Social media is not required to provide citizen identification to verify accounts

On the evening of May 5, at the 9th session of the XV National Assembly, Deputy Prime Minister Le Thanh Long represented the government to present the draft Law on Personal Data Protection.

Article 34 of the draft law stipulates personal data protection in relation to social networks and online information services.

It should be noted that if the draft is approved, organizations and individuals providing social network services and online information services are not required to provide images, videos containing sensitive content, or any personal information that can be used to authenticate accounts.

Organizations and individuals providing social network services and online information services must ensure the protection of personal data of citizens in Vietnam while operating in the Vietnamese market or appearing on mobile devices available for the Vietnamese market.

The service providers must clearly inform the content of the personal data collected when users utilize social networks and online services; they must not collect personal data unlawfully and beyond the scope of agreements with customers.

Social networks provide options for users to refuse cookies and share cookies; they also offer a “do not track” choice or only track the activity of users utilizing social networks and online information services with the consent of the users.

Organizations and individuals are responsible for notifying users clearly and transparently in writing regarding the sharing of personal data as well as applying protective measures when conducting advertising activities, particularly when relying on the personal data of customers. Notably, social networks are not allowed to eavesdrop, intercept, or record conversations and text messages without the explicit consent of the data subjects.

Social networks must inform data subjects about any violations and breaches of regulations regarding the protection of personal data within social network accounts and online information services within 72 hours of the occurrence of any violation or breach, along with the results of investigations, distinguishing the level of severity of the breach and potential risks arising.

The draft also defines provisions prohibiting the unlawful collection and transfer of personal data. Accordingly, organizations and individuals involved in handling personal data must apply protective measures to prevent the unlawful acquisition of personal data from systems, devices, and services of their own.

The establishment of technical systems and methods to collect personal data without the consent of data subjects constitutes a legal violation.