Realizing the positive role of international integration in economic development, Vietnam has proactively participated in new generation free trade agreements. Since the early years of the 21st century, Vietnam has realized this aspiration in Party and State documents, clearly expressing its viewpoints and policies on international trade promotion.
Regarding the preparation work in terms of completing legal procedures specifically for international trade commitments, Vietnam has an important basis which is the Law on International Treaties 2016, related resolutions and decisions to create a mechanism for approving participation in agreements quickly, neatly and effectively; including important documents such as: Resolution No. 07-NQ/TW, dated November 27, 2001, of the Politburo , on international economic integration; Decision No. 40/QD-TTg, dated January 7, 2016, of the Prime Minister, on approving the overall strategy for international integration until 2020, with a vision to 2030; Directive No. 38/CT-TTg, dated October 19, 2017, of the Prime Minister, on strengthening the implementation and effective exploitation of free trade agreements that have come into effect...
In order to meet legal compatibility, Vietnam has actively transformed the provisions of the agreements into domestic law and applied them harmonized with multilateral treaties and agreements, in which regulations on data security have been urgently researched, completed and promulgated, such as the Law on Personal Data Protection 2025 and the Law on Data 2024.
Personal data is one of the important components of e-commerce transactions. E-commerce transactions generate two groups of data, the first group is the personal data of the participants in the transaction, the second group is their behavior and conduct during the transaction completion process. The entire digital economy is a collection of data on all aspects surrounding individuals (1) . According to the operating method of modern e-commerce platforms, personal data is collected, stored, and used to process transactions; at the same time, to optimize user experience, or in other words, to make the subsequent transaction process easier and more convenient. For a long time before 2023 - the time of the issuance of Decree No. 13/2023/ND-CP on personal data management - in Vietnam, personal data in e-commerce was collected without being regulated by legal documents, raising concerns about information disclosure and leakage.
Personal data security is a condition of privacy. Personal data that is exploited and stored against the will of the subject will contain risks of violating privacy. Privacy is the right of an individual to keep confidential information, documents, and data related to private life; it is the right to inviolability of the body, residence, correspondence, telephone and other electronic information that no subject is allowed to access publicly, except in cases where this person himself/herself permits or by decision of a competent state agency. Privacy is not directly mentioned as a legal concept, but is declared through specific provisions, mainly on preventing infringement and extortion of information and unwanted interference with personal identity. For privacy in general, there are two main areas of concern: privacy and inviolability of the body, residence, and correspondence .
For e-commerce, customers' personal information is a form of data that contributes to " reconstructing " customer portraits and contributing to predicting customers' behavior and reactions when accessing product and service introduction content (2) ; privacy is connected to advertising in the digital environment, so businesses have the motivation and benefit of exploiting and storing customers' personal data (3) .
Although ensuring privacy and personal information security is a prerequisite for the development of e-commerce and ensuring privacy in the electronic environment, it is also a major legal challenge in Vietnam. In theory, data and personal information have not yet been truly recognized as a form of property, thereby the collection and processing of data has not properly assessed its nature. Currently, new legal regulations only focus on data processing procedures, aiming to protect individuals from unwanted infringement and exploitation of this data, avoiding consequences of privacy infringement. Meanwhile, data collected through e-commerce activities, in addition to the functions of storage and statistics, is also an input resource for activities to optimize the shopping experience and can bring future revenue (4) .
As a comprehensive statement, Article 17 of the International Covenant on Civil and Political Rights (ICCPR 1976) to which Vietnam is a member, clearly states that “ no one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence ”. Modern international law has specific provisions when assessing legal frameworks on privacy when designing personal information collection systems, as reflected in the OECD Privacy Principles, the Council of Europe Convention on the Protection of Individuals with Regard to Automatic Processing of Personal Information and Data (Convention 108), the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the International Standards on Privacy and Protection of Personal Information and Data (Madrid Resolution).
Personal data is a concept referred to in the European Union General Data Protection Regulation (EU GDPR 2016). Article 4 of the GDPR stipulates: “personal data means any information relating to a natural person (also known as: data subject) from which that natural person is or can be identified (...), which may refer to an identifier such as a name, an identification number, location, an online identifier or to factors specific to the physical, physiological, genetic, mental, economic, cultural or social aspects of that natural person”. These provisions also have a high degree of similarity to Article 2 of the Personal Data Protection Act 2025 on personal data protection.
