Theoretical research

Comparison of the Laws of the European Union and Viet Nam on the protection of the consumers' personal data in online shopping, with recommendations for Viet Nam

Xa Kieu Oanh - Nguyen Pham Thanh Hoa Monday, Oct/27/2025 - 15:28

(L&D) - The article analyzes the legal provisions and assesses the current situation of personal data protection for consumers in Viet Nam when participating in online shopping. At the same time, it examines certain provisions related to personal data protection under the General Data Protection Regulation (GDPR) of the European Union, thereby providing several recommendations for improving Viet Nam’s legal framework and enhancing the effectiveness of personal data protection for consumers.

Abstract: Currently, online shopping through e-commerce platforms and social networks has become increasingly popular and is gradually turning into an essential need in people's daily lives. It is undeniable that this method of shopping offers numerous advantages over traditional shopping methods. However, concerns regarding the security of consumers' personal data remain a major challenge due to risks of data leakage, loss, and theft. This article analyzes the legal provisions and assesses the current state of personal data protection for consumers in Vietnam when participating in online shopping. Furthermore, the article examines certain provisions related to personal data protection under the European Union’s General Data Protection Regulation (GDPR), thereby offering several recommendations for improving Vietnam’s legal framework to enhance the protection of consumers' personal data in the context of online shopping.

Keywords: personal data, consumer, shopping, online, GDPR.

Introduction:

The impact of the Fourth Industrial Revolution, together with the context of the Covid-19 pandemic, has significantly changed people’s shopping and consumption behavior. Accordingly, consumers have begun to favor online shopping over traditional shopping methods previously used. In essence, online shopping is the process by which consumers purchase goods or services from sellers within a specified period of time through the Internet without any intermediary service[1]. At present, consumers can engage in online shopping through various forms. Depending on their needs and the convenience of each form, they may choose one or several methods, including but not limited to e-commerce platforms, social networks such as Facebook, Zalo, TikTok, Instagram, or sales websites, etc. However, during the process of online shopping, consumers have been and are facing numerous risks, particularly concerns surrounding the protection of their personal data when participating in online transactions.

1. Theoretical basis for the protection of consumers' personal data in online shopping

Personal data refers to information that enables the identification and recognition of a specific individual, allowing for differentiation between one person and another or between distinct personal data.[2] Such data include, but are not limited to, the following basic information: full name, middle name, and given name; other names (if any); date of birth; date of death or disappearance; gender; place of birth, place of birth registration, permanent residence, temporary residence, current address, place of origin, contact address; nationality; personal image, etc[3]. A consumer is a person who purchases or uses goods or services for the purposes of personal, family, or organizational consumption and living[4]. When these two terms are combined, consumers’ personal data may be understood as information that identifies and recognizes a person in the course of purchasing or using goods and services for specific purposes.

In this context, the process of purchasing goods and services can take place through two common forms: traditional shopping and online shopping. Online shopping refers to the process by which consumers directly purchase goods or services from sellers within a specific period of time through the Internet without any intermediary service; it is a procedure used to list goods and services together with accompanying images displayed remotely through electronic means[5]. Electronic means are defined as hardware, software, information systems, or other tools operating on the basis of information technology, electrical, electronic, digital, magnetic, wireless transmission, optical, electromagnetic, or similar technologies[6]. Instead of going to a physical store to purchase goods in the traditional way, consumers can simply stay at home and use electronic means connected to the Internet, through e-commerce platforms, social networks, or online store websites to carry out their shopping activities. For this reason, consumers’ personal data have become a commonly used “tool” of exchange between sellers and buyers. The purpose is to allow both parties to know and identify each other’s information, thereby facilitating faster and more convenient transactions, while also establishing trust between parties who otherwise have no prior knowledge of one another.

However, the downside of this convenience lies in the increasingly common situation where consumers’ personal data are leaked, exposed, or stolen for other purposes (which may be unlawful), becoming a source of concern for consumers when engaging in online shopping. In the context of the strong development of e-commerce and the digital society, the loss of personal data security is inevitable; therefore, the search for solutions to prevent, minimize, and ultimately eliminate this situation has always been a priority for policymakers. Among such solutions, legal regulation of the protection of consumers’ personal data in online shopping is one of the most important and prioritized measures.

