and participation in international forums focused on children's rights. This reflects the government's commitment to safeguarding children's privacy in the digital age. However, the current legal framework for children's data protection in Vietnam still faces limitations, ambiguities, and inconsistencies.
Firstly, the current regulations on children’s consent have yet to cover all children in different age groups.
According to the 2016 Law on Children, a child is defined as any individual under the age of sixteen, which means that the term "children" applies to all persons legally considered under this age. Additionally, Clause 2 of Article 20 of Decree 13 provides further regulations regarding the rights and protections of children.
The processing of a child's personal data requires consent if the child is seven years old or older, along with parental or guardian consent, except in specific cases outlined in Article 17 of the Decree. Additionally, Decree 56 prohibits the announcement or disclosure of a child's private information without the consent of the child, if they are seven or older, or without the consent of their parent or guardian.
When processing personal data of children aged seven to under sixteen, consent is required from both the children and their parents or guardians. However, it is unclear whether consent is necessary for the processing of personal data concerning children under seven years old, as indicated in Clause 2, Article 6.
In cases where it is impossible to apply analogy of law as prescribed in Clause 1 of this Article, basic principles of civil law provided for in Article 3 of this Code, case law, and justice shall apply.
Recommendations for improving children’s data protection in Vietnam
3.3.1 Recommendations for improving the legal framework for children’s data protection
Firstly, children’s personal data protection should be governed by a law promulgated by the National Assembly.
Current regulations on personal data protection in Vietnam are found in several legal documents, including Decree 56 and Decree 13. Although these decrees are the most detailed instruments regarding personal data protection, they lack the legislative authority of laws passed by the National Assembly. In the context of safeguarding children's privacy rights in the digital age, it is crucial to enhance the legal framework to ensure stronger protection and compliance.
Trong Dat, TikTok bị xử lý ra sao với các sai phạm tại Việt Nam? [How TikTok is handled with violations in Vietnam?], Vietnamnet, October 5, 2023, available at: TikTok bị xử lý ra sao với các sai phạm tại Việt Nam?
Vietnam's regulatory framework for children's data protection highlights the importance placed on this issue by top governance authorities. The introduction of a specific law reflects Vietnam's dedication to adhering to international standards established by the UN Convention on the Rights of the Child (UNCRC) and implementing best practices in safeguarding children's data.
The introduction of a personal data protection law does not render Decree 13 obsolete; rather, it enhances and clarifies existing gaps while providing detailed guidance for its implementation. Consequently, Decree 13 can be revised to include specific guidelines and measures that align with the new law, especially regarding the protection of children's personal data.
Secondly, clarifying the circumstances where children’s personal data can be processed without their consent and consent from their parents or guardians.
Article 14 of the 2013 Constitution states that: “Human rights and citizens’ rights may not be limited unless prescribed by a law solely in case of necessity for reasons of national defense, national security, social order and safety, social morality and community well-being.”
Children's rights, particularly their right to privacy, can only be restricted as outlined by law. Any limitations on children's ability to consent regarding their personal data must be established by legislation rather than by mere by-laws.
Thirdly, clarifying the scope of that law on personal data protection to avoid overlap with that of other relevant laws.
The 2018 Law on Cybersecurity emphasizes safeguarding national security and public order in cyberspace, outlining the responsibilities of organizations and individuals This legislation primarily regulates cyber activities, particularly the handling of personal data that affects national security and social stability, thereby focusing exclusively on the processing of personal data within the public sector.
The 2018 Law on Cybersecurity establishes comprehensive regulations for personal data protection, applicable to agencies, organizations, and individuals in both the public and private sectors.
The regulations outlined in this personal data protection law are fundamentally based on the recognition of the right to privacy, aligning with similar laws in other countries, rather than being primarily focused on national security or maintaining social order and safety.
Fourthly, clarifying the requirements for the processing of personal data concerning children under the age of seven.
Current regulations address the processing of personal data for children aged seven to under sixteen but do not explicitly cover those under seven. Consequently, it can be inferred that the same legal principles applicable to civil transactions involving younger children would also govern the processing of their personal data.
The absence of clear guidelines for handling personal data of children under seven creates challenges for organizations and data processors, leading to inconsistent practices and varying levels of privacy protection. Relying on legal analogies fails to adequately address the unique vulnerabilities of very young children, as data processing involves complex technological and ethical considerations. Therefore, it is crucial for policymakers to develop comprehensive regulations specifically targeting the processing of personal data for children under seven. These regulations should be crafted through stakeholder consultation and informed by best practices in children's data protection to effectively safeguard their privacy rights in Vietnam, including amending children's rights to withdraw consent for data processing.
Under Decree 13, children aged seven and older can consent to data processing with their parents or guardians, but they cannot independently withdraw this consent later on. This situation highlights concerns regarding children's autonomy over their personal information, as they may initially consent without fully understanding the risks involved. As children mature and become more aware of data protection issues, they should have the right to reassess their consent and request the termination of data processing if they choose to do so.
International standards like GDPR highlight that children deserve the same rights as adults regarding their personal data, including the ability to give and withdraw consent. Empowering children with these rights enhances their privacy and autonomy while fostering a culture of data protection from a young age. By enabling informed decisions about personal information, Vietnam can strengthen privacy rights and create a more transparent and accountable data processing environment.
Sixthly, specifying the regulation on the requirements for privacy notices provided to children.
Under the GDPR, data processors are required to inform data subjects about the processing of their personal data as outlined in Article 13. Specifically, when communicating this information to children, it must be presented in a concise and understandable manner.
Article 13(1) GDPR.
transparent, intelligible and easily accessible form, using clear and plain language” so that children can easily understand it.
In Vietnam, Decree 13 emphasizes children's rights to be informed about the processing of their personal data. To ensure comprehension, Personal Data Controllers and Processors must present privacy information in an engaging manner suitable for children's age levels. This can involve creating child-friendly versions of privacy policies, one with essential information and another with more detailed content, to cater to varying levels of understanding.
3.3.2 Recommendations for improving the implementation of provisions on children’s data protection
First, equipping children and parents with the knowledge and skills needed to safeguard children’s personal data.
Decision 830 establishes a national program for online child protection, aiming to equip children with age-appropriate knowledge and skills to safeguard their personal data while navigating the internet. Given that the current Informatics curriculum lacks sufficient and coherent information on personal data protection, there is an urgent need to revamp this education. By focusing on age-appropriate data protection knowledge, children from primary school onwards can develop a foundational understanding of this critical issue.