Data Privacy in E-Commerce Transactions

Data Privacy in E-Commerce Transactions

“In the last decade, with the introduction of innovation in advanced information technology, the retail industry has been witnessing a massive transformation to a novel business model – the online retail stores on e-commerce platforms, rather than centering on traditional distribution channels, which are physical stores, as it was the case in the early 2000s. The dawn of the e-commerce era has commenced with the corporate giants, like Amazon, eBay, Taobao; in Vietnam playground, Tiki, Shopee, Lazada, and Sendo are the main players sharing the lucrative e-commerce pie domestically. However, the increased popularity of this business trend has entailed some certain concerns, in which the privacy of personal data collected by such platforms upon registration is the heart of this matter. The question of how such platforms handle a massive amount of data collected from customers and whether or not such personal data remains confidential under the watch of such e-commerce providers, yet, requires further elaboration.”

To date, the regulatory framework for customer data privacy in e-commerce is mainly set forth in Decree 52/2013/ND-CP on E-commerce dated 16 May 2013 and its supplements and amendments regarding the same issue (“Decree 52”). Besides Decree 52, Law on Cyber Information Security 2015, and Law on Information Technology 2006 also have sufficient provisions regarding the collection of personal data and data privacy on the internet in general.

Personal data to be collected?

By law, personal data means information that contributes to the identification of a specific individual, including name, residential address, phone number, medical records, bank account number, information about personal payment transactions and other information that the individual wishes to keep confidential.

In fact, the type of information that e-commerce platforms currently collect is quite wide and associated with interactive activities on the network environment such as information related to the devices used to access and use services, information about the network and accounts with which the consumer interacts, preferences related to advertising information, detailed search history, transaction history, cookies, etc. Thus, it can be seen, comes from the fact that the law does not specify the types of personal information that are allowed to be collected, from which the information collected by the e-commerce platform includes personal information, payment information, information about consumer interactions on the network environment when using services, and other information that the e-commerce corporates deem necessary.

Purposes of data collection?

Regarding the purpose of use of the said personal data, although the law stipulates that an e-commerce company is only allowed to use the collected personal information of consumers for “the purposes and within the scope as announced“, the current regulations do not have any restrictions on the limit and scope of personal data that e-commerce business organizations are entitled to exploit, instead, the collection of such personal data is solely based on the consent of consumers when registering to use services on the e-commerce platform.

Based on the information published on a number of e-commerce platforms in Vietnam, personal data is claimed to be used for the following purposes:

  • Processing consumer transactions;
  • Serving the purpose of identifying and verifying consumers;
  • Managing and administering the use of services by consumers;
  • Marketing and advertising;
  • Legal and compliance purposes;
  • Communication and exchange of information;
  • Business analysis, research and, development;
  • For storage, server setting, backup; and
  • Any other purpose that the consumer has agreed to at the time of providing information.

Since the law does not impose any restriction on the purpose of use of personal data, besides the purposes listed above, e-commerce companies in Vietnam also use customer information for a very wide range of purposes. Given that customer consent has been obtained, e-commerce providers, with a higher legal status and more advantages over consumers, tend to maximize their allowed exploitation scope in relation to consumers’ personal information. Such practice could lead to the abuse of customer personal data, where e-commerce providers use such data for their own purposes disregarding customers’ shopping experience.

The responsibility of e-commerce platforms?

In general, Vietnamese law sets forth the responsibility of e-commerce platforms (or a third party authorized by them) in collecting and processing consumer personal information.

In terms of policy, an e-commerce company is obliged to develop and publish a policy to protect users’ personal information containing the following points:

  • Purpose of collecting personal information;
  • Scope of use;
  • Usage term;
  • Individuals or organizations that may have access to such information;
  • The address of the agency collecting and processing the collected data in case the consumer inquiries about his information collection and processing activities; and
  • Methods and tools for consumers to access and update their personal data on the e-commerce platform.

E-commerce companies must ensure that the policy is communicated to consumers prior to or at the time consumers provide their information and register to use the services provided by the above platforms. In most cases, these policies will be fully announced by e-commerce companies on their website in the form of a “Privacy Policy” so that consumers can access and establish their consent regarding their personal data.

Regarding the customer consent, Decree 52 stipulates that e-commerce company companies must have a mechanism so that consumers can choose whether or not to allow the use of personal information for the following purposes separately:

  • Sharing, disclosing, transferring information to a third party;
  • Using personal information for advertising, product introduction and, other commercial information.

In practice, large e-commerce platforms in Vietnam do not have such a mechanism for consumers to express their consent regarding the collection of information for these two purposes separately as required by law. This means that consumers are required to allow e-commerce business organizations to disclose information to third parties and use the information for advertising purposes or will not be able to use the services provided by those e-commerce companies.

The reason why the law prescribes a separate consensus mechanism related to the use of personal information for these two purposes is to limit the exceeded use of personal data by e-commerce platforms (i) to use the provided personal information to increase sales through advertising instead of focusing on the customer’s service experience, (ii) providing information to unrelated third parties for their own purposes.

Is customer data privacy guaranteed?

Currently, given that there is a legal framework that regulates the responsibilities of e-commerce companies in collecting and processing consumers’ personal data on e-commerce platforms, the accessibility and control over their personal data still has many restraints in practice settings.

Therefore, it is crucial that, when participating in and conducting e-commerce activities, organizations and individuals should learn the terms of privacy published on the website to determine the types of personal information that may be collected and the purpose of this collection, as well as the rights of consumers related to personal information such as requesting e-commerce companies to update, adjust or cancel information in case there is no need to use it.

This article is based on the current laws at the above recorded time and may no longer be relevant at the time readers access this article due to changes in applicable law and specific cases which the readers want to apply. Therefore, this article is for reference only.

Share on facebook
Share on twitter
Share on linkedin

We would be delighted to schedule a meeting to provide you with an effective solution.