Consumer information security is a very important and urgent issue, as it not only helps consumers minimize the risks of information leakage but also ensures their personal privacy rights. However, the infringement on consumers' information privacy during transactions is currently quite common and frequent, significantly impacting consumers. This article focuses on analyzing and clarifying certain regulations regarding personal information, personal information security, and suggests several methods to safeguard consumer information during transactions.
First, what is meant by "Personal Information" or "Personal Data" of consumers?
According to Clause 13, Article 3, Decree No. 52/2013/ND-CP dated May 16, 2013, issued by the Government on E-commerce, "Personal information is information that contributes to identifying a specific individual, including name, age, home address, phone number, medical information, bank account numbers, information on individual payment transactions, and other information that an individual wish to keep confidential. Personal information in this Decree does not include work contact information and information that individuals have self-published through media channels." (Decree No. 52/2013/ND-CP was amended and supplemented on September 25, 2021, by Decree No. 85/2021/ND-CP, and the regulation in Clause 13, Article 3, of Decree No. 52/2013/ND-CP remains unchanged.)
Alternatively, according to Article 2 of Decree No. 13/2023/ND-CP dated April 17, 2023, issued by the Government on the protection of personal data: "Personal data refers to information in the form of symbols, writing, numbers, images, sounds, or similar forms in the electronic environment that is linked to a specific individual or helps identify a specific individual. Personal data includes basic personal data and sensitive personal data." "Information that helps identify a specific individual is information created from an individual's activities which, when combined with other stored data or information, can identify a specific person."
A consumer is defined as someone who purchases or uses products, goods, or services for personal, family, organizational, or institutional purposes, not for commercial purposes. The information of consumers includes their personal information, information about the process of purchasing and using products, goods, and services, and other information related to the transactions between consumers and business entities or individuals (Clause 1, 3, Article 3, Consumer Protection Law 2023).
This information is often shared by users when participating in social media applications such as Facebook, Zalo, Instagram, or provided when using utility apps, conducting e-commerce transactions, participating in online games, or when accessing advertisements on websites...
Besides, consumers often have to provide their personal information to businesses or individuals when they wish to purchase a product directly. For small-value goods, consumers may not need to provide information to the business or individual, but for high-value goods, it is necessary to provide details such as name, age, address, and phone number to facilitate delivery or post-purchase services. Especially in cases where consumers make transactions online, they are often required to provide sensitive information such as bank card numbers and security pins. This information is crucial to consumers, and if leaked, they could suffer significant material and emotional consequences.
In practice, the leakage of personal information, particularly mobile phone numbers and social media account names, causes consumers a great deal of trouble and annoyance from spam messages and advertising texts. For example, consumers who purchase goods or services from unreliable intermediaries with poor information security policies often receive unsolicited messages or calls offering loans, property purchases, or participation in training courses.
Many online fraudsters have used real consumer photos from social media to create fake accounts, scamming the account holder's friends and relatives. Moreover, frequent updates of daily activities on social media, including images and information about children, can also become valuable information for cybercriminals.
With the application of artificial intelligence (AI), the collected information is processed to create data fields on users' information and behavior, which applications or social networks can sell to third parties for advertising purposes. Therefore, once personal data is publicly shared, its collection, processing, and distribution fall outside the control of consumers.
Given these realities, the issue of securing personal information for consumers is increasingly concerning and remains an urgent matter.
So, what is information security?
Information security (Information Security) refers to the activities of maintaining and ensuring that stored and transmitted data is secure, preventing unauthorized access or actions that target personal and organizational assets, data, and private information. Effective information security minimizes risks for both individuals and businesses.
Information security involves maintaining four interconnected principles: confidentiality, integrity, accuracy, and availability of all information.
Confidentiality is the central focus of any security solution for an information technology system. It ensures that access control functions are effective.
Integrity refers to ensuring that the information is complete and unaltered. It is a complex and often misunderstood characteristic. Integrity is understood as the quality of information based on how accurately it reflects reality. The closer the data is to reality, the more accurate the information.
Accuracy of information ensures that all provided information is correct, complete, without error, and does not infringe upon content copyright.
