By Nga Dao
The first half of 2023 has witnessed some key developments in Vietnam’s data privacy legislation. These include, in particular, the issuance of the first-ever decree on personal data protection (Decree 13/2023/ND-CP or PDPD) in April and the adoption of the Law on E-Transactions and Law on Consumers’ Right Protection in June, both of which contain new provisions aimed at enhancing the protection of users’ data in the online environment. This is a snapshot of new data privacy requirements for online service providers from the consumers’ perspective.
Consent is the key principle and primary legal basis for personal data processing under the PDPD. Article 9 of the PDPD provides for the data subject’s right to consent and Article 11 states clearly that a data subject must voluntarily consent and be aware of:
- The type of data to be processed;
- The purpose of personal data processing;
- The organizations and individuals authorized to process personal data; and
- His/her own rights and obligations.
The Law on E-Transactions requires all agencies, organizations, and individuals involved in e-transactions to comply with the legislation on cybersecurity and online information security, including the PDPD. Meanwhile, under the Law on Consumers’ Right Protection, a business entity shall have to acquire consumers’ consent in the following cases:
- Collecting, storing, using, modifying, updating, or annulling consumers’ information by itself or an authorized third party.
- Changing the purpose or scope of the use of consumers’ information.
- Sharing, disclosing, or transferring consumers’ information to a third party, or using consumers’ information for advertisement or other commercial activities, unless otherwise provided for by law.
It should be noted that consumers’ information is defined to include both personal and non-personal data.
The PDPD sets out 8 principles for personal data protection:
- Personal data shall be processed in accordance with the provisions of the law;
- The data subject shall know about activities related to the processing of his/her personal data, unless otherwise provided for by law;
- Personal data shall be processed for the purposes already registered and declared by the personal data controller, personal data processor, personal data controller-cum-processor, and third party on personal data processing;
- Personal data collected must be appropriate and limited to the scope and purpose of data processing. Personal data may not be purchased or sold in any form, unless otherwise provided for by law;
- Personal data shall be updated and supplemented according to the purpose of the processing;
- Personal data shall be subject to protection and security measures during processing, including protection against violations of the regulations on personal data protection and prevention of loss, destruction, or damage caused by incidents, using technical measures;
- Personal data shall be stored for a period of time corresponding to the purpose of data processing, unless otherwise provided for by law;
- The data controller and the data controller-cum-processor shall comply with the above-mentioned data processing principles and prove their compliance with these principles.
Meanwhile, the Law on Consumers’ Right Protection requires business organizations and individuals that collect, store, and use consumers’ information to formulate and publish rules on consumers’ information protection. Such rules must cover the purpose of collecting information, scope of using information, information retention period, security and privacy measures. Business entities shall have to prevent the stealing, illegal access, use, modification, update, or annulment of consumers’ information as well as to receive and handle consumers’ reports, requests, or complaints regarding the illegal collection or use of their information. They are also required to respond to consumers’ requests and destroy consumers’ information when the retention period expires.
The Law on E-Transactions also prohibits the collection, provision, use, disclosure, display, and trading of data messages in contravention of the law.
Notification of personal data processing is a requirement under the PDPD. Accordingly, before conducting data processing, the concerned organizations or individuals shall have to notify data subjects of the following:
- The processing purpose
- The type of personal data used that is related to the processing purpose
- The processing method
- Information on other organizations and individuals related to the processing purpose
- Potential unintended consequences or damages
- The starting and ending time of data processing.
The PDPD also requires that such privacy notices be issued in a printable or duplicative format, including an electronic format or a format that can be verified.
Meanwhile, according to the Law on Consumers’ Right Protection, consumers shall be notified of the purpose and scope of collecting and using their information as well as the information retention period. In case of a change in the purpose or scope of collecting and using consumers’ information, the concerned online service providers shall notify the consumers before making such a change.
In summary, consumers may get better protection in the online environment thanks to the above-mentioned regulations, but online service providers may feel that the extra operational burden for them is disagreeable. Given that the Law on E-Transactions and the Law on Consumers’ Right Protection are still waiting for their guiding decrees and won’t take effect until July 1st, 2024, now is the time for digital platforms to review and update their privacy policies and notices based on the new requirements while monitoring relevant regulatory developments and preparing for full compliance with the new legislation in the near future.
 Consumers are defined as people who purchase, use products, goods, services for consumption, daily-life purposes and not for commercial purposes (Article 3.1 of the Law on Consumers’ Right Protection)
 Article 5 of the Law on E-Transactions
 Articles 15.2, 18.1, 18.4 of the Law on Consumers’ Right Protection
 Article 3 of the Law on Consumers’ Right Protection stipulates: “Consumers’ information includes personal information of consumers, information on the process of buying, using products, goods, services of consumers and other information related to the transactions between consumers and business organizations, individuals.”
 Article 3 of Decree 13/2023/ND-CP
 Article 16 of the Law on Consumers’ Right Protection
 Article 20 of the Law on Consumers’ Right Protection
 Articles 5 & 6 of the Law on E-Transactions
 Article 13 of Decree 13/2023/ND-CP
 Articles 17, 18 of the Law on Consumers’ Right Protection