At present, the laws on the protection of consumers’ personal data in online shopping are built upon the general legal framework for personal data protection. From the perspective of the Constitution 2013, the protection of personal data is recognized through the regulation on the right to privacy, specifically in Article 21: “Everyone has the right to inviolability of private life, personal secrets, and family secrets; and the right to protect his or her honor and reputation. Information about private life, personal secrets, and family secrets shall be kept safe by law”, or Article 38 of the Civil Code 2015 also provides that: “Private life, personal secrets, and family secrets are inviolable and protected by law”. Furthermore, Article 4(1) of the Law on Protection of Consumers’ Rights 2023 (hereinafter referred to as the Law on Protection of Consumers’ Rights or LPCR) stipulates that consumers are entitled to the assurance of safety for their life, health, honor, dignity, reputation, and property, and to the protection of their information and other legitimate rights and interests when participating in transactions or using products, goods, and services provided by business organizations or individuals. It can be seen that all three legal documents - from the fundamental to the sectoral level - have acknowledged the protection of personal data. In particular, the protection of consumers’ personal data is recognized through the right to privacy over personal data, which is an inviolable right of every individual. Only with the issuance of Decree No. 13/2023/ND-CP of April 17, 2023 by the Government on Personal Data Protection (hereinafter referred to as Decree No. 13/2023/ND-CP) did the protection of personal data obtain a specific legal framework for regulation (and will soon be strengthened with the promulgation of the Law on Personal Data Protection).

According to the Decree, personal data protection means the prevention, detection, and handling of violations related to personal data in accordance with law (Article 2(5) of Decree No. 13/2023/ND-CP). From this, it can be understood that the laws on the protection of consumers’ personal data in online shopping comprise the body of legal norms governing the prevention, detection, and handling of violations related to consumers’ personal data in online shopping within the electronic environment, with the ultimate goal of protecting consumers’ right to privacy in relation to their personal data.

2. The current situation of protecting consumers' personal data in online shopping in Viet Nam

Firstly, online shopping has been growing increasingly vibrant and has inevitably created an ideal environment for violations of consumers’ personal data.

In reality, traditional shopping is gradually giving way to online shopping[7] in the context of digital economic development. According to the E-Commerce Report Viet Nam 2023 issued by the E-Commerce and Digital Economy Agency, e-commerce has witnessed remarkable growth. With 74% of the population using the Internet, Viet Nam had approximately 59 to 62 million online consumers, and the estimated average spending per person reached around 300–320 USD in 2023[8], compared with 202 USD in 2018, 225 USD in 2019, 240 USD in 2020, 251 USD in 2021, and 288 USD in 2022. It can be seen that the value of online shopping per person has significantly increased, reflecting both the demand and the consumption trend in the digital era. Consumers can make purchases through various channels such as business websites, social networking sites, e-commerce platforms, and mobile applications[9]. Among these, sales conducted via social networks and e-commerce platforms are considered the most effective.

Figure 1: Chart assessing the effectiveness of product sales through online channels (Source: VECOM, 2022)[10]

Secondly, the violation of users’ privacy concerning personal data has become one of the major concerns for consumers when engaging in online shopping.

It is observed that consumers can now access goods and services through various forms without being dependent on traditional shopping methods, offering greater flexibility and convenience. However, alongside these benefits, consumers in reality still face several risks - most notably, the disclosure, leakage, and intrusion of personal data. In fact, as the number of online shoppers has surged in recent years and is expected to increase sharply in the near future, e-commerce businesses have become prime targets for those seeking to steal information, with cyberattacks occurring more frequently and with increasing sophistication[11]. According to statistics, there are numerous reasons why a portion of consumers feel hesitant about online shopping: poor product quality compared with advertisements (68%); high shipping costs (41%); low-quality delivery services (30%); poor customer care services (28%), etc. Among these, the concern over personal information disclosure accounts for as much as 52% - significantly higher than other reasons - and it is also one of the main factors discouraging individuals who have never shopped online before (29%), ranking fourth after (i) in-store shopping being more convenient (45%); (ii) difficulty in verifying product quality (44%); and (iii) distrust of sellers (44%)[12].

Typical of this situation is the fact that many customers have reported receiving phone calls from individuals impersonating delivery staff after placing orders on e-commerce applications. These callers request that customers transfer money in advance before receiving their goods. What is noteworthy is that such individuals often provide accurate information about the order, which causes many consumers to believe them and proceed with the transfer without proper verification[13]. In reality, a user today usually maintains two to three accounts and uses social networks, accesses dozens of e-commerce websites, and provides information to hundreds of stores, hotels, and supermarkets during daily activities. Consequently, personal data are collected and stored across hundreds of different systems. Meanwhile, data security among these systems is inconsistent, creating risks of attacks and data breaches stemming from operational processes, human factors, or cybersecurity vulnerabilities[14]. There are numerous causes of the insecurity of consumers’ personal data in online shopping activities - from consumers’ subjective attitudes and their uncontrolled sharing of personal data without managing the types of data being disclosed, to intentional violations by other parties such as excessive and unauthorized data collection, non-transparent data-gathering practices, or even large-scale cyberattacks by hackers.

Thirdly, the law on personal data protection of consumers engaged in online shopping serves as an instrument to ensure the safety of consumers’ personal data.

