New responsibilities of social networks and OTT services under the draft law on personal data protection

In today’s digital era, personal data protection has become a top priority in Vietnam. The robust growth of the digital economy, particularly social media platforms, has led to the collection and processing of vast amounts of personal data – from basic information to sensitive data. To address this challenge, Vietnam’s Draft Law on Personal Data Protection has introduced detailed regulations regarding the responsibilities of social networks and over-the-top (OTT) media services in protecting users’ personal data. This article will provide a preliminary analysis of these regulations, assess their feasibility, and propose improvements suitable for Vietnam’s practical context.

1. Scope of application

The responsibilities of social networks and OTT services are stipulated in Article 31 of the Draft Law on Personal Data Protection. Article 31 applies to all organizations and individuals providing social networking and OTT services operating in the Vietnamese market or available on mobile application stores serving Vietnamese users. The regulatory scope of the draft law focuses on protecting personal data of Vietnamese citizens in the national digital space. This approach differs from the EU’s GDPR – which has a broader scope as it applies to all data subjects within the EU, regardless of the geographical location of the data controller.

2. New regulations prohibiting the use of identity documents for account verification

Article 31(c) of the draft Law explicitly prohibits social networks and OTT services from requiring users to provide images of citizen ID cards or national ID cards for account verification. This regulation is based on the fact that these documents contain sensitive information such as identification numbers, date of birth, residence, and biometric features. Storing this information on digital platforms not only poses security risks but could also lead to identity theft and fraud. 

Current international trends are moving towards safer and more convenient authentication methods, such as two-factor authentication via SMS/email, biometric verification, or authentication through bank accounts and e-wallets. These solutions not only ensure security but also create a convenient user experience.

3. Enhanced user control over cookies

The spirit of this regulation adheres to the common approach of personal data protection regulations, specifically requiring data subject consent. Accordingly, Article 31(d) stipulates that service providers must grant users the right to refuse the collection and sharing of cookies – data files used to track, analyze behavior, and optimize user experience on digital platforms. This regulation reflects an approach similar to the EU’s GDPR. 

To implement this regulation, service providers need to develop an intuitive, user-friendly cookie management interface that is transparent about the purpose, storage duration, and sharing scope of each type of cookie. This enables users to make informed decisions about allowing or refusing the collection and processing of their cookie data.

4. Regulations on data collection control rights and “do not track” mechanism

The Draft Law on Personal Data Protection has established stringent regulations regarding user activity monitoring on social media platforms and OTT services, with particular emphasis on implementing the “Do Not Track” option as a measure to protect users’ privacy rights. Under this regulation, service providers have a legal obligation to establish and maintain a technical mechanism allowing users to opt out of online activity tracking. This is considered a significant advancement in strengthening user autonomy over their personal data in the digital environment. 

From a legal perspective, the implementation of the “Do Not Track” option requires service providers to comply with several fundamental principles. First, the “Do Not Track” option must be designed in a clear, accessible, and user-friendly manner. Second, when users activate this option, service providers are obligated to cease all collection, processing, and storage of data regarding that user’s online behavior. Third, respect for users’ “Do Not Track” requests must be maintained consistently and continuously throughout the provision of the service.

Of particular significance, the draft law stipulates that all user tracking activities may only be conducted with explicit and transparent consent from the data subject. This consent must meet the following criteria: (i) given voluntarily, (ii) based on comprehensive information about the purpose and scope of data collection, (iii) expressed through a clear affirmative action, and (iv) revocable at any time. Service providers are responsible for developing and maintaining a consent management system that meets these requirements. 

However, if this provision is enacted, it remains to be seen how feasible it will be for social media platforms to implement. This is because most current social media and OTT platforms inherently depend on user behavior tracking and content recommendation mechanisms to operate effectively.

5. Regulations on eavesdropping prohibition

The Draft Law on Personal Data Protection has established a comprehensive legal framework for protecting personal communications, prohibiting all forms of unauthorized interference with users’ privacy. This includes preventing invasive acts such as surveillance, eavesdropping, call recording, and message reading without the data subject’s permission. This regulation aims to protect users’ privacy rights in an increasingly digitalized context, where the boundary between public and private spaces is becoming increasingly tenuous. 

To implement this regulation, social media and OTT service providers may need to apply end-to-end encryption technology for all forms of communication, ensuring that only the sender and recipient can access the message content. Additionally, platforms must develop real-time monitoring systems to detect and prevent unauthorized access attempts. Notably, platforms’ practice of “listening” to users for content recommendations may also be considered a violation of this regulation. 

Conclusion 

The Draft Law on Personal Data Protection marks a significant milestone in efforts to protect user privacy in the digital space. However, effective implementation requires close coordination among stakeholders. State regulatory bodies need to issue detailed guidance documents and establish effective monitoring and enforcement mechanisms. Service providers must make substantial investments in technical infrastructure and human resources to meet legal requirements. Additionally, raising user awareness about their rights and responsibilities in personal data protection plays a crucial role. Only with active participation from all parties can Vietnam’s digital environment truly become secure and reliable, creating a solid foundation for sustainable development of the digital economy. 



Disclaimers:

This article is for general information purposes only and is not intended to provide any legal advice for any particular case. The legal provisions referenced in the content are in effect at the time of publication but may have expired at the time you read the content. We therefore advise that you always consult a professional consultant before applying any content.

For issues related to the content or intellectual property rights of the article, please email cs@apolatlegal.vn.

Apolat Legal is a law firm in Vietnam with experience and capacity to provide consulting services related to Data. Contact our team of lawyers in Vietnam via email info@apolatlegal.com.
