November 8, 2023
Spam messages and calls have been defined as advertising messages and calls which are made without users’ prior consent as well as not being under the receiving responsibility of the recipients. So the question to be raised is why, despite the unwillingness to receive advertising information, do people still get those undesirable messages and calls? The main cause would be personal contact information, such as phone numbers and email addresses being disclosed and exploited by entities in the advertising industry.
Theoretically, advertisers are entitled to advertise their products, goods, services,…[1] via various optional formats, such as messaging, emailing and so on. However, it is illegal to abuse civil rights (advertising right herein) in order to violate obligations, cause damage to other persons or for other unlawful purposes[2]. In this case, it is affirmative that the act of sending out spam messages and calls should be considered as an invasion of personal privacy. In essence, the basis for sending out advertisements is personal contact data, which is mostly collected illicitly from online data brokers, aside from a tiny portion legally collected with users’ consent. Furthermore, sending spam messages and making spam calls would severely invade the personal privacy as well as have negative effect on the recipients’ lives. Therefore, it is essential that management of spam messages and calls be tighten.
Currently, on the basis of Article 8.15 of Law on Advertising No. 16/2012/QH13 about prohibiting the act of forcing other agencies, organizations and individuals to receive advertisements involuntarily, the main legal documents which apply to spams calls and messages comprise of Decree No. 91/2020/ND-CP dated August 14, 2020 on fighting spam messages, spam emails and spam calls and Circular No. 22/2021/TT-BTTTT elaborating this Decree. These two legal documents have created a fairly solid legal corridor to protect users against the attack of spam calls and messages in recent years.
Firstly, there are clear definitions on “spam messages” and “spam calls” in Article 3 of Decree No.91/2020, involving some points in common, such as (i) utilized for marketing purpose; (ii) without the consent of users; (iii) violating regulations on advertising or breach of legal prohibitions. Concurrently, the criteria for recognition of spam messages and calls[3] has been established, containing factors such as frequency and pattern of acting (mainly sending messages, not making calls and vice versa) in order to orient towards prevention of spam messages and calls.
Secondly, there are multiple regulations on solutions to prevent spam advertisements. Specifically, Article 4 of Decree No.91/2020/ND-CP indicates measures for fighting spam messages and calls, for example, (i) Develop and launch systems for fighting and preventing spam messages, spam emails and spam calls; (ii) Receive and process feedbacks about spam messages, spam emails and spam calls; (iii) Spread knowledge and raise awareness of anti-spam efforts,… As a result, there have been a number of detailed measures established by relevant ministries, departments and agencies in order to manage spam calls and messages.
Thirdly, spam messages and calls are being managed via the Do-Not-Call Register[4] and the system for receiving feedbacks about spam messages and calls[5]. Receiving anti-spam information from users via the 5656 prefix phone number enables the Authority of Information Security (AIS) of the Ministry of Information and Communications to promptly coordinate anti-spam activities. Concurrently, phone users are entitled to refuse receiving opt-in messages, advertising messages or calls once their phone numbers are subscribed to the Do-Not-Call Register[6]. Instructions on how to utilize the aforementioned systems are specifically provided in Articles 5 and 6 of Circular No.22/2021/TT-BTTTT.
Fourthly, current legal documents clearly and separately stipulate the responsibilities of each subject on fighting spam messages and calls, including liabilities of telecommunications services and Internet services providers for instructing users and directly taking steps to prevent spam messages and calls[7]; liabilities of advertisers for legal and suitable advertising measures[8]; and, last but not least, rights and obligations of users on managing both advertising and spam messages, calls[9].
Fifthly, there are administrative penalties for violations of regulations on fighting spam messages and calls. The consolidated document No.08/VBHN-BTTTT in 2022 has a number of regulations on anti-spam messages and calls, which have been merged from Decree No.15/2020/ND-CP, No.91/2020/ND-CP and No.14/2022/ND-CP. The aforementioned provisions clearly stipulate the fine for each administrative violation in preventing, handling spam messages, spam calls[10].
