Consent of personal data subjects in cyberspace

Personal data is an intangible asset associated with each individual’s identity. It seems to be one of the main objects collected and processed by businesses operating in the fields of e-commerce, banking, etc. Collection methods vary from traditional (on paper, orally, etc.) to non-traditional (through websites, electronic forms, etc.). Due to the importance of personal data in the digital technology environment, the law has gradually introduced strict regulations on personal data processing activities, such as Decree 13/2023/ND-CP and, most recently, the Draft Law on Personal Data Protection. The Draft Law on Personal Data Protection is expected to be commented on at the 9th session of the National Assembly in May 2025.(1) The premise for personal data processing activities is the consent of the personal data subject, and many issues surround that consent. One of them is whether the consent of the personal data subject given in an electronic environment is valid.

1. Consent of the personal data subject 

A prerequisite for the processing of personal data to be carried out is the “consent of the personal data subject” to the processing of personal data by the Personal Data Controller. The consent is considered to be valid when it meets the conditions of (i) form and (ii) content. 

a. Form: 

Decree 13/2023/ND-CP (hereinafter referred to as “Decree 13”) sets out binding formal conditions for the validity of the consent of personal data subjects. Accordingly, clause 3 Article 11 of Decree 13 stipulates the form of personal data subject consent: “The consent of the data subject must be clearly and specifically expressed in writing, voice, checking the consent box, consent syntax via text message, selecting technical consent settings or through another action that demonstrates this”. “Clearness” is further clarified by the Draft Law on Personal Data Protection in clause 4 Article 11 as “The consent of the data subject must be given by an affirmative action that creates a clear indication”. Accordingly, the personal data subject must take a specific action to express his/her consent. Vietnamese law lists specific ways of expressing the consent of personal data subjects, such as in writing, by voice, or by a consent box. Requiring clarity and specificity in the method of expressing the subject’s consent also further affirms that silence or non-response does not constitute consent.(2)

b. Content: 

The consent of the personal data subject is only valid when the data subject voluntarily and clearly knows the following contents:(3) 

  • Types of personal data processed; 
  • Purpose of processing personal data; 
  • Organizations and individuals whose personal data is processed; 
  • Rights and obligations of data subjects. 

In addition to the provision on “Consent of data subjects” in Article 11, Decree 13 has a separate provision on “Notification of personal data processing”. Accordingly, some contents that need to be notified to personal data subjects are stipulated in parallel in the provision on consent. It can be understood that the contents on (i) information of other organizations and individuals related to the processing purpose, (ii) consequences and unexpected damage that may occur, and (iii) the time to start and end data processing do not require the consent of the personal data subject.

However, the Personal Data Controller may publish these contents to the personal data subject and wait for the consent of the personal data subject. This will ensure that the Personal Data Controller receives the consent of the personal data subject and that the personal data subject can fully grasp the personal data processing activities of the Personal Data Controller.

The Draft Law on Personal Data Protection has a new additional provision compared to Decree 13, specifically in clause 3 Article 11: “There shall not be a condition requiring consent to transfer personal data of the data subject to other services that are not for the purpose of collection. The data subject has the right to refuse this condition”. This additional provision is reasonable, especially where the Personal Data Controller intentionally incorporates provisions that automatically give consent to the processing of personal data for many different purposes. As a result, a personal data subject who intends to agree to only one purpose is inadvertently “forced” to agree to many different purposes.

2. Consent of personal data subjects in electronic environment 

Users in the electronic environment seem to be familiar with e-commerce contract agreement methods such as “browse wrap” and “click wrap”. In essence, the Personal Data Processing Notice is considered a bilateral agreement: the Personal Data Controller notifies the personal data processing activities, and the personal data subject has the right to agree or disagree with them. We can therefore consider the validity of online Personal Data Processing Notices in the same way as that of an e-commerce contract.

a. Click-wrap method

Click-wrap is a method in which the terms and conditions are presented to the user, typically after launching an application. The user must click “I Agree” or “I Accept” to proceed with using the software or to finalize the agreement. This method exists in various forms, including (i) users must scroll through the entire content of the terms before they can click the acceptance button (as illustrated in Image 1); or (ii) the acceptance button is accompanied by a hyperlink to the full terms and conditions (as illustrated in Image 2).

Image 1 

 

Image 2 

The outstanding feature of this method is that it allows the personal data subject to “actively” express his/her consent by clicking the “I agree” button. Compared with the requirement on the form of expressing the consent of the personal data subject in Decree 13, the consent of the personal data subject is clearly expressed by the action of “ticking the consent box”. 

In addition, the law requires the data subject to “clearly know” the contents when agreeing. The click-wrap method in Image 1 is clear both in the data subject’s act of consent and in the Personal Data Controller’s presentation, which is sufficient for the personal data subject to clearly know the necessary contents. By contrast, the click-wrap method in Image 2 is not clear in the Personal Data Controller’s method of presentation. This raises a question: “Is the consent of the personal data subject legally effective if the data subject does not click on the link to read the contents of the notice?” In the author’s opinion, not knowing clearly or not reading the contents of the Notice depends on the subjective will of the personal data subject. As for the responsibility of the Personal Data Controller, it has fulfilled its notification obligation and the personal data subject has agreed to the contents presented by the Controller. Therefore, the consent of the personal data subject under the click-wrap method as shown in Image 2 will still be considered valid, even if the content is not really clear.

b. Browse-wrap method

The browse-wrap method is the method in which the user is taken to agree to all the terms when accessing or using the website, or by other methods. Usually, the terms are specified in a link placed at the bottom of the website. With the browse-wrap method, the user does not need to express his/her explicit consent. In addition, the content of the browse-wrap notice clearly states, “By accessing this website, the user has agreed to the terms and conditions below”. The most obvious difference between the click-wrap method and the browse-wrap method lies in the user’s consent. This leads to the browse-wrap method defaulting to “silence is considered consent”.

In contractual relations, the 2015 Civil Code regulates the acceptance of offers to enter into contracts: silence is not considered acceptance of an offer to enter into a contract, except where the parties have so agreed or where it is in accordance with transaction habits.(4) This is reaffirmed in Decree 13, according to which silence or non-response of the data subject is not considered consent.(5) Consequently, under current legal regulations, notifications to users via the browse-wrap method are not valid because the users have not actually agreed to the contents of the Personal Data Processing Notice. In addition, in practice, users may not be aware of the existence of the Personal Data Processing Notice.

Based on the above analysis, the Personal Data Controller should adopt a method of notification to the personal data subject that is public, transparent and requires the explicit consent of the personal data subject. As users, we should pay attention to the above legal issues to protect our legitimate rights and interests when our personal information is processed.

(1) Son Ha, National Assembly will consider the Law on Personal Data Protection, Vnexpress Newspaper, December 11, 2024, https://vnexpress.net/quoc-hoi-se-xem-xet-luat-bao-ve-du-lieu-ca-nhan-4826367.html 

(2) Clause 6 Article 11 Decree 13/2023/ND-CP. 

(3) Clause 2 Article 11 Decree 13/2023/ND-CP. 

(4) Clause 2 Article 393 Civil Code 2015. 

(5) Clause 6 Article 11 Decree 13/2023/ND-CP. 



Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with the experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email info@apolatlegal.com.