The right to privacy ( right to privacy ) under Vietnamese law is called the right to privacy, essentially the right of an individual to establish boundaries with others (5) . The right to privacy under Vietnamese law is expressed in the 2013 Constitution, the 2015 Civil Code, the 2018 Law on Cyber Security in many personal aspects, such as privacy, confidentiality of correspondence and exchanges, and inviolability of residence. The 2025 Law on Personal Data Protection, Decree No. 13/2023/ND-CP and the 2024 Data Law are important legal documents, with provisions revolving around ensuring the security of personal data and building a national data center. Current legal norms have been built comprehensively and fundamentally, with provisions in accordance with international law.
Different concerns among countries about privacy reflect the differences in the overall level of socio-economic development of that country. Strategic differences among governments in prioritizing e-commerce development show that technology infrastructure issues are of greater concern in developing countries and sustainable development issues are of greater concern in developed countries (7) . Transparency in information disclosure and legal compatibility will effectively support the global development of e-commerce, as it creates a uniform and favorable commercial environment for transactions.
Assessing the regulations on personal data security, within the framework of cross-border e-commerce activities mentioned in Chapter 14 of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), member countries at the time of signing the agreement have not met the same level of compliance (8) . In particular, Brunei Darussalam and Vietnam are two countries that need time to meet the special requirements for Clause 14.8, Section 2 on the application of the legal framework for regulations to ensure personal data security.
Although requiring countries to comply with measures to manage cross-border data flows, aiming at a highly homogeneous common market in terms of commercial operating standards, the CPTPP also allows for contextual application. In addition to the cases of Vietnam and Brunei Darussalam, which delayed the implementation progress, member countries are allowed to manage data transfers abroad under the goal of ensuring national security, as long as they are not disguised trade barriers or are not overly regulated. Issues related to personal data security, in addition to ensuring the practice of personal rights over users' personal data, economic impacts can also include the management of super-platforms such as social media, e-commerce platforms; cybersecurity and adverse cost and time impacts on Vietnamese businesses, especially small and medium enterprises.
Other important new-generation free trade agreements, such as the Vietnam-EU Free Trade Agreement (EVFTA) and the Regional Comprehensive Economic Partnership (RCEP), provide for regulations on personal data security and privacy that are highly similar to those mentioned in the CPTPP. Specifically, in Chapter 8 of the EVFTA and Chapter 12 of the RCEP on e-commerce, member countries agree to maintain an effective legal framework on personal data security and privacy, not to apply restrictive measures, and to actively pursue legal compatibility goals among member countries.
The right to privacy in Japan is enshrined in Article 13 of the country's Constitution (9) , which affirms that citizens are protected in the process of state management. Japanese lawmakers have a clear and consistent view on the issue of personal data security, considering it an important issue to ensure social order and national values as well as Japan's position in international trade.
Japan's modern personal data protection law is considered to be relatively complete and strict, as a result of the careful preparation of the Japanese government to ensure trade relations with the European Union, after this economic zone applied personal data protection regulations to third-party countries involved in commercial transactions that exploit personal data (10) . Although, like other countries in Asia, the legal awareness of privacy rights is relatively slow and privacy laws are still in their infancy, Japan has shown early readiness to respond to European data protection laws at a high level, promoting the goal of protecting the rights and legitimate interests of citizens.
Despite significant obstacles due to pressure from the private sector, the Japanese government's measures still show their correctness and create extremely favorable conditions when considering the regulations of personal data security in this country with international law in general. Unlike many countries, Japan separates privacy and information security into two areas, although there is an assertion that there is an overlapping area, based on legal reasoning: privacy and information security overlap in terms of information privacy , but there are also differences, reflected in the enforcement mechanism and ultimate purpose of the law. In fact, it is possible to practice the right to information security without having to apply the right to privacy under Japanese law (11) , because the law has stipulated the principles of information storage and protection as well as the protection of ordinary civil assets. Japanese enterprises receive significant legal and financial support, with two main purposes: standardizing information management systems and upgrading systems through modern management technologies.