Nonetheless, regulations currently in effect do not clearly or tightly regulate the main cause of spam messages and calls – infringement of personal contact information. Despite directional regulations on data protection in The 2013 Constitution, Civil Code No.91/2015/QH13 and other related Laws such as Cybersecurity Law No.24/2018/QH14, Law on Cyberinformation Security No.86/2015/QH13, etc and particularly, even though the act of trading private information without the users’ consent has been considered a crime according to Article 288 of Criminal Code No. 01/VBHN-VPQH, contemporary legal documents on managing spam messages and calls still do not strictly or completely regulate this illicit action.
Firstly, we can observe the positive impact of implementing regulations on fighting spam calls and messages. In the first nine months of 2022, the 5656 prefix phone number received 202,949 feedbacks from users, including: 25,476 feedbacks about spam messages (a decrease of 10.6% compared to the figure for the same period of 2021); and 177,473 feedbacks about spam calls (an increase of 34.2%)[11]. Whereas, the figure for subscribers of the Do-Not-Call register has steeply rocketed due to the positive response from citizens, indicated by the number of more than 100,000 new subscribers just in the first 20 days of operating the system[12]. Hitherto, after two years of implementation, this register has been prevalent among mobile subscribers as well as advertisers with 62 enterprises connecting to the Do-Not-Call register management system in order to get the list of subscribers registered, thus, they can avoid the risk of being punished for administrative violations resulting from sending spam messages and making spam calls to such phone numbers[13].
Additionally, telecommunication enterprises have contributed considerably to the process of fighting spam messages and calls via a number of statutory measures in accordance with the law and the guidance of competent state agencies. Specifically, based on the criteria for recognition of spam messages and calls, in the first half year of 2022, these enterprises blocked 356.6 million spam messages (an increase of 79.1% compared to the figure for the same period of 2021); as well as blocked (including locking and canceling) more than 150,000 phone numbers which were suspected of sending spam messages[14].
Secondly, there are also negative impacts of implementing regulations on fighting spam calls and messages. In addition to the aforementioned merits, in practice, the results of managing spam messages and calls have not thoroughly met expectations since a large number of spam sources are still reaching users. Furthermore, there are many problems in not only the regulations but also the practical implementation, such as the deficiency of instructions from telecommunication providers or the authority on how to utilize the statutory anti-spam system, which leads to difficulties for users; or the inefficiency of the criteria for recognition of spam messages and calls due to the lack of transparency and close management of the authorities, leading to ineffective implementation.
In particular, the deficiency of provisions which directly regulate the field of personal information protection, including the disclosure or trading of personal contact data in the advertising industry hampers public effort to root out the issue of spam messages and calls.
While awaiting the state’s amendment or guidance on imperfect regulations, individuals, advertisers and platform services providers can take these following steps in order to minimize the risk of undesirable impact on operating process:
Firstly, for individuals affected by spam messages and calls: At first, these subjects need to have enough legal knowledge to protect themselves against spam advertisements. It is advisable to strictly and thoroughly implement statutory measures to fight spam messages and calls, such as (i) subscribing to the Do-Not-Call Register to avoid receiving advertisements; (ii) proactively sending anti-spam feedbacks to the prefix phone number for assistance in handling the issue; and (iii) providing samples of spam messages to telecommunication providers and the competent authorities, etc. Particularly, mobile phone users must be aware of the risks from personal data disclosure, especially contact information. Therefore, users should have a sense of self-protection and apply basic protective measures for their data. In fact, this can be considered one of the most effective solutions to steer clear of spam messages and calls.
Secondly, for advertisers: To avoid probable risks when conducting marketing schemes, it is vital for these enterprises to constantly and promptly update legal provisions and relevant information from the state agencies for a comprehensive grasp of current laws and policies. Thus, they can adjust their plans to be appropriate to actual conditions. Moreover, advertisers also need to heed information of the Do-Not-Call Register and the anti-spam feedback system (5656 and 156 prefix phone numbers) to avert administrative penalties for erroneous messaging or calling to registered numbers. Applying a lawful and civilized scheme of advertising can lay a better foundation for business branding as well as extending the market share, in comparison to sending out spam advertisements.
