Responsibilities of business entities in consumer information protection under Vietnam’s current legislation
This article analyzes current regulations on responsibilities of business organizations and individuals in consumer information protection and proposes recommendations for improvement of these regulations.


Nguyen Van Cuong, LL.D.

Director of the Institute of Legal Science, Ministry of Justice

Introduction

In goods trading and service provision transactions between business entities and consumers, the collection of consumer information, particularly personal information, has become a common practice of business organizations and individuals. In many cases, especially in e-commerce transactions, collection of consumer information, e.g., personally identifiable information (full name, phone number, contact address, etc.), is required for the transactions to take place. However, this makes consumers worry about the risk of leakage or use of personal information for purposes that are not beneficial to them. In fact, there have been quite a few cases in which consumer information collected by business entities has been disclosed, leaked or illegally exploited for purposes not expected by consumers.

The above-mentioned situation points to the need to adjust legal provisions regulating acts of collecting and processing consumer information, particularly personal information, in order to consolidate consumers’ confidence in law and the legal order on the consumer goods and service market.

Current law on responsibilities of business entities in consumer information protection

As early as 2010 when the Law on Protection of Consumer Rights was enacted, the issue of protecting consumer information was raised. Article 6 of the Law states: “A consumer may have his information kept secure and confidential when entering into transactions or using goods or services, except cases of provision of such information upon request by a competent state agency.” It is also stated that in case of collecting, using and transferring consumer information, goods and service traders must clearly and publicly notify in advance consumers of the purpose(s) of collection and use of the information. In addition, the traders have to obtain consumers’ consent before using the information and must use the information for the very purpose(s) notified to consumers. In addition, traders must ensure security, accuracy and completeness of consumer information during collection, use and transfer. They are also responsible for updating and correcting inaccurate customer information by themselves or taking measures to enable consumers to do so. Transfer of consumer information to third parties may be conducted only after getting consumers’ consent, unless otherwise provided by law.

In the field of e-commerce, Government Decree 52/2013/ND-CP issued on May 16, 2013, on e-commerce (Decree 52)[2], has paid special attention to the matter of protecting consumers’ personal information. The provisions of Articles 68 thru 73, not to mention others, have relatively specifically defined the responsibility to protect consumers’ personal information. Accordingly, in the process of conducting e-commerce business, traders, organizations and individuals collecting consumers’ personal information (information collection units) must comply with provisions of Decree 52 and relevant regulations regarding personal information protection[3]. Information collection units are also required to formulate and publish personal information protection policies and have such policies clearly displayed to consumers before or at the time of information collection. If collecting information via their e-commerce websites, information collection units must publicly display personal information protection policies at a noticeable position on these websites[4].

Inside a Lotte Mart in Can Tho city. Photo: Thanh Liem/VNA

In addition, Article 70 (except Clause 4) of Decree 52 stipulates the obligation to obtain permission of consumers before collecting their personal information. Accordingly, information collection units that collect and use consumers’ personal information on e-commerce websites are required to obtain the prior consent of the consumers owning such information (information subjects). However, such requirement, as mentioned in Article 70.4, is not applicable in case information collection units (i) collect personal information already publicly announced on e-commerce websites; (ii) collect personal information to serve the signing or performance of goods trading and service provision contracts; or (iii) collect personal information for calculating prices and charges for using information, products and services in the cyber environment.

Article 71 of Decree 52 states that information collection units must use consumers’ personal information according to the notified purposes and scope, with some exceptions. The use of information referred to in this Article also covers the sharing, disclosure and transfer of personal information to third parties. According to Article 72, information collection units must ensure the security of personal information they collect and store, and must prevent acts of stealing and illegally accessing, using, changing and destroying information. Article 73, meanwhile, provides for consumers’ rights to check, update and modify personal information, empowering information subjects to request information collection units to check, update, modify or cancel the former’s personal information. For their part, information collection units are obliged to check, update, modify and cancel personal information of information subjects upon request or provide the information subjects with tools to do so.

