The current regulations on the protection of consumers’ personal information in e-commerce activities in Vietnam establish a comprehensive legal framework to ensure privacy and data security. Article 21.1 of Vietnam’s Constitution of 2013 guarantees the right to private life, personal secrets, and family secrets, extending legal protections to personal information. The Civil Code of 2015, in Article 38, further reinforces these privacy protections, ensuring personal information is safeguarded.
In the context of e-commerce, several specific laws have been enacted to address the protection of consumer data. The Law on Consumer Protection 2023 mandates that consumer information must be kept confidential during transactions, unless required by competent state authorities. The Law on Cyber Information Security 2015 defines personal information as data linked to the identification of a specific person, but this definition may need further refinement to cover all aspects of personal data protection.
A significant development in the protection of personal data in Vietnam is the introduction of Decree No. 13/2023 on Personal Data Protection. This decree provides a detailed legal framework governing the collection, processing, storage, and use of personal data in Vietnam. Under Decree 13, personal data is classified into basic and sensitive data, with stricter rules imposed on the handling of sensitive data. The decree applies to both domestic and international organizations processing the personal data of Vietnamese citizens. It requires businesses to implement robust technical and organizational measures to safeguard personal data, and individuals must be informed of the purpose and scope of data collection. Additionally, personal data must only be processed with the explicit consent of the data subject, except in cases where the law provides otherwise. Violations of the decree may result in significant fines and penalties subject to future decree on sanctions, further reinforcing Vietnam’s commitment to protecting personal information in the digital age.
Entities involved in e-commerce, such as platforms, service providers, and technical infrastructure providers, must adhere to regulations concerning personal information handling. These entities are responsible for publishing privacy policies, ensuring data security, and maintaining infrastructure that complies with data protection laws. E-commerce websites, sales applications, and sellers on these platforms must also comply with data protection regulations, disclosing their data collection practices and safeguarding consumer information. Consumers themselves are encouraged to take personal responsibility for protecting their data, while state management agencies, such as the Ministry of Information and Communication (MIC) and the Ministry of Industry and Trade (MOIT), oversee compliance and conduct inspections.
Violations of personal information protection laws, including Decree No. 13, can result in administrative, civil, and criminal sanctions. Decrees No. 98/2020/ND-CP and No. 15/2020/ND-CP outline fines for violations, while the Civil Code 2015 and Law on Consumer Protection 2023 provide for compensation and injunctive relief. In severe cases, criminal penalties may be imposed under Article 288 of the Criminal Code 2015. Decree No. 13 also sets out specific penalties for non-compliance, with fines ranging from administrative sanctions to suspension of business operations for severe breaches.
Despite the legal framework, several challenges persist in effectively protecting personal information in e-commerce. To address these issues, a multi-faceted approach is necessary. First, increasing penalties for violations would serve as a stronger deterrent, especially in cases where the economic benefits of non-compliance outweigh current fines. Adjusting fines to reflect the potential financial gains from data misuse could encourage businesses to prioritize compliance. Second, enhancing enforcement measures is crucial. This could involve more frequent inspections, better coordination among state agencies, and the use of technology to monitor compliance in real-time. Lastly, promoting awareness among businesses and consumers is essential. Businesses need to be educated on their legal obligations under laws like Decree No. 13, while consumers should be informed of their rights and the steps they can take to protect their personal data and personal information. By addressing these issues, Vietnam can create a more secure e-commerce environment and better safeguard consumers’ information.