Standardizing information management systems requires procedural and planning activities such as backup, forecasting, and zoning of responsible personnel, while applying management technology requires time and cost. The increase in time and cost can cause significant obstacles for small and medium-sized enterprises. Japan applies specific financial support policies including tax credits and depreciation of technology investments with funding levels of up to 30% of the investment value. The Japanese government describes the future society with the term Society 5.0, which aims at comprehensive digitalization, and considers digital infrastructure, technology and digital industry, and personnel with experience in digital processes as the three pillars of Society 5.0 (12) .
The above contents of Japan are valuable experiences for many countries in the process of perfecting laws on personal data protection, and at the same time have reference value for Vietnam in the process of identifying solutions to improve personal data security in parallel with developing e-commerce solutions.
Information security in the e-commerce environment is practiced through information systems, including tasks from collecting, encoding, arranging, storing, and destroying information, so information system management plays a leading role in personal data management.
Technically, Vietnam has developed the national standard TCVN 11930:2017 on Information technology - Security techniques - Basic requirements for information system security by level. In this regulation, standard information systems must meet important requirements on data security, such as having backup measures and ensuring the ability to restore data, encryption, storage partitions, access authorization... to prevent intrusion and illegal exploitation, ensuring the integrity of information. The document on the one hand sets out the levels of information security of the system, on the other hand is a technical standard for companies to compare and apply to optimize their systems. However, for commercial and service enterprises, the standard is currently only recommended. The mandatory application of information system security standards by level will equip businesses with an effective layer of protection and risk prevention. In addition, export enterprises and small and medium enterprises will have to carry out radical reforms and meet international information security standards under time and cost pressures. Information support and specific grants when upgrading information system security will be appropriate and highly effective methods for improving information security standards./.
--------------
(1) Spina A., “A Regulatory Mariage de Figaro: Risk Regulation, Data Protection, and Data Ethics”, European Journal of Risk Regulation . 2017, No. 8 (1): pp. 88-94
“digital economy is fueled by personal data, quite literrally” (rough translation: “data is the fuel of the digital economy” ), p. 88
(2) Ullah, I., Boreli, R. & Kanhere, SS, “Privacy in targeted advertising on mobile devices: a survey”, Int. J. Inf. Secur. 2023, no. 22, pp. 647-678
(3) Boerman, SC, & Smit, EG, “Advertising and Privacy: an overview of past research and a research agenda”, International Journal of Advertising , 2022, No. 42 (1), pp. 60-68
(4) Cavoukian, A., “Privacy by Design: Origins, Meaning, and Prospects for Assuring Privacy and Trust in the Information Era”, Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards , 2011, pp. 170-208
(5) Vu Cong Giao, Tran Le Nhu Tuyen, “Protection of rights to personal data in international law, laws in some countries and reference values for Vietnam”, Journal of Legislative Studies No. 09, 2020, (409)
(6) Nguyen Ngoc Dien, “Right to access information and the right to inviolability of private life”, Journal of Legislative Studies, 2018, No. 15, tr3-10
(7) Tran Thi Thap, Nguyen Tran Hung, Basic E-Commerce Textbook , Information and Communication Publishing House, 2020, pp.24-25
(8) Kimura, F. (2019), “The Importance and Implications of the E-Commerce Clause in the CPTPP”, Financial Cooperation in East Asia , S. Rajaratnam School of International Studies, Nanyang University Singapore
(9) Article 13 of the Japanese Constitution stipulates that citizens' liberty in private life shall be protected against the exercise of public authority.
(10) Suda, Y., “Japan's Personal Information Protection Policy Under Pressure: The Japan-EU Data Transfer Dialogue and Beyond”, Asian Survey, 2020, no. 60(3) pp. 510-33
(11) Harland J., “Japan's new privacy legislation: are you ready?”, Computer Law & Security Review , No. 20(3), 2004, pp. 200-3
(12) Japan External Trade Organization (JETRO): Enhancing National Productivity by Focusing on Data Linkage and International Cooperation, https://www.jetro.go.jp/en/invest/attractive_sectors/ict/government_initiatives.html
Source: https://tapchicongsan.org.vn/web/guest/nghien-cu/-/2018/1119402/tiep-tuc-hoan-thien-he-thong-phap-luat-ve-bao-ve-du-lieu-ca-nhan-huong-toi-muc-tieu-hoi-nhap-va-xay-dung-nen-kinh-te-so.aspx
Comment (0)