LNT & Partners

The amended Law on Protection of Consumers' Rights takes effect today, July 1, 2024. This article reveal key aspects of the new legislation on consumer information protection, emphasizing its impact on both businesses and consumers.

Introduction

The protection of consumer information has emerged as a critical issue in recent years, particularly given the rapidly evolving digital landscape. In response to this growing concern, the Law on Protection ofConsumers' Rights No. 19/2023/QH15 (“LPCR2023”) has been amended with specific new regulations aimed at strengthening consumer rights regarding data privacy. The introduction of this legal instrument, which takes effect on July 1, 2024, marks a pivotal shift inthe legal framework governing consumer data processing practices. In thisarticle, we delve into the noteworthy points of this new legislation concerning consumer information protection, outlining its impact on both businesses andconsumers.

1. Transparency in consumer information collection

Under the LPCR2023, "consumer information" includes personal data of consumers,information about their purchasing and usage processes for products, goods, and services, as well as other transaction-related data between consumers and businesses[1].

In compliance with new regulatory requirements, businesses are required to limit theircollection of consumer information to the extent necessary for a specified purpose and implement data retention policies to ensure that information does not remain longer than required. In addition, their obligations include informing consumers in advance of the purpose, scope, duration, use, andstorage of their data, as well as any third parties with whom the data may be shared. No collection is carried out unless customers explicitly agrees so. Customers may express their consent or refusal of this collection through aclear and transparent mechanism created by businesses. Notably, businesses are exempt from these obligations if they are collecting information that consumers have already made public or if such collection is permitted under other legal provisions[2].

2. Controlled use of consumer information[3]

It is worth mentioning that consumer information must be processed accurately and solely for the purposes notified to and consented by consumers in advance unless otherwise permitted by law. Businesses shall adhere to the intended purpose of data collection and utilization throughout the data processing lifecycle. Prior to altering the notified purpose or scope of consumer information use, businesses must re-notify consumers and secure their consent for the changes. These regulations encompass the sharing, disclosure,and transfer of consumer information to third parties. The LPCR 2023 also outlines exceptional cases where businesses may process consumer information beyond the explicitly defined limitations set by the law, including: (i) having separate agreements with consumers regarding purposes and scopes of use beyondthose initially disclosed; (ii) using information to sell, supply products,goods, or services as requested by consumers and only within the scope of information consented to by consumers; and (iii) fulfilling legal obligations as stipulated by law. Moreover, businesses collecting consumer information mustprovide mechanisms for consumers to opt in or out of actions such as sharing with third parties and using their data for advertising and commercial purposes.

3. Enhanced security measures for consumer information

Safeguarding consumer information through stringent measures is essential under new regulations. Article 19 of the LPCR 2023 specifies the responsibilities of businesses to ensure the safety and security of consumer information processing:

(i) Ensuring the security of consumer information during collection, storage, and utilization by implementing preventive measures against unauthorized access, theft, misuse, unauthorized alteration, updating, or deletion;

(ii) Addressing complaints, requests,and grievances from consumers regarding unauthorized data collection, improperuse, or deviations from specified purposes and scope; and

(iii) In the event of a cyber-attack compromising consumer information security, businesses or data stewards must promptly notify the competent state authority within 24 hours of identifying the breach. They must also take immediate actions to uphold data security, in compliance with cybersecurity laws, network security protocols, electronic transactions regulations, and relevant legal provisions.

Conclusion

In brief, the new regulatory framework that governs consumer data protection become significant to protect consumer information in today's digital landscape. Businesses must adjust their practices to meet stringent regulatory requirements while consumers should be aware of their rights and how to assert them effectively to safeguard their information. Adhering to these regulations not only ensures legal compliance but also promotes a secure environment that upholds consumer rights and enhances trust in data management practices.

To view all formatting for this article (eg, tables, footnotes), please access the original here.

LNT & Partners - Duong Ba Anh Duyen

Please Login or Register for Free now to view all updates and articles

In addition to free-to-view updates and articles, you can also subscribe to the full Legal Centrix Vietnam Service including access to:

  • Overview notes on the law
  • Thousands of high quality translations of legislation covering all key business areas
  • Legal and tax updates
  • Articles on important legal and tax issues
  • Weekly email alerts
  • Sophisticated web platform and search

Legal Centrix is trusted by top law and accounting firms.

LNT & Partners

LNT & Partners is a full-service independent Vietnam law firm, which focuses on advisory and transactional work in the areas of corporate/M&A, competition, pharmaceutical, real estate, infrastructure and finance as well as complex and high-profile litigation and arbitration matters.

The team’s commitment to professionalism, quality advice and client care has earned the practice recognition from multiple recognized international publications, including the Legal 500, Chambers and Partners and IFLR1000. It is no surprise that numerous Fortune 500 companies have chosen LNT & Partner as their dedicated legal adviser.

 

Click here to view the author's profile

Cookies On
Our Website
We use cookies on our website. To learn more about cookies, how we use them on our site and how to change your cookie settings please click here to view our cookie policy. By continuing to use this site without changing your settings you consent to our use of cookies in accordance with our cookie policy.