It can be observed that the risk of personal data being leaked, exposed, or infringed upon in online shopping activities has become one of the main reasons why consumers are concerned about data security and privacy. Therefore, the protection of consumers’ personal data has become one of the key components of both the general legal framework on consumer rights protection and the specific legal framework on the protection of consumers’ personal data. At present, the mechanism for protecting consumers’ personal data in online shopping activities has been established and rapidly improved to address the aforementioned situation. Derived from the general concept of personal data protection - understood as the activity of preventing, detecting, deterring, and handling violations related to personal data in accordance with the law[15] - the protection of consumers’ personal data in online shopping is placed within this general framework but focuses on a specific subject, namely consumers, and within a specific context - the online environment.

The law on the protection of consumers’ personal data in online shopping is specifically governed by three legal instruments, namely: the Law on Protection of Consumer Rights 2010 (compared with the Law on Protection of Consumer Rights 2023, effective as of July 1, 2024); Decree No. 52/2013/NĐ-CP dated May 16, 2013 of the Government on E-commerce, as amended and supplemented by Decree No. 85/2021/NĐ-CP (effective as of January 1, 2022) (hereinafter referred to as “Decree No. 52/2013/NĐ-CP”); and Decree No. 13/2023/NĐ-CP on Personal Data Protection. At present, all three instruments provide regulations on the protection of consumers’ personal data; however, certain provisions remain inconsistent and overlapping, as detailed below:

(i) The Law on Protection of Consumer Rights 2010 provides for the protection of consumers' information in comparison with the Law on Protection of Consumer Rights 2023

The Law on Protection of Consumer Rights 2010 regulates the protection of consumers’ information under Article 6. Compared with the Law on Protection of Consumer Rights 2023, these provisions have been revised and supplemented toward greater comprehensiveness, specifically as follows:

First, the concept of consumer information has been added. Accordingly, consumer information includes consumers’ personal data, information on their process of purchasing and using products, goods, and services, and other information related to transactions between consumers and traders or organizations engaged in business activities (Clause 3, Article 3). This addition ensures consistency in interpretation and provides clearer protection between consumers’ personal data and other information arising during consumption.

Second, the methods of protecting consumers’ information have been supplemented. While the Law on Protection of Consumer Rights 2010 stipulates that traders and business organizations shall “themselves” perform the responsibility of protecting consumers’ information, the Law on Protection of Consumer Rights 2023 additionally allows them to “authorize or hire a third party” to carry out these responsibilities. The inclusion of third-party authorization for collecting, storing, and using consumer information in the Law on Protection of Consumer Rights 2023, compared to the 2010 version, plays an important role in strengthening privacy and consumers’ rights protection in the current digital environment. Authorizing a third party to perform the collection, storage, and use of consumer information may stem from the fact that the third party possesses expertise and experience in data and personal information management that the traders or organizations may lack. In addition, third parties often have robust infrastructure and financial capacity to implement data protection processes effectively and to ensure compliance with relevant laws, including those on data protection and privacy rights. Through such authorization, organizations and individuals can reduce risks associated with data and information management, as third parties may adopt higher standards of security and safety to protect data.

In addition, the Law on Protection of Consumers’ Rights 2023 also requires that the third party must have a clear and comprehensible privacy policy describing how consumers’ personal information will be used and protected. The third party must ensure the safety and security of consumers’ personal information by applying cybersecurity and data protection measures. Moreover, apart from the actions that business organizations and individuals may take toward consumers’ information - namely “collection, use, and transfer” as provided in the Law on Protection of Consumers’ Rights 2010 - the Law on Protection of Consumers’ Rights 2023 further supplements additional actions, including storage, modification, update, and deletion. It can be observed that the Law on Protection of Consumers’ Rights 2023 has expanded the authority of entities responsible for protecting consumers’ information, while comprehensively consolidating the possible actions of business organizations and individuals that may affect consumers’ information. The delegation of information collection, storage, and use to a third party also aligns with international practice, particularly Article 28 of the General Data Protection Regulation (GDPR). Accordingly, all processing activities involving personal data, including delegation to third parties, must comply with the GDPR to ensure the protection of privacy and consumers’ rights. Non-compliance may result in severe fines and other legal consequences for the organization or the third party.

Third, new provisions have been added concerning the formulation of rules on the protection of consumers’ information (Article 16); notification requirements when collecting and using consumers’ information (Article 17); provisions on the use of consumers’ information (Article 18); provisions on ensuring the safety and security of consumers’ information (Article 19); and provisions on the inspection, correction, update, deletion, transfer, and suspension of the transfer of consumers’ information (Article 20). These are entirely new provisions compared with the Law on Protection of Consumers’ Rights 2010. It can be observed that the Law on Protection of Consumers’ Rights 2023 provides more comprehensive and complete regulations regarding the protection of consumers’ personal data when purchasing and using goods and services in general.