In case goods and service traders collect, use and transfer consumer information in contravention of the above regulations, they will be sanctioned under Decree 98 issued in 2020, on the sanctioning of administrative violations in commercial activities, production and trading of counterfeit and prohibited goods and protection of consumer rights. Article 46 of Decree 98 sets a fine of VND 10-20 million for one of the following violations:

- Failing to clearly and publicly inform consumers of the purposes of information collection and use before collecting and using their information;

- Using consumer information not for the purposes notified to consumers without their consent;

- Failing to ensure security, accuracy and completeness of consumer information upon collection, use and transfer;

- Failing to adjust or take measures to enable consumers to update and adjust inaccurate information; and,

- Transferring consumer information to third parties without the consumers’ consent, unless otherwise provided for by law.

For cases in which the information is classified as personal secrets of consumers, the violators may face a fine doubling the above level.

However, when applying the above provisions, it is necessary to refer to the Law on Cyberinformation Security (the LCS), which had been issued previously in 2015. Article 3 of the LCS defines “personal information” as “information associated with the identification of a particular person”. Meanwhile, the term “subject of personal information” is interpreted as “a person identified from such personal information”; and the term “processing of personal information” can be understood as “the performance of one or several operation(s) of collecting, editing, using, storing, providing, sharing and spreading personal information in the cyberspace for commercial purposes”. Under Article 7, the acts of illegally collecting, using, spreading and trading in others’ personal information; and taking advantage of loopholes and weaknesses of information systems to collect and exploit personal information are prohibited.

According to Article 16 of the LCS, organizations and individuals that process personal information are responsible for ensuring security for information they process and must formulate and publicly announce their measures to process and protect personal information. Article 17 states that organizations and individuals that process personal information will collect personal information after obtaining the consent of the information subjects regarding the scope and purpose of collecting and using such information, and may use the collected personal information for purposes other than initial ones only after obtaining the consent of the information subjects. They must refrain from providing, sharing or spreading personal information they have collected, accessed or controlled to third parties, unless they get the consent of the information subjects or upon request of competent state agencies. Information subjects have the right to request organizations and individuals that process personal information to provide the personal information they have collected and stored.

The launching ceremony of the “E-Commerce Week” and “Online Friday 2022” in Hanoi on November 28. Photo: Tran Viet/VNA

Meanwhile, Article 18 empowers information subjects to request organizations and individuals that process personal information to update, modify or cancel the personal information collected and stored by the latter or to stop providing the former’s personal information to third parties. Upon receiving such request, organizations and individuals that process personal information have to execute the request and notify the information subjects or provide the information subjects with the right to access information in order to update, modify or cancel their personal information by themselves. Entities processing personal information also have to take appropriate measures to protect personal information and notify the information subjects in case they cannot execute the request due to technical or other factors. Particularly, organizations and individuals processing personal information must destroy the stored personal information when the use purpose has been completed or the storage period has expired and notify such to the information subjects, unless otherwise provided by law.

The LCS also defines the responsibility to ensure security of personal information in the cyberspace, requiring organizations and individuals that process personal information to apply appropriate managerial and technical measures to protect personal information they have collected and stored and to comply with standards and technical regulations on cyberinformation security assurance. When cyberinformation security incidents occur or threaten to occur, these organizations and individuals should apply remedial and preventive measures as soon as possible[5].

Personal information protection is also provided in Government Decree 15 of February 3, 2020, on sanctioning of administrative violations in the fields of post, telecommunications, radio frequency, information technology and e-transactions, which covers the sanctioning of administrative violations for acts of violating the regulations on personal information protection. Specifically, according to Article 84, violations of the regulations on collection and use of personal information will be sanctioned as follows:

1. A fine of between VND 10 million and VND 20 million shall be imposed on one of the following acts:

a/ Collecting personal information without the consent of the subject of personal information regarding the scope and purpose(s) of the collection and use of information;

b/ Providing personal information to a third party when the subject of personal information has requested the termination of information provision.

