Years ago, the regulations on ensuring data security collected by enterprises from e-commerce websites and mobile apps were not strong, and tools for protecting data owners (‘users’) were not constituted. With the occurrence of loss and disputes and the rapid growth of the e-commerce industry, the Vietnamese legislature has issued several provisions to create a legal instrument to protect data owners and enterprises’ legitimate rights for collecting and using data. This article will discuss matters relating to ensuring data security through accessing, using, and exploiting the benefits of enterprises’ websites and the boundary between the legality of the information collected by enterprises and their rights upon collection of such information.
1. Introduction
The Fourth Industrial Revolution continues to progress strongly despite the world experiencing the COVID-19 pandemic. Digital transaction platforms have been created to optimize users’ demands, such as saving time or reducing travel, and to enhance the flexibility and benefits of applications. The effects of the pandemic and the requirements from governments on isolating, reducing direct activities, and limiting gatherings have become the impetus for the digital industry to reach a climax.
In Vietnam, this trend is even more pronounced as the Vietnamese government has issued several consecutive policies to minimize the effects of COVID-19. For example, social isolation measures apply not only to infected individuals but also to entire enterprises if they have employees who have had direct or indirect close contact with an infected individual. This situation raises questions about how enterprises can survive and operate, how authority agencies can avoid temporary closure, and how citizens can maintain daily activities such as studying, gatherings, consumption, and entertainment. Consequently, this has led to faster growth of digital technology in Vietnam than ever before.
According to statistics from the statistical organization in Vietnam, before COVID-19 broke out in Vietnam and globally, the number of internet users in Vietnam increased by 6.2 million (10 percent) from 2019 to 2020. As of January 2020, Vietnam currently has 68.17 million people using Internet services, with social media penetration reaching 67 percent [1]. With such growth, users’ data has become goods searched and used for commercial purposes by organizations and individuals. Governments also use data collected from declaration requests to manage citizens and companies. In this context, information technology is developing programs and apps to collect information and to track and monitor individuals and enterprises extensively, at a country level and even at a global level. However, many similar programs and systems are being built and operated rampantly by authorities and economic, commercial, and technological entities, among others, that gravely violate users’ rights to privacy. Users are forced to provide information when using any technology utilities or apps, without knowing whether their data security is ensured or not.
2. Which data is permissible to collect?
User rights to ensure their data security have been enshrined in regulatory documents of Vietnam since 1946 under the First Constitution. These rights are considered inalienable and belong exclusively to the data owners. This means that data owners have the entitlement to consider and determine the use of their data solely by their own decision. In Vietnam, the only data permitted to be collected is that which the owners have explicitly allowed and provided voluntarily. Data collectors, when utilizing data, must adhere to the legal framework of Vietnam. This principle is based on the concept of ‘individual consent’, wherein users express their consent and acceptance by ticking ‘I Agree’, ‘I understand and agree’, or ‘I accept’ stated in commitments such as ‘Terms and Conditions’ or ‘Terms of Use’.
The understanding of Vietnamese regulations regarding user data is similar to that of the rest of the world. ‘User data’ encompasses any information solely owned by the user, including their identity (name, age, date of birth, residence, ID), enterprise information if applicable (such as residency and workplace), financial details (income, assets, bank accounts, card numbers, savings, etc.), and users’ interests, habits, and needs. This information is provided through interactions or sharing individual data with organizations during transactions on platforms serviced by them. Data is also collected when users connect to and use websites to search for information, digital apps for work or entertainment purposes, etc. Users, by default, provide their information to the provider, enabling organizations to collect data.
Presently, Vietnam has only general provisions but no specific regulatory documents promulgated about data. This includes matters such as which data is permissible to collect, how users can manage or monitor organizations that collect and use data, using data for its original purpose, adjusting their information, the right to delete previously provided data, etc. This lack of specific regulations has resulted in data not being adequately protected, and illegal data trading frequently occurs.
3. The scope of data collection by organizations
Data belongs to users under their rights of privacy to ensure data security, and laws empower data owners with authority over their data. According to regulations, information collectors can utilize collected data only after obtaining the consent of data owners and can exploit the data only within the scope of what the user has agreed upon. In other words, data collectors can use data only to the extent agreed upon by users.
This principle is enshrined in the ‘Law on Cyber-information Security 2015’. Accordingly, before processing individual information such as collecting, adjusting, using, saving, providing, or sharing it, the owner’s consent is required. Collecting organizations are also required to take measures to ensure data security. However, the current provision only addresses this issue at a general level, reflecting the government’s orientation, and has not kept pace with the development of digital technology activities in Vietnam.