(ii) Decree No. 52/2013/NĐ-CP contains provisions on the protection of consumers’ personal information in e-commerce from Articles 68 to 73.

Overall, the contents of these provisions are generally consistent with those stipulated in the Law on Protection of Consumers’ Rights 2023.

- Entities that collect and use consumers’ personal information are required to develop and publicly announce a policy on personal information protection, which must include: (i) the purpose of collecting personal information; (ii) the scope of information use; (iii) the period of information retention; (iv) the persons or organizations that may have access to such information; (v) the address of the entity collecting and managing the information; and (vi) methods and tools enabling consumers to access and modify their personal data on the e-commerce system of the collecting entity (Article 69).

- Regarding obtaining consumers’ consent for data collection, the Decree stipulates that entities collecting and using consumers’ personal information on e-commerce websites must obtain the prior consent of the concerned consumers (Article 70).

- As for the use of consumers’ information, the entity collecting such data must use personal information only for the purposes and within the scope already notified, except where otherwise provided by law (Article 71).

(iii) Decree No. 13/2023/NĐ-CP comprehensively regulates matters concerning personal data protection.

The issuance of this Decree came in response to the widespread occurrence of personal data breaches, aiming to safeguard personal data rights, prevent violations that may infringe upon the rights and interests of individuals and organizations, and enhance the accountability of agencies, organizations, and individuals - especially data controllers - in processing personal data [16]. The provisions of the Decree also correspond in many aspects with those of the General Data Protection Regulation (GDPR).

3. Protection of consumers' personal data in online shopping under the General Data Protection Regulation (GDPR) of the European Union

The personal data protection rules of the European Union ensure the protection of personal data of data subjects in general and of consumers in particular whenever data are collected, including in circumstances where consumers engage in online shopping [17]. These rules are stipulated in the General Data Protection Regulation (GDPR) of the European Union. The GDPR is regarded as a legal framework established to provide citizens within the European Union with greater control over their personal data [18], and such rules are concretized through the rights of data subjects.

First, the data subject’s right to be informed. As a principle, before collecting and processing a person’s personal data, the data controller or processor must notify that person of the collection of their related data, and may only collect and process such personal data with the consent of the data subject [19].

Figure 2: Diagram illustrating the process of fulfilling the notification obligation by the data controller and data processor when collecting and processing the personal data of the data subject

The General Data Protection Regulation (GDPR) stipulates that personal data must be processed lawfully, fairly, and transparently in relation to the data subject (point (a), paragraph 1, Article 5). Therefore, the notification made by the data controller and the data processor is considered a mandatory act that these entities must perform if they wish to collect and process the personal data of others.

The notification content that the data controller and the data processor must provide to the data subject includes, but is not limited to, the following information: (i) the identity and contact details of the data controller and, where applicable, the identity and contact details of the controller’s representative; (ii) the contact details of the data protection officer, if any; (iii) the purposes and legal basis for the processing of personal data; (iv) the legitimate interests pursued by the data controller or a third party that may arise from the collection and processing of data; (v) the recipients or categories of recipients of the personal data, if any; etc.[20]

A problem arises in that the data subject is under no obligation to consent each time the data controller or data processor provides notification. This is because the right to consent belongs to the data subject. In this relationship, the data subject retains an active position and compels the data controller and data processor to fulfil their notification obligations; however, whether the data subject consents to the collection and processing of their data depends entirely on their own will. In fact, Article 7 of the GDPR grants the data subject the right to withdraw their consent at any time during the process of data collection and processing by the data controller and data processor.

In relation to the protection of consumers’ personal data in the process of online shopping, it is common that, before collecting consumers’ personal data, the data collector (for the purposes of this article, the term “data collector” refers to the seller or service provider) will collect certain necessary information such as name, age, address, and phone number to verify whether a purchase or service use has been made by the data subject. In this case, the data collector is fulfilling its notification obligation, while the consumer demonstrates consent to the purchase or use of the service through an online form. In other words, the provision on the data subject’s right to be informed under the GDPR is reflected in the relationship between the data collector and the consumer when the latter engages in online shopping.

Second, the right to be forgotten. This right is reflected in two aspects: the right to delisting and the right to erasure. The right to delisting allows an individual to request a search engine operator to remove certain search results associated with them[21], while the right to erasure allows an individual to request the publisher to delete data that the individual has provided[22]. This article focuses only on certain aspects of the right to erasure.

Accordingly, the data subject has the right to request the data controller to erase personal data concerning them without undue delay. Upon receiving such a request from the data subject, the data controller is obliged to erase the personal data in question when one of the following conditions applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent and there is no other legal ground for the processing; (iii) the data subject objects to the processing; (iv) the personal data have been unlawfully processed; (v) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject; (vi) the personal data have been collected in relation to the provision of an information society service[23]. Apart from the above cases, the right to erasure shall not apply in certain circumstances serving public interests or where the law of the European Union or its Member States provides otherwise[24].

