Page 154 - ISC PROCEEDINGS 21.4

This paper aims to clarify both theoretical and practical issues related to personal
                  data protection and propose solutions to improve the legal framework and enhance the
                  protection of individual rights in the digital environment. The study may also serve as a
                  reference for policymakers, regulatory authorities, and businesses in fulfilling their
                  obligations to protect citizens’ personal data.
                        2. Research methodology
                        This study employs two main research methods: legal analysis (Frankenreiter &
                  Livermore, 2020; Korobkin, 2002) and comparative legal analysis (Michaels, 2006; Samuel,
                  2014). Rather than being stated as a mere formality, these methods are applied
                  to specific legal questions concerning the design and enforceability of personal data
                  protection rules in business activities.
                        First, the legal analysis method is used to examine Vietnam’s current legal
                  framework governing personal data protection in business (Điện, 2006). The analysis
                  focuses on the constitutional and civil-law foundations of privacy rights, the dedicated
                  Law on Personal Data Protection 2025, and related legislation concerning cybersecurity,
                  consumer protection, and electronic transactions. Rather than merely listing legal
                  instruments, the analysis is organized around five legal dimensions: (i) the scope and
                  definition of personal data; (ii) the rights of data subjects; (iii) the obligations of
                  businesses and other data-processing entities; (iv) enforcement and supervisory
                  mechanisms; and (v) sanctions for violations. This structure allows the paper to identify
                  whether the legal framework is coherent in substance and workable in practice.
                        Second, the comparative legal method is used to evaluate selected foreign models
                  of personal data protection and their relevance to Vietnam. The jurisdictions chosen for
                  comparison are the European Union, the United States, Japan, Singapore, and South
                  Korea. These systems were selected because they represent different regulatory models.
                  The EU reflects a comprehensive and rights-based model; the United States represents a
                  sectoral and fragmented model; Japan and Singapore illustrate Asian frameworks that
                  combine consent-based governance with compliance-oriented regulation; and South
                  Korea offers an example of a strong and relatively strict data protection regime in Asia.
                  The comparative analysis is conducted according to the same five criteria used for the
                  Vietnamese framework, namely scope, rights, obligations, enforcement, and sanctions.
                  This allows the study to move beyond descriptive overview and derive lessons that are
                  specifically relevant to the Vietnamese context.
                        3. Research findings
                        3.1 International legal experiences in personal data protection
                        United States: The United States does not have a comprehensive federal law on
                  personal data protection. Instead, regulations apply to specific sectors (Boyne, 2018),
                  such as healthcare data protection, educational information protection, financial data
                  protection, and protection of personal information of children under 13. California
                  pioneered the California Consumer Privacy Act (CCPA), which grants consumers rights
                  such as knowing what data is collected, requesting deletion, and opting out of the sale of
                  personal data (Illman & Temple, 2019).
                        European Union: The General Data Protection Regulation (GDPR) is considered the
                  most comprehensive and strict regulation on personal data protection globally (Hoofnagle
                  et al., 2019). It applies to all organizations processing personal data of EU residents
                  regardless of location. Data subject rights include access, rectification, erasure, restriction