4. What the government has done to ensure data security
Users possess privacy rights to their data, including the right to their user data collected by various entities such as providers, website owners, and e-commerce platforms. These entities often require users to provide their data to access services, collect information, or fulfill obligations. In Vietnam, the regime for ensure individual data security was established with the 1946 Constitution and has been specifically supplemented at different periods to catch up with the development of digital technology. The current Constitution regulates as follows:
- Everyone has the right to the inviolability of their private life, personal secrets, and family secrets; and has the right to protect his or her honor and reputation. The safety and confidentiality of information on private life, personal secrets, and family secrets of citizens are ensured by law.
- Everyone has the right to confidentiality of correspondence, telephone, telegraph, and other forms of private communications. No one may open, control, or seize illegal correspondence, telephone, telegraph, or other forms of private communications of other people.
Article 38 of the Civil Code 2015 on the ‘Right to private life, personal privacy, and family privacy’ regulates:
- Private life, personal privacy, and family privacy are inviolable and protected by law.
- The collection, storage, use, and publication of information related to the private life or personal privacy of an individual must have the consent of that person and the collection, storage, use, and publication of information related to family privacy must have the consent of the family members, except where otherwise prescribed by law.
- The safety of the mail, telephone, telegraph, electronic database, and other forms of private electronic information exchange of an individual shall be ensured and kept confidential. The opening, control, and seizure of the mail, telephone, telegraph, electronic database, and other forms of Legal Update 29 Mar 2021 private electronic information exchange of another person may only be conducted in the cases provided by law.
- A party to a contract may not disclose information on the private life, personal privacy, or family privacy of the other party or parties known to it during the process of contract establishment and performance unless otherwise agreed.
The Law on E-transactions 2005 in Article 46 ‘Information confidentiality in e-transactions’, provides:
Agencies, organizations, and individuals must not use, provide, or disclose information on private and personal affairs or information of other agencies, organizations, and/or individuals that are accessible by them or under their control in e-transactions without the latter’s consent unless otherwise provided for by law.
The Law on Cyber-information Security 2015 also regulates ‘Principles of protecting personal information in cyberspace’, and accordingly provides:
- Individuals shall protect their personal information and comply with the law on provision of personal information when using services in cyberspace.
- Agencies, organizations, and individuals that process personal information shall ensure cyber information security for the information they process.
The Law on Cybersecurity 2018, at first required that enterprises providing services in cyberspace shall notify directly to users if their data is violated, broken, or lost.
The Criminal Code of Vietnam has specified criminal acts for violating the privacy rights of users and, based on the violation and damage level to users, imposes the respective administrative penalty or imprisonment.
In the scope of international transactions, the Vietnamese Government also proves its commitment to protecting privacy rights by participating in the International Covenant on Civil and Political Rights (‘ICCPR’), in which Article 17 states:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home, or correspondence, nor unlawful attacks on his honor and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.
6. Current situation in Vietnam
We understand that ensuring data security plays an important role, but in Vietnam, users are not aware of this. Thus, much of user data has become a commodity for commercial purposes. In other words, the protection of users’ and customers’ data has not been very focused. Only when incidents and damages occur will legal measures and remedies be considered. Business fields such as real estate, health care, and insurance activities are groups of services where there is a great need for accessing information of users and the mentioned data will be construed as a basis for service offering and marketing.
Under different transaction forms, users’ data is exchanged and illegally traded on a large scale for marketing and sales purposes, showing that customers’ data is being very loosely protected. Users themselves understand this illegal use, however, there are no tools for users to request termination of illegal use of information.
At the beginning of the article, the speed of using and exploiting utilities based on digital technology, extremely popular apps in Vietnam, and the frequency of usage increases dramatically each year are discussed. In addition, the impact of government policies to minimize the impact of the COVID-19 pandemic has created momentum for the development of the digital industry in Vietnam. Another thing that significantly affects the appearance of many electronic applications, trading floors, etc., is the tax exemption and reduction policy, the investment incentive policy of the Vietnamese government. Given the speed of development, Vietnam’s lawmakers are gradually drafting regulations on the protection of privacy and the safety of users’ data based on the general regulations of the world, creating a safe network environment for foreign users and investors in Vietnam. In addition, the Vietnamese government is implementing many policies to encourage users to change their views on the privacy of their data, the data of enterprises, and other individuals.
[1] https://datareportal.com/reports/digital-2020-vietnam.
To read more about how to protect personal data, please read our related article [here].
Download to learn more about this topic (pg. 26 – 31)
IPBA Journal | Ensure data security for users on digital technology platforms
Get instant access to our downloadable resource packed with expert insights.