Regarding the protection of consumers’ personal data in the process of online shopping, the right to be forgotten has not yet received due attention. In practice, after consumers purchase products or use online services, their personal data have already been collected and stored by the data collector. From such data, the collector may use them for purposes related to advertising, marketing, or offering further purchases/uses of services in the future. Immediately after purchasing or using an online service, consumers may exercise their right to be forgotten by requesting the data collector to erase their personal data. However, in reality, consumers often pay little attention to - or, in many cases, are unaware of - this right. As a result, their personal data continue to be used by collectors or third parties for other purposes without their knowledge, even though they no longer purchase products or use online services from the same collector.

Third, the responsibility of controllers and processors during the processing of data subjects’ personal data. Accordingly, controllers must implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific processing purpose are processed. The purpose of this responsibility is to ensure that the processing of personal data does not exceed the scope of the processing purposes which the controller and processor have previously notified to the data subject. As for the security of processing, the GDPR also prescribes the responsibilities of controllers and processors. Accordingly, they must adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk (taking into account the state of the art, the cost of implementation, as well as the nature, scope, context, and purposes of processing, etc.) that may arise during the processing of personal data. Once personal data of the data subject have been collected, controllers and processors must fulfill various obligations, including ensuring the security of personal data processing - thereby indirectly safeguarding the data subject’s personal data.

In connection with the protection of consumers’ personal data during online shopping, consumers seem unable to identify or perceive how the data collector performs its responsibilities regarding their personal data during the processing. According to the author, this is one of the reasons why consumers’ personal data are infringed without any means of redress available to them. This is because, if the data collector effectively performs its responsibility for ensuring data security, the leakage or unauthorized disclosure of consumers’ personal data would be significantly limited.

In addition, under the European Union’s legislation on consumer protection - specifically, Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council, and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (hereinafter referred to as “Directive 2011/83/EU”) - it is provided that, with regard to consumers’ personal data, traders shall comply with the obligations applicable under Regulation (EU) 2016/679[27]. It can thus be seen that the protection of consumers’ personal data in online shopping is governed by the provisions of the GDPR. In other words, EU law does not regulate this matter in any other separate legal instrument.

In conclusion, the protection of consumers’ personal data in online shopping is subject to the GDPR. The GDPR is recognized as one of the most exemplary legal frameworks for personal data protection; therefore, the application of the GDPR to the protection of consumers’ personal data (as a specific group of data subjects) is a matter of course.

4. Recommendations for improving Viet Nam's legislation on the protection of consumers' personal data in online shopping

Through the identification and assessment of the current state of personal data protection for consumers in the online environment, and by referring to the regulatory framework of the European Union, it can be seen that several provisions on personal data protection in general - and on the protection of consumers’ personal data in online shopping in particular - remain inconsistent in Viet Nam, specifically among the Law on Protection of Consumers’ Rights 2023, Decree No. 52/2013/ND-CP, and Decree No. 13/2023/ND-CP. Therefore, the authors propose several corresponding recommendations as follows:

First, there should be a unified use of the term personal data. In practice, the current legal framework in Viet Nam shows inconsistency in the use of the terms personal data and personal information. The specialized legal document governing the protection of personal data - Decree No. 13/2023/ND-CP - defines personal data as information in the form of symbols, letters, numbers, images, sounds, or similar forms in the electronic environment that is associated with a specific individual or helps to identify a specific individual (Clause 1, Article 2). Meanwhile, the Law on Protection of Consumers’ Rights 2010, the Law on Protection of Consumers’ Rights 2023, and Decree No. 52/2013/ND-CP all use the term personal information [28]. Comparing these definitions, the interpretation of personal data under Decree No. 13/2023/ND-CP is broader and more comprehensive than the term personal information. This is because Decree No. 13/2023/ND-CP explicitly lists basic types of personal data in Clause 3, Article 2, similar to how personal information is defined in Decree No. 52/2013/ND-CP, but the main distinction lies in its focus on identifying individuals through their data.

The use of the term personal data in Decree No. 13/2023/ND-CP aligns with the General Data Protection Regulation (GDPR), which adopts personal data - rather than personal information - to refer to “any information relating to an identified or identifiable natural person” (Clause 1, Article 4). From a comparative legal perspective, considering Decree No. 13/2023/ND-CP as a dedicated legal instrument on personal data protection and drawing upon the EU’s legislative experience under the GDPR, it is essential that Vietnamese legal documents adopt a uniform term - personal data - to ensure consistency in understanding, interpreting, and applying legal provisions in practice.

