Is Metadata Personal Data? New Risks Under Vietnam’s Personal Data Protection Law (PDPL 2025)
When companies think about data protection, they usually focus on “visible” data like names, email addresses, or bank details. However, there is a hidden layer called metadata - essentially “data about data” - that often gets ignored.
Under Vietnam’s new personal data protection rules, overlooking metadata is a major risk. If metadata can be used to identify a specific person, it falls under the same strict rules as regular personal data.
What is Metadata? The “Digital Footprint”
Metadata is information that describes the context of a file or a message rather than the content itself. Even if you remove a person’s name from a file, the metadata can still point directly to them.
For example, a company shares an internal report after deleting the author’s name to keep it anonymous. However, the file’s properties (the metadata) still show a unique “Author ID” and a “Last Modified By” timestamp linked to a specific computer. Even though the name is gone, the metadata identifies exactly who wrote the document.
The Legal Conflict: Two Ways to Read the Law
The Personal Data Protection Law 2025 (PDPL 2025) and Decree 356/2025 define personal data (dữ liệu cá nhân) in a way that creates significant confusion. The law defines personal data as “digital data or information in other forms that identifies or helps identify a specific individual, including basic personal data and sensitive personal data.” Within this, basic personal data (dữ liệu cá nhân cơ bản) is further categorized as information reflecting “common identity and background factors frequently used in social transactions and relationships.”
The problem is that metadata often helps identify a person without actually reflecting these identity factors or frequently being used in social interactions. This leads to two conflicting interpretations:
Interpretation 1 (Strict): Metadata is only personal data if it fits the narrow definition of “basic personal data” - meaning it must reflect common identity factors frequently used in social transactions. Under this view, businesses might argue that technical logs are mere machine data, not personal data, despite their capability to point toward a specific individual.
Interpretation 2 (Broad): Under Article 3 of Decree 356/2025, basic personal data also includes “other information associated with a person or that helps to identify them.” This suggests that any metadata is regulated the moment it makes identification possible - even if it has nothing to do with background or identity.
The Identification Trap
A common misconception in data strategy is that technical metadata - like a device’s hardware ID - is “just a string of numbers” and therefore exempt from privacy laws. However, under Vietnam’s PDPL 2025, the line between technical logs and personal data is dangerously thin.
Consider a retail mall that maintains a Loyalty App database (containing names linked to device IDs). The mall offers “Free Guest Wi-Fi” and, to provide a personalized experience, the system silently records the MAC address (the permanent hardware ID) of any phone attempting to connect. The goal is simple: when a loyalty member connects, the Wi-Fi welcome page automatically greets them by name.
The mall might assume this isn't “processing personal data” because they aren't tracking behavior or collecting new names - they are just matching a hardware number to a pre-existing profile. The legal reality, however, depends on the classification of that MAC address:
Interpretation 1 (Strict): The mall argues that a MAC address is a technical string that does not reflect traditional identity factors. Since it isn't a traditional social identifier, they claim it falls outside the definition of basic personal data and should be exempt.
Interpretation 2 (Broad): This is where the legal risk becomes real. Because the mall already owns the Loyalty App database, the MAC address acts as the unique “key” that identifies the individual. Under Decree 356/2025, because this metadata helps to identify a specific individual, it is classified as basic personal data the moment it is collected.
Under the broad interpretation, the mall becomes a data controller for the MAC address data from the very start. By failing to obtain clear, informed permission at the point of MAC address collection, the mall makes its entire past data collection illegal. Because the law treats MAC addresses as personal data, failing to get consent means the mall is not allowed to use any of the data it has gathered. If the mall later tries to use these records for secondary purposes - such as generating store-level foot traffic reports or heat maps - every insight produced is considered the product of unauthorized processing.
Implications for Businesses: A Prudent Approach
For businesses in Vietnam, managing metadata should be treated as a serious legal requirement rather than just a technical one.
To navigate this, companies should follow these three steps:
Audit Technical Logs: Conduct a thorough check of IP addresses, timestamps, and device IDs to determine if they can be linked back to real people.
Treat Metadata as Personal Data: Under the PDPL 2025, personal data is defined broadly to include any information that “identifies or helps identify” a specific individual. Because Decree 356/2025 reinforces this “identifiability” test, the most prudent strategy is to treat all identifying metadata as basic personal data to avoid unexpected penalties.
Processor Vigilance: Ensure that third-party processors protect metadata with the same level of care as primary data, including stripping or hiding metadata during anonymization processes.
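The log audit in the first step can be sketched for the mall scenario above. This is an added example, not code from the original post: the log format, the field names, the MAC addresses and the member IDs are all constructed for illustration.

```python
import re

# Constructed sample data: guest Wi-Fi association log lines (assumed format).
WIFI_LOG = """\
2025-03-01T09:14:02 assoc mac=3C:22:FB:10:9A:01 ap=atrium-1
2025-03-01T09:15:40 assoc mac=DA:A1:19:4E:77:20 ap=atrium-1
2025-03-01T11:02:13 assoc mac=3c:22:fb:10:9a:01 ap=foodcourt-2
2025-03-01T11:30:55 assoc mac=F0:18:98:AB:CD:EF ap=foodcourt-2
"""
# Constructed loyalty records: device ID -> member record (stands in for a name).
LOYALTY = {"3C:22:FB:10:9A:01": "member-0001",
           "f0:18:98:ab:cd:ef": "member-0002"}

MAC_RE = re.compile(r"mac=((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def is_locally_administered(mac):
    # Bit 0x02 of the first octet marks a locally administered address,
    # which phones use for randomized MACs; such values are less likely
    # to be a permanent hardware ID, but are still linkable if enrolled.
    return bool(int(mac[:2], 16) & 0x02)

def audit_linkability(log_text, loyalty):
    """Per distinct MAC: event count, linked member (or None), address type."""
    known = {k.upper(): v for k, v in loyalty.items()}  # normalize case
    findings = {}
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # line carries no device identifier
        mac = m.group(1).upper()
        entry = findings.setdefault(mac, {
            "events": 0,
            "linked_to": known.get(mac),
            "locally_administered": is_locally_administered(mac),
        })
        entry["events"] += 1
    return findings

def summarize(findings):
    """Roll the per-MAC findings up into figures an audit report needs."""
    linkable = sorted(m for m, f in findings.items() if f["linked_to"])
    return {"distinct_macs": len(findings),
            "linkable": linkable,
            "linkable_events": sum(findings[m]["events"] for m in linkable)}

if __name__ == "__main__":
    print(summarize(audit_linkability(WIFI_LOG, LOYALTY)))
```

Any MAC address that appears in the "linkable" list is one the operator can already tie to a named person using data it holds, which is the condition the broad interpretation turns on.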
Ultimately, compliance under the PDPL 2025 requires constant vigilance over the hidden digital footprints that traditional security measures often overlook.
This post is written by Nguyen Thuc Anh.