Availability of information is another critical characteristic, ensuring that information reaches the right person (authorized user) when needed or requested.
In Vietnam, several laws related to information security have been enacted, including:
The Law on Protection of State Secrets, passed by the XIV National Assembly during its 6th session (November 15, 2018), consists of 5 chapters and 28 articles, effective from July 1, 2020. Some provisions related to the formulation, appraisal, and promulgation of the list of state secrets and the protection periods became effective on January 1, 2019.
The Cybersecurity Law, passed on June 12, 2018, and effective from January 1, 2019, includes 7 chapters and 43 articles, defining key issues related to national cybersecurity, including the protection of critical information systems, prevention of cyber threats, and the roles and responsibilities of organizations and individuals.
Decree 13/2023/ND-CP, issued on April 17, 2023, concerns the protection of personal data and consists of 4 chapters and 44 articles. It outlines the responsibilities of organizations and individuals in protecting personal data.
In addition, the Constitution, Civil Code, Consumer Protection Law, and numerous sectoral regulations such as laws on telecommunications, information technology, and electronic transactions include provisions on the basic rights of citizens and the protection of personal information.
For individual consumers, the theft or alteration of personal information can result in significant losses, not only damaging personal reputation but also leading to financial harm. Those who misuse personal data may engage in illegal activities.
Therefore, protecting consumers' personal information is essential to prevent data breaches by hackers, ensure secure information exchange and transactions, and avoid legal consequences.
Some methods to safeguard personal information include:
Securing personal information through legal regulations:
The state has enacted laws that define permissible and prohibited actions as well as sanctions for violations related to personal information security of consumers. The issue of information security has been a priority for the state, with regulations and penalties specified in the following legal documents: the Constitution, the Consumer Protection Law 2023, the Network Information Security Law 2015, the Civil Code 2015, the Criminal Code 2015 (amended in 2017), and the Law on Administrative Penalties, among others.
Securing information through legal compliance by businesses and individuals:
Organizations and individuals engaged in business must comply with legal regulations regarding the protection of information technology and personal data of consumers both during and after the collection of personal information. Additionally, the security of consumer information is a criterion for evaluating business operations, the application of scientific and technological advancements, and the reputation of businesses and individuals. Therefore, businesses and individuals should establish a comprehensive information security policy and procedures to adhere to legal requirements and enhance consumer trust, thereby improving the company's reputation and standing.
Securing information through consumer awareness:
Consumers themselves need to be aware and responsible for protecting their own personal information by increasing their knowledge about personal data protection, understanding their responsibility for their own data, and proactively checking and verifying the privacy policies of businesses before agreeing to provide their personal information. They should not indiscriminately share personal information with organizations or individuals that have not been verified as trustworthy. Given the rise of online shopping, experts suggest that although many websites and social media platforms offer online sales, regulatory agencies can only control registered e-commerce sites. To avoid risks when shopping online, consumers should be cautious of unfamiliar websites or social media accounts advertising services or products at unusually low prices or with large discounts. Particularly, consumers should be careful with requests for personal information (such as name, phone number, date of birth, address, bank account number, etc.) from unfamiliar websites to prevent financial data theft or account breaches.
Additionally, consumers should be aware that many applications can store location data and use artificial intelligence to monitor activities such as searches, check-ins, and shopping, even eavesdropping. Therefore, it is recommended to set location sharing on applications to only display when in use to protect oneself from data exposure.
If consumers accidentally expose their information and face disturbances or fraud, they should not remain silent but report to relevant agencies or specialized units to issue warnings and alerts to others.
It is evident that personal information is crucial for identifying an individual and distinguishing them from others. Protecting personal information is especially important for ensuring privacy and confidentiality. Article 21 of the 2013 Constitution and Article 38 of the 2015 Civil Code of Vietnam recognize the inviolability of personal privacy and confidentiality, which are protected by law. However, in the current context, personal information is increasingly treated as a valuable commodity due to unlawful collection, processing, and trading, particularly in the context of consumer transactions which are becoming more widespread and sophisticated. This seriously infringes upon the legitimate rights and interests of individuals involved in commercial transactions. Therefore, it is essential to continue protecting the personal information of individuals against potential breaches in the context of current consumer transactions.