In the digital age, customers’ information has become the ultimate weapon accelerating an enterprise’s competitiveness. Through the act of collecting, archiving and analyzing the pool of customers’ data, enterprises can learn the customers’ demands and shopping habits to improve their services, develop relationships with the customers as well as identify new business opportunities.
In fact, besides enterprises which use customers’ information to enhance their services and take care of their customers, there are a lot of enterprises which sell their customers’ information for benefits. The fact that customers’ personal information is being illegally disclosed, stolen and made into goods for selling ubiquitously on the internet poses many potential risks for the customers. Consequentially, the protection of personal information in general and consumers’ information, in particular, has become one of the most burning issues that need to be taken into account.
Therefore, by this article, the author will briefly discuss the regulations of Vietnamese laws regarding the protection of consumers’ information.
1. Consumers’ information
Consumers’ information includes information about names, ages, contact addresses, phone numbers, credit card numbers or information on payment transactions that has been collected by enterprises through the sale of goods, provision of services or market surveys conducted by the enterprises. Such information is considered personal information because it is connected with the identification of a particular customer and is an important, commercially valuable source of data that can be utilized by enterprises for advertising, marketing, broadcasting and other customer care activities.
In general, all enterprises want their customers to provide as much information as possible, making it easier for them to consult and introduce appropriate products. However, when sharing their personal information, almost every customer fears that their information will be leaked and their right to privacy, hence, will be invaded. As a result, to ensure their right to privacy will not be violated, every customer wants to know why their personal information is being collected, as well as how it will be archived and used.
2. Regulations on the protection of consumers’ information
At the moment, Vietnamese regulations on the protection of consumers’ information are not concentrated in a specific law but are scattered in many different specialized statutory texts. In particular, the protection of consumers’ information is provided in Article 6 of the Law on the Protection of Consumers’ rights 2010. This provision acknowledges that consumers’ information will be kept safe and secret when they engage in transactions, purchase goods or use services unless otherwise requested by competent agencies. In case business organizations or individuals collect, use, or transfer consumers’ information, they have to perform their responsibilities to: (a) Clearly and publicly notify the consumers in advance of the purpose of collecting and using such information; (b) Use the information in accordance with purposes notified to the consumers after obtaining their consent; (c) Ensure safety, accuracy and completeness when collecting, using, transferring consumers’ information; (d) Take initiative in updating and amending information on discovery that it is inaccurate, or take measures to enable consumers to update and amend such information; (dd) Only transfer consumers’ information to a third party when the consumers consent, unless otherwise required in other laws.
In the field of credit and banking, the duty to ensure information confidentiality and not provide information about any customer’s account, deposits, assets and transactions is enumerated in Article 14 of the Law on Credit Institutions 2010.
As regards the field of e-commerce, Decree No. 52/2013/ND-CP on e-commerce has set forth many important provisions on the protection of consumers’ personal information in chapter 5 – safety and security in e-commerce transactions. This Decree has also contributed to produce a fairly comprehensive definition for the term “personal information” and this is the first time the phrase “information subject” (or data subject), which has existed in many countries’ personal information protection laws, is used.
Regulations on the protection of personal information safety continued to be perfected when the Law on Cyberinformation Security was passed in 2015. Accordingly, apart from joining forces with Decree No. 52/2013/ND-CP by introducing a definition for the term “information subject”, the Law on Cyberinformation Security also offered principles of protecting personal information in cyberspace (Article 16), requirements for the collection, use, updating, amendment and cancellation of personal information (Article 17 and Article 18), requirements of security assurance for personal information in cyberspace (Article 19) and responsibilities of state management agencies in protecting personal information in cyberspace (Article 20).
Moreover, the issue of protecting personal information and the right to privacy have also been acknowledged in the Civil Code 2015. Correspondingly, Article 38 of the Civil Code 2015 stipulates that “private life, personal privacy and family privacy are inviolable and protected by law” and the collection, storage, use or publication of such information must be approved by the information subject and their family.
In addition, Vietnamese laws have also issued certain sanctions against violation of personal information confidentiality in general and consumers’ information in particular. Accordingly, in Article 84 of Decree No. 15/2020/ND-CP on penalties for administrative violations in the field of posts, telecommunications, radio frequency, information technology and e-commerce transactions, the maximum administrative penalty for violations in collecting and using personal information is 30.000.000 VND together with remedial measures – compulsory cancellation of personal information gained from wrongful conduct. Likewise, Decree No. 98/2020/ND-CP on penalties for administrative violations in commercial activities, production of, trading in counterfeit or banned goods and protection of consumers’ rights also provided for sanctions against violations in protecting personal information in e-commerce activities (Article 65) as well as sanctions against violations in protecting consumers’ information (Article 46).
Apart from administrative penalties, individuals and organizations engaging in violative acts towards personal data can also suffer criminal liabilities for the crimes of “Infringment upon another person’s secret information, mail, telephone, telegraph privacy or other means of private information exchange (Article 159 of the Criminal Code 2015)” or “Illegal provision or use of information on computer networks, telecommunications networks (Article 288 of the Criminal Code 2015)”.
3. Reality of consumers’ information protection in Vietnam
The crisis of trade-in customers’ personal information is particularly alarming in Vietnam when advertisements for customers’ data are popping up ubiquitously on the internet. Just type the keywords “buy customers’ data” into Google and no longer than a second later, thousands of advertisements with prices ranging from tens of thousands to hundreds of thousands dongs will appear (https://danhsachkhachhang.com, https://danhsachmoi.com, https://fulldata.org,…). Customers’ data is marketed under various service packages such as facebook customers lists; insurance, banking individual customers lists; mobifone-using customers lists;….and such sales are executed in the following main two ways:
On the one hand, enterprises will actively collect and store customers’ information to create a data pool and proceed to analyze and process this information to operate their businesses.
On the other hand, enterprises will collect the personal information of customers and let their partners access this information without having any solid regulations on preventing their partners from transferring or selling such information to yet other partners.
As we can see, although Vietnamese laws have issued some regulations in an effort to protect personal information, it seems that such regulations are not really effective, and the sanctions are not heavy enough to resolve this worrisome issue.