2. A fine of between VND 20 million and VND 30 million shall be imposed on one of the following acts:

a/ Using personal information for purposes against those agreed upon collection of information or without the consent of the subject of personal information;

b/ Providing or sharing or spreading personal information collected, accessed or controlled to a third party without the consent of the subject of personal information;

c/ Illegally collecting, using, spreading or trading in personal information of others.

3. Remedial measures: forcible destruction of personal information due to commission of the violations specified at Point b, Clause 1, and Points b and c, Clause 2, of this Article.

According to Article 85 of Decree 15, violations of regulations on updating, modification and destruction of personal information will be sanctioned as follows:

1. A fine of between VND 10 million and VND 20 million shall be imposed on the act of failing to notify the subject of personal information after destroying stored personal information or failing to take appropriate measures to protect personal information due to technical factors.

2. A fine of between VND 20 million and VND 30 million shall be imposed on one of the following acts:

a/ Failing to update, modify or destroy stored personal information at the request of the subject of personal information or failing to provide the subject of personal information with the right to access his/her personal information for him/her to update, modify or destroy the information by himself/herself;

b/ Failing to destroy stored personal information when the use purpose has been fulfilled or the storage period expires.

3. A fine of between VND 30 million and VND 50 million shall be imposed on the act of failing to apply managerial or technical measures as prescribed to protect personal information.

Analyses and comments

When referring to the above-mentioned regulations to determine responsibilities of business organizations and individuals in protecting consumer information, it is found that there are quite sufficient provisions to handle violations of the law on protection of consumer information. For example, based on the current regulations, it is possible to somewhat determine which information items are included in “consumer’s personal information”. On the basis of the definition of “personal information” in the LCS and the 2010 Law on Protection of Consumer Rights, “consumer’s personal information” may be determined as “information associated with the identification of a particular individual consumer”. Pursuant to this provision, along with Article 3.13 of Decree 52, consumer’s personal information can be clearly determined to be composed of such information items as name, age, home address, phone number, medical information, bank account number, etc. The current regulations also enable the determination of the obligations of business organizations and individuals when collecting and using consumer’s personal information, e.g., the obligation to abide by law, the obligation to seek the consent of consumers before collecting information, the obligation to secure the safety of the collected information, the obligation to use the information for the purpose(s) as committed/announced, the obligation to ensure the accuracy and updating of personal information, and the obligation to respect the rights of consumers with respect to their personal information, etc. In addition, based on the current regulations, it is possible to clearly define the legal liability of business organizations and individuals when violating regulations on protection of consumer information, especially violations of regulations on protection of consumer’s personal information.

However, the current regulations still reveal inadequacies which can be seen in the following aspects:

Firstly, regulations on obligations/responsibilities of business organizations and individuals in protecting consumer information are scattered in different legal documents, while it is not easy to determine the relationship as well as the order of priority in application of these legal documents.

Secondly, there is no official legal document explaining which information items are included in “consumer information”. After analyzing current legal provisions, especially the above-mentioned ones, it can be said that consumer information includes first of all consumer’s personal information. However, consumer information certainly does not stop at “consumer’s personal information”. So, the question here is besides “consumer’s personal information”, what are other items of information that constitute consumer information? This issue has not yet been regulated by law.

Thirdly, the interpretation of the term “consumer’s personal information” varies among legal documents. The LCS just broadly defines “personal information” as “information associated with the identification of a specific person” (regardless of whether or not that person has self-disclosed such information). Meanwhile, Article 3 of Decree 52 explains “personal information” as “information that contributes to the identification of a particular natural person, including his/her name, age, home address, telephone number, medical information, bank account number, information about personal payment transactions and other information that person wishes to keep confidential.” However, Article 3 of Decree 52 also stipulates that “personal information referred to in this Decree of a person does not include business contact information and information that person has himself/herself published in the media”. In addition, the current law still fails to fully classify consumer’s personal information based on the sensitivity of each type of information. For instance, health information of a person is extremely different from information on his/her name and address and personal information of children differ from that of adults.