Second, there remains inconsistency between the requirement of notification and consent when collecting consumers’ personal information. While both the Law on Protection of Consumers’ Rights 2023 and Decree No. 13/2023/ND-CP prescribe the obligation to notify [29], Decree No. 52/2013/ND-CP stipulates the requirement to "obtain consumers’ permission before collecting information". The meanings of notification and consent are distinct. Consent refers to requesting and obtaining approval from another person to perform a specific act [30], whereas notification merely requires one party to inform another about certain content, leaving the recipient to decide how to respond; the notifier does not influence the recipient’s will. The authors argue that the use of the term notification is more appropriate, as it aligns with the GDPR and maintains a balance between the notifying and notified parties - ensuring that consent to data processing is obtained objectively without undue influence.

Third, regulations on the protection of consumers’ personal data in online shopping are currently dispersed across multiple legal instruments, raising the question of which legal document should apply in such cases. Notably, three different legal instruments govern the same matter: the Law on Protection of Consumers’ Rights 2023, Decree No. 52/2013/ND-CP, and Decree No. 13/2023/ND-CP. Among these, Decree No. 13/2023/ND-CP may be regarded as the Vietnamese equivalent of the GDPR, as it serves as the primary legal framework regulating personal data protection.

According to the legal approach of the European Union, the protection of personal data - including in the field of e-commerce - is uniformly regulated under the General Data Protection Regulation (GDPR). This legislative technique, as assessed by the authors, ensures a systematic, consistent, and transparent framework for personal data processing, regardless of the field of application. In Viet Nam, the protection of consumers’ personal data in online shopping activities is concurrently governed by various legal instruments, most notably the Law on Protection of Consumers’ Rights (2023), Decree No. 52/2013/NĐ-CP, and Decree No. 13/2023/NĐ-CP. From a legislative perspective, the authors hold that maintaining separate regulations on personal data protection in each specialized law is necessary but should not be fragmented. Instead, a “framework regulation” approach should be adopted within a unified legal instrument - currently Decree No. 13/2023/NĐ-CP, and in the near future, the Law on Personal Data Protection (which is under drafting and expected to be passed by the National Assembly). Specialized laws should only provide specific provisions addressing unique features of their respective sectors, with explicit references or cross-citations to the general legal instrument to ensure coherence and uniformity within the legal system. It should also be noted that Decree No. 13/2023/NĐ-CP is a subordinate legal document, whereas the Law on Protection of Consumers’ Rights is a higher-level statute. Therefore, a direct cross-reference from a law to a decree may cause technical inconsistencies in legal hierarchy. While awaiting the promulgation and entry into force of the Law on Personal Data Protection, references to Decree No. 13/2023/NĐ-CP should be regarded only as an interim solution. 
In the long term, a rational hierarchical structure should be established within the legal framework - a general law providing overarching regulation, and sector-specific laws supplementing detailed, specialized provisions.

5. Conclusion

The Fourth Industrial Revolution, characterized by groundbreaking, increasingly modern and intelligent transformations, has profoundly influenced the economic and social development of nations. Among these changes, the Internet is regarded as one of the core factors reflecting the evolution and development of each country across different periods, as well as distinguishing one nation or economy from another. However, the more advanced technology becomes, the more negative consequences it may entail. A typical example is the rapid expansion of online shopping activities, which has been accompanied by a growing severity of personal data theft and breaches of consumer information - and Viet Nam is no exception. Therefore, to ensure the effective protection of consumers’ personal data in the current context, the improvement of the legal framework is imperative. In addition to refining the provisions of Decree No. 13/2023/NĐ-CP, it is essential to establish consistency and coherence among relevant legal instruments addressing this issue, thereby facilitating the protection of consumers’ personal data in online shopping activities.

REFERENCES

1. Law on Protection of Consumer Rights No. 59/2010/QH12 dated November 17, 2010.

2. Law on Protection of Consumer Rights No. 19/2023/QH15 dated June 20, 2023.

3. Law on Electronic Transactions No. 51/2005/QH11 dated November 29, 2005.

4. Law on Electronic Transactions No. 20/2023/QH15 dated June 22, 2023.

5. Decree No. 52/2013/ND-CP dated May 16, 2013, providing for e-commerce.

6. Decree No. 13/2023/ND-CP dated April 17, 2023, providing for personal data protection.

7. General Data Protection Regulation (GDPR) of the European Union.

8. Directive 2011/83/EU stipulates: In respect of personal data of the consumer, the trader shall comply with the obligations applicable under Regulation (EU) 2016/679.

9. Nhi Anh, Vietnam’s e-commerce expected to reach over USD 20 billion in 2023, vneconomy, https://vneconomy.vn/thuong-mai-dien-tu-viet-nam-nam-2023-du-kien-dat-hon-20-ty-usd.htm.