Thirdly, for advertising platform services providers: To fulfil the legal obligations to fight spam messages and calls, aside from upgrading infrastructure and facilities for business purposes and managing spam advertisements, these providers can also take into account some supplementary measures, such as (i) cooperating with other providers in sharing experience, information and technology related to this field; or (ii) dividing responsibilities for managing spam messages and calls between themselves and other enterprises so as to complete the task more effectively and economically.
To conclude, it is clear that the contemporary system of laws has contributed substantially to the success of managing spam messages and calls, indicated by many above-mentioned positive results. However, more than the merits, the regulations and their implementation still contain some severe demerits which negatively impact the related subjects. Therefore, advertisers, individuals, and platform services providers should not only comply with the statutory regulations and make amending recommendations but also have other proactive measures to reduce the detrimental effect of spam messages and calls on their business.
PrivacyCompliance
[1] Article 12.1 of Law No. 16/2012/QH13 on Advertising :
“Article 12. Rights and obligations of advertisers
…”
[2] Article 10.1 of Civil Code No. 91/2015/QH13
[3] Article 4 of Circular No.22/2021/TT-BTTTT:
“Article 4. Criteria for recognition of spam messages, spam calls, and spam emails
….”
[4] Article 7 of Decree No.91/2020/ND-CP
[5] Article 5 of Decree No 91.2020/ND-CP and Article 5 of Circular No22/2021/TT-BTTTT
[6] Do-Not-Call Register is the list of phone numbers that have been registered by their subscribers who do not want to receive any opt-in message, advertising message or advertising call.
[7] Article 9 of Decree No.91/2020/ND-CP
[8] Article 10 of Decree No.91/2020/ND-CP
[9] Article 11 of Decree No.91/2020/ND-CP
[10] Article 94, 95 of The consolidated document No.08/VBHN-BTTTT in 2022.
[11] NK (2022), “Thí điểm đầu số 156 tiếp nhận phản ánh về cuộc gọi có dấu hiệu lừa đảo”. Link:
https://dangcongsan.vn/xa-hoi/thi-diem-dau-so-156-tiep-nhan-phan-anh-ve-cuoc-goi-co-dau-hieu-lua-dao-623284.html ; last time access: 09/01/2023.
[12] Minh Sơn (2020), “Hơn 100.000 thuê bao di động đã đăng ký vào danh sách không quảng cáo”. Link:
https://www.vietnamplus.vn/hon-100000-thue-bao-di-dong-da-dang-ky-vao-danh-sach-khong-quang-cao/674078.vnp ; last time access: 09/01/2023.
[13] NK (2022), “Đã có 62 DN quảng cáo kết nối vào hệ thống quản lý danh sách không quảng cáo”. Link: https://ictvietnam.vn/da-co-62-dn-quang-cao-ket-noi-vao-he-thong-quan-ly-danh-sach-khong-quang-cao-21670.html ; last time access: 09/01/2023.
[14] Section 1 of the Official Dispatch 4175/BTTTT-VP dated 11/08/2022 on preventing and handling spam messages, calls from unknown numbers, signs of fraud and information theft, issued by the Ministry of Information and Communications.
CJEU confirms that competitors can sue each other for GDPR infringements A German pharmacy sued another pharmacy for failing to guarantee explicit consent when processing the health data of the clients as prescribed under GDPR. The German Court held that such activity does amount to unfair and unlawful practice. However, the Court was unsure whether […]
Learn more
EDPB’s Guidelines on Legitimate Intesrest Recently, the European Data Protection Board (“EDPB”) adopted Guidelines 01/2024 on processing of personal data based on Article 6(1)(f) GDPR (processing based on legitimate interest). Legitimate interest is one of the lawful grounds on which personal data can be processed. Its flexible nature makes it quite hard to actually apply […]
Learn more
Can data subjects be data controllers? With the rise of AI trained on user data, the question of whether data subjects be considered data controllers for the personal data in their AI prompts and outputs has once again taken the spotlight. This is not a new issue, the possibility of the data subjects acting as […]
Learn more