Fourthly, inconsistencies are also revealed in the wording of legal documents with regard to acts of business organizations and individuals that affect “consumer’s personal information”. The LCS uses the phrase “processing personal information” to refer to the acts of “collecting, editing, using, storing, providing, sharing, and distributing personal information” (Article 3.17), while Decree 52 uses the phrases “collecting, using and storing personal information” and, noteworthily, under Decree 52, “using personal information” covers also “sharing, disclosing and transferring personal information”.

Fifthly, the scope of application of the provisions on protection of consumer’s personal information in the 2010 Law on Protection of Consumer Rights covers both physical environment and cyberspace, while the LCS’s provisions on protection of personal information apply only to activities in the cyberspace.

Sixthly, there remain differences between Decree 15 of 2020 and Decree 98 of 2020 in descriptions of violations of regulations on protection of consumers’ personal information that are subject to fines and the fine level applicable to each violation. Moreover, compared to other countries, the fines under Vietnam’s law are still quite light.

Recommendations

For the time being, competent authorities are considering revision of the 2010 Law on Protection of Consumer Rights with a view to meeting requirements for protecting consumer rights against the backdrop of strong development of e-commerce and digital economy. This is a very good legislative opportunity to redress shortcomings of current regulations on responsibilities of business organizations and individuals in protecting consumer information.

First of all, it is necessary to determine and clearly define the relationship among, and the order of priority in applying, regulations on obligations/responsibilities of business organizations and individuals in protecting consumer information that exist in many different legal documents. The application of merely Article 156 of the 2015 Law on Promulgation of Legal Documents (revised in 2020) to handle this case is not really satisfactory[6]. The Law on Protection of Consumer Rights’ provisions on protection of consumer’s personal information should be regarded as specialized regulations and, therefore, take precedence over general regulations on protection of personal information.

Second, the Law on Protection of Consumer Rights should give an official explanation of which information items are included in “consumer information”. It must be once again affirmed that “consumer information” primarily includes consumer’s personal information; however, it is not limited to “consumer’s personal information” but also covers other information. Then, the Law should explicitly interpret the term “consumer’s personal information” so as to ensure a consistent understanding of the term when its guiding texts are later promulgated and applied. And not less importantly, such interpretation may be more detailed than, but should be consistent with, the definition of “personal information” in the LCS.

Third, the Law on Protection of Consumer Rights should use the phrase “processing personal information” to indicate the acts of “collecting, editing, using, storing, providing, sharing, and spreading consumer’s personal information”. This phrase, which has already appeared in the LCS, is used quite commonly in international regulations on consumer protection as well as personal information protection. In addition, the Law should provide different levels of legal liability for different types of consumer’s personal information, depending on the sensitivity of the information, and, at the same time, attach more importance to the protection of personal information of minors, especially children.

Fourth, it is necessary to stipulate that the Law on Protection of Consumer Rights’ provisions on protection of consumer’s personal information will apply to the organizations and individuals doing business in both real space and cyberspace.

Last but not least, stricter sanctions should be imposed on business organizations and individuals that violate regulations on protection of consumer’s personal information, along with taking into consideration civil and criminal penalties, so as to soon establish order and discipline in the consumer goods and service market to ensure its sustainable development in Vietnam against the backdrop of blossoming of e-commerce and digital economy under the impacts of the Fourth Industrial Revolution.



[1] This article is part of the outcomes of the national-level independent research theme titled “Improving socialist-oriented market economy institutions under the impact of Industry 4.0: Fundamental legal issues” (Code: DTDL _XH-03/21).
[2] Amended by Government Decree 85/2021/ND-CP of September 25, 2021.
[3] Article 68 of Decree 52.
[4] Article 69 of Decree 52.
[5] Article 19 of the LCS.
[6] Article 156. Application of legal documents
1. Legal documents shall apply from the time they come into force. Legal documents shall apply to acts which are committed at the time such documents are effective. In case a legal document’s provisions have retrospective effect, these provisions shall apply.
2. In case legal documents contain different provisions on a single issue, the document of higher legal effect shall apply.
3. In case various legal documents promulgated by the same agency contain different provisions on a single issue, the document that is promulgated later shall apply.
….