10. Ngoc Tram, Ngoc Anh, Risk of personal data leakage through e-commerce platforms, https://cand.com.vn/Ho-so-Interpol/nguy-co-lo-lot-thong-tin-ca-nhan-qua-san-thuong-mai-dien-tu-i760575/.

11. Son Bach, Dissemination and guidance on the Decree on personal data protection, https://nhandan.vn/pho-bien-huong-dan-nghi-dinh-ve-bao-ve-du-lieu-ca-nhan-post756516.html.

12. Nguyen Thi Dung, The right to be forgotten on the Internet in some countries and reference experiences for Viet Nam, https://danchuphapluat.vn/quyen-lang-quen-tren-moi-truong-internet-o-mot-so-quoc-gia-va-kinh-nghiem-tham-khao-cho-viet-nam.

13. Vu Cong Giao & Le Tran Nhu Tuyen, Protection of the right to personal data in international law, national laws of selected countries, and reference values for Viet Nam. Legislative Studies Journal, No. 09 (409), 2020.

14. Huynh Thi Nam Hai & Huynh Thi Minh Hai, The right to be forgotten and the issue of personal data protection, https://tapchitoaan.vn/quyen-duoc-lang-quen-va-van-de-bao-ve-du-lieu-ca-nhan.

15. Vu The Hoai & Nguyen Pham Thanh Hoa, The right to privacy over personal data in cyberspace under the law of the European Union – Some lessons for Viet Nam. Labour Publishing House, Ha Noi, p. 677 (2023).

16. Hoang Phe, Vietnamese Dictionary. Da Nang Publishing House, Ha Noi – Da Nang, p. 1151, 2003.

17. Le Phuong, National Assembly Deputy Ngan Phuong Loan: Consumers should be more cautious when shopping online. The National Assembly of Viet Nam, https://quochoi.vn/hoatdongdbqh/Pages/tin-hoat-dong-dai-bieu.aspx?ItemID=44113.

18. Mai Hoang Thinh, Trends in online shopping behavior of Vietnamese consumers. Industry and Trade Magazine, https://tapchicongthuong.vn/bai-viet/xu-huong-hanh-vi-mua-hang-truc-tuyen-cua-nguoi-tieu-dung-viet-nam-104014.htm.

19. Tran Binh, Alarming situation of personal data breaches, https://www.sggp.org.vn/bao-dong-tinh-trang-lo-lot-du-lieu-ca-nhan-post773279.html.

20. Vietnam E-commerce Association. Vietnam E-commerce Index Report 2023: Toward Sustainable E-commerce Development, pp. 31–37, 2023.

21. Vietnam Chamber of Commerce and Industry (VCCI) & Lazada: Sustainable E-commerce Development Report: A Driving Force for the Digital Economy, p. 25, 2023.

22. Department of E-commerce and Digital Economy, Ministry of Industry and Trade, "Vietnam E-commerce White Paper 2022", p. 45, 2022.

23. European Union, Data protection and online privacy, https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_en.htm.

* Lecturer, Faculty of Civil Law, Ho Chi Minh City University of Law. Approved for publication on May 24, 2025. Email: xkoanh@hcmulaw.edu.vn

** Bachelor of Laws, Ho Chi Minh City University of Law.

Email: nguyenphamhoa.28042001@gmail.com

[1] Mai Hoang Thinh, Trends in Online Shopping Behavior of Vietnamese Consumers, Industry and Trade Magazine, (10:15, December 28, 2024), https://tapchicongthuong.vn/bai-viet/xu-huong-hanh-vi-mua-hang-truc-tuyen-cua-nguoi-tieu-dung-viet-nam-104014.htm.

[2] Vu The Hoai, Nguyen Pham Thanh Hoa, Privacy Rights over Personal Data in Cyberspace under the Law of the European Union – Some Lessons for Vietnam, Labor Publishing House, Hanoi, p. 677, 2023.

[3] Decree No. 13/2023/ND-CP dated April 17, 2023, on personal data protection, Clause 3, Article 2.

[4] Law on Protection of Consumer Rights No. 59/2010/QH12 dated November 17, 2010, Clause 1, Article 3. Meanwhile, under the Law on Protection of Consumer Rights No. 19/2023/QH15 dated June 20, 2023, Clause 1, Article 3 (effective from July 1, 2024), a consumer is defined as a person who purchases or uses products, goods, or services for personal, family, agency, or organizational consumption and living purposes, and not for commercial purposes.

[5] Mai Hoang Thinh, Trends in Online Shopping Behavior of Vietnamese Consumers, Industry and Trade Magazine, (10:15, December 28, 2024), https://tapchicongthuong.vn/bai-viet/xu-huong-hanh-vi-mua-hang-truc-tuyen-cua-nguoi-tieu-dung-viet-nam-104014.htm.

[6] Law on Electronic Transactions No. 20/2023/QH15 dated June 22, 2023, Clause 2, Article 3.

