The protection of consumer information has emerged as a critical issue in recent years, particularly given the rapidly evolving digital landscape. In response to this growing concern, the Law on Protection of Consumers' Rights No. 19/2023/QH15 (“LPCR 2023”) has been amended with specific new regulations aimed at strengthening consumer rights regarding data privacy. The introduction of this legal instrument, which takes effect on July 1, 2024, marks a pivotal shift in the legal framework governing consumer data processing practices. In this article, we delve into the noteworthy points of this new legislation concerning consumer information protection, outlining its impact on both businesses and consumers.
Under the LPCR 2023, "consumer information" includes personal data of consumers, information about their purchasing and usage processes for products, goods, and services, as well as other transaction-related data between consumers and businesses[1].
In compliance with the new regulatory requirements, businesses are required to limit their collection of consumer information to the extent necessary for a specified purpose and implement data retention policies to ensure that information is not retained longer than required. In addition, their obligations include informing consumers in advance of the purpose, scope, duration, use, and storage of their data, as well as any third parties with whom the data may be shared. No collection is carried out unless customers explicitly agree to it. Customers may express their consent to or refusal of this collection through a clear and transparent mechanism created by businesses. Notably, businesses are exempt from these obligations if they are collecting information that consumers have already made public or if such collection is permitted under other legal provisions[2].
It is worth mentioning that consumer information must be processed accurately and solely for the purposes notified to and consented to by consumers in advance unless otherwise permitted by law. Businesses shall adhere to the intended purpose of data collection and utilization throughout the data processing lifecycle. Prior to altering the notified purpose or scope of consumer information use, businesses must re-notify consumers and secure their consent for the changes. These regulations encompass the sharing, disclosure, and transfer of consumer information to third parties. The LPCR 2023 also outlines exceptional cases where businesses may process consumer information beyond the explicitly defined limitations set by the law, including: (i) having separate agreements with consumers regarding purposes and scopes of use beyond those initially disclosed; (ii) using information to sell, supply products, goods, or services as requested by consumers and only within the scope of information consented to by consumers; and (iii) fulfilling legal obligations as stipulated by law. Moreover, businesses collecting consumer information must provide mechanisms for consumers to opt in or out of actions such as sharing with third parties and using their data for advertising and commercial purposes.
Safeguarding consumer information through stringent measures is essential under the new regulations. Article 19 of the LPCR 2023 specifies the responsibilities of businesses to ensure the safety and security of consumer information processing:
(i) Ensuring the security of consumer information during collection, storage, and utilization by implementing preventive measures against unauthorized access, theft, misuse, unauthorized alteration, updating, or deletion;
(ii) Addressing complaints, requests, and grievances from consumers regarding unauthorized data collection, improper use, or deviations from specified purposes and scope; and
(iii) In the event of a cyber-attack compromising consumer information security, businesses or data stewards must promptly notify the competent state authority within 24 hours of identifying the breach. They must also take immediate actions to uphold data security, in compliance with cybersecurity laws, network security protocols, electronic transactions regulations, and relevant legal provisions.
In brief, the new regulatory framework that governs consumer data protection has become significant in protecting consumer information in today's digital landscape. Businesses must adjust their practices to meet stringent regulatory requirements, while consumers should be aware of their rights and how to assert them effectively to safeguard their information. Adhering to these regulations not only ensures legal compliance but also promotes a secure environment that upholds consumer rights and enhances trust in data management practices.
[1] LPCR 2023, Article 3, Clause 3
[2] LPCR 2023, Article 17
[3] LPCR 2023, Article 18
Disclaimer: This Legal Update is intended to provide updates on the Laws for information purposes only, and should not be used or interpreted as our advice for business purposes. LNT & Partners shall not be liable for any use or application of the information for any business purpose. For further clarification or advice from the Legal Update, please consult our lawyers: Ms Duong Ba Anh Duyen at anhduyen.duong@lntpartners.com.