[7] Le Phuong, NA Deputy Ngan Phuong Loan: Consumers Should Be More Cautious When Shopping Online, Viet Nam National Assembly (2:15 PM, December 28, 2024), https://quochoi.vn/hoatdongdbqh/Pages/tin-hoat-dong-dai-bieu.aspx?ItemID=44113.

[8] Nhi Anh, Viet Nam’s E-Commerce in 2023 Estimated to Reach Over USD 20 Billion, VnEconomy (2:30 PM, December 28, 2024), https://vneconomy.vn/thuong-mai-dien-tu-viet-nam-nam-2023-du-kien-dat-hon-20-ty-usd.htm.

[9] Viet Nam E-Commerce Association, E-Commerce Index Report 2023: Toward Sustainable Trade Development, pp. 31–37, 2023.

[10] VCCI, Lazada, Sustainable E-Commerce Report: A Driving Force for the Digital Economy, p. 12, 2023.

[11] VCCI, Lazada, Sustainable E-Commerce Report: A Driving Force for the Digital Economy, p. 25, 2023.

[12] Department of E-Commerce and Digital Economy, Ministry of Industry and Trade, "Viet Nam E-Commerce White Book 2022", p. 45, 2022.

[13] Ngoc Tram, Ngoc Anh, Risks of Personal Information Leakage through E-Commerce Platforms (8:00 PM, May 14, 2025), https://cand.com.vn/Ho-so-Interpol/nguy-co-lo-lot-thong-tin-ca-nhan-qua-san-thuong-mai-dien-tu-i760575/.

[14] Tran Binh, Alarming Situation of Personal Data Leaks (8:10 PM, May 14, 2025), https://www.sggp.org.vn/bao-dong-tinh-trang-lo-lot-du-lieu-ca-nhan-post773279.html.

[15] Clause 5, Article 2, Decree No. 13/2023/ND-CP dated April 17, 2023 of the Government on personal data protection.

[16] Son Bach, Dissemination and guidance on the Decree on Personal Data Protection, (1:15 PM, January 1, 2024), https://nhandan.vn/pho-bien-huong-dan-nghi-dinh-ve-bao-ve-du-lieu-ca-nhan-post756516.html.

[17] European Union, Data protection and online privacy, (10:15, January 1, 2024), https://europa.eu/youreurope/citizens/consumers/internet-telecoms/data-protection-online-privacy/index_en.htm.

[18] Vu Cong Giao, Le Tran Nhu Tuyen, Protection of Personal Data Rights in International Law, Laws of Selected Countries, and Implications for Viet Nam, Legislative Studies Journal, No. 09 (409), 2020.

[19] General Data Protection Regulation (GDPR) of the European Union, Articles 13 and 14.

[20] General Data Protection Regulation (GDPR) of the European Union, Clauses 1 and 2, Article 13, and Clauses 1 and 2, Article 14.

[21] Huynh Thi Nam Hai, Huynh Thi Minh Hai, The Right to Be Forgotten and Issues of Personal Data Protection (11:07 AM, January 1, 2024), https://tapchitoaan.vn/quyen-duoc-lang-quen-va-van-de-bao-ve-du-lieu-ca-nhan.

[22] Nguyen Thi Dung, The Right to Be Forgotten in the Internet Environment in Some Countries and Lessons for Viet Nam (3:05 PM, January 1, 2024), https://danchuphapluat.vn/quyen-lang-quen-tren-moi-truong-internet-o-mot-so-quoc-gia-va-kinh-nghiem-tham-khao-cho-viet-nam.

[23] General Data Protection Regulation (GDPR) of the European Union, Clause 1, Article 17.

[24] General Data Protection Regulation (GDPR) of the European Union, Clause 3, Article 17.

[25] General Data Protection Regulation (GDPR) of the European Union, Clause 2, Article 25.

[26] General Data Protection Regulation (GDPR) of the European Union, Clause 1, Article 32.

[27] Directive 2011/83/EU stipulates: In respect of personal data of the consumer, the trader shall comply with the obligations applicable under Regulation (EU) 2016/679, Clause 4 Article 13.

[28] Decree No. 52/2013/ND-CP dated May 16, 2013 on e-commerce, Clause 13, Article 3, defines: “Personal information means information that contributes to identifying a specific individual, including name, age, home address, telephone number, medical information, account number, personal payment transaction information, and other information that an individual wishes to keep confidential”.

[29] Article 17 of the Law on Protection of Consumer Rights 2023 is titled “Notification upon Collection and Use of Consumer Information”; Article 13 of Decree No. 13/2023/ND-CP is titled “Notification of Personal Data Processing”.

[30] Hoang Phe, Vietnamese Dictionary, Da Nang Publishing House, Hanoi – Da Nang, p. 1151, 2003.
