26.2 C
Ho Chi Minh City
Monday, July 13, 2026

Paradox of personal location data

By Lawyer Nguyen Van Phuc

Must read

In the digital economy, a person’s location data can reveal a surprising amount of information, including where they are, where they live and work, who they regularly meet, how they move about in their daily lives, and even the types of behavioral groups they may belong to. For businesses, this makes location data one of the most valuable forms of commercial information. For consumers, however, it is also one of the most sensitive types of personal data, carrying significant privacy risks.

For technology platforms such as Grab, Be, Xanh SM, ShopeeFood, and GHN – Express, location data is far more than a technical input. It serves as the backbone of their digital business models, underpinning everything from ride matching and route optimization to delivery coordination, estimated arrival times, fraud prevention, and day-to-day operational management. Virtually every core function depends on the ability to track and process location information in real time.

Fine line between efficiency and privacy

Decree No. 356/2025/ND-CP, which provides detailed guidance on the 2025 Law on Personal Data Protection, classifies personal location data collected through location-based services as sensitive personal data. As a result, any activity involving the collection, storage, analysis, sharing, or transfer of location data must comply with stricter requirements governing the legal basis for data processing, notice and consent mechanisms, data retention and security controls, impact assessments, and incident response measures. Personal location data is therefore subject to heightened regulatory protection and oversight.

The challenge for technology companies is that they can hardly function without access to location data. A ride-hailing platform must know the precise locations of both passengers and drivers to efficiently match trips. A food delivery app relies on real-time tracking of couriers to optimize delivery routes and estimate arrival times. Likewise, logistics companies depend on continuous location tracking of vehicles, warehouses, and shipments to manage operations and monitor delivery status.

In other words, location data is not merely an operational tool; it is a core revenue-generating asset. This creates a unique challenge for technology companies. On the one hand, data protection laws require organizations to minimize data collection and limit processing to specific purposes. On the other hand, their business models depend on access to accurate, continuous, and real-time location data to function effectively.

Consent means “take it or leave it”

In the past, many companies tended to view a user’s click on an “Agree” button as an almost unquestionable legal basis for processing personal data. Under Vietnam’s new personal data protection framework, however, that approach is increasingly exposing organizations to legal and compliance risks.

When it comes to location data, the key question is no longer simply whether a user has given consent. It also involves whether the user was adequately informed, whether that consent was genuinely voluntary, and whether the company has effectively forced users into an “agree or lose access to the service” situation.

In many cases, the concept of “consent” can, in practice, become a “take it or leave it” arrangement, where users must agree to share their location data in order to continue using a service. This blurs the line between “freely given consent” and “consent that is effectively conditional” on access to the service, an issue that is becoming increasingly sensitive from a legal and regulatory perspective.

Growing risks of secondary data use

One of the most complex legal issues surrounding location data is that it is rarely used for a single purpose.

Location data may initially be collected to match rides or optimize delivery routes, but it is often later repurposed for a range of additional uses, including analyzing user behavior, evaluating driver performance, delivering targeted advertising, forecasting market demand, and even training artificial intelligence systems.

From a technical and operational standpoint, such reuse can help companies reduce data collection costs, improve efficiency, and enhance the performance of their algorithms. From a legal perspective, however, it represents a significant compliance risk when the scope of data processing expands beyond the purposes that were originally disclosed to, reasonably expected by, or otherwise known to the data subject.

The longer data is retained, the greater the risk

Technology companies generally prefer to retain data for as long as possible, as historical location records can provide significant business value. Such data can be used to resolve customer disputes, detect and investigate fraud, forecast demand patterns, optimize routing systems, and support a range of other operational and strategic decisions.

Personal data protection laws, however, take a fundamentally different approach. Under these frameworks, personal data should be retained only for as long as necessary to fulfill the purpose for which it was collected. This creates a significant compliance challenge for ride-hailing platforms, not only in Vietnam but across the globe.

If companies retain location histories for too long, both legal and security risks can increase. Extended retention periods not only heighten the risk of data breaches and unauthorized disclosures but may also expose organizations to claims that they are processing personal data beyond its original purpose or keeping it longer than necessary.

At the same time, deleting such data too quickly presents a different set of challenges. Companies may lose critical records needed to verify deliveries or completed services, resolve customer complaints, and investigate potentially fraudulent activity. In some cases, premature deletion can also undermine a company’s ability to manage operational risks and protect the integrity of its services.

The key question is no longer whether to retain the data, but which data should be kept, at what level of detail, who should have access to it, and for how long.

Risks of exposing location histories

Among the various types of personal data today, location data may not appear as intuitively sensitive as financial information or medical records. However, it is arguably the type of data most capable of reconstructing a person’s life in a comprehensive manner. For technology platforms such as ride-hailing, food delivery, and logistics services, this risk is particularly significant because companies do not have a single location. Rather, they often have access to a user’s entire “movement stream,” whether in real-time or through long-term historical records.

This is also why many data protection authorities around the world regard the exposure of location data as one of the most serious privacy incidents. In July 2022, Ubeeqo International, a French car-sharing and short-term rental company, was fined €175,000 by the French Data Protection Authority (CNIL) for multiple violations of the General Data Protection Regulation (GDPR), primarily for excessive collection of users’ location data. CNIL specifically emphasized that the tracking and retention of overly detailed geolocation data can create a risk of monitoring individuals’ private lives beyond what is necessary.

CNIL specifically highlighted that tracking and retaining overly detailed geolocation data can create a risk of monitoring individuals’ private lives beyond what is necessary.

Challenges of cross-border data transfers

Most technology companies today rely on international cloud storage services, foreign service providers, global artificial intelligence systems, and data centers located outside Vietnam. As a result, location data is often transferred across borders as part of routine business operations.

Under the current legal framework, however, such transfers carry a range of compliance obligations. Companies may be required to conduct cross-border data transfer impact assessments, implement controls over data recipients, and establish appropriate safeguards to protect the data throughout the transfer process. In practice, these requirements have become one of the most significant compliance challenges facing technology companies operating in Vietnam today.

In the near future, the competitiveness of technology companies will be measured not only by their algorithms, delivery speed, or ability to scale into new markets, but also by their capacity to build data-processing models that are transparent, privacy-conscious, and accountable.

Under Vietnam’s new legal framework, location data can no longer be treated as a freely available resource for companies to collect and exploit at will. Instead, it is increasingly recognized as a category of personal data that carries privacy and regulatory risks, requiring organizations to shift from a “collect as much as possible” mindset to one focused on processing only what is genuinely necessary and can be justified. For platform-based businesses, compliance will therefore involve far more than simply updating a privacy policy. It will require a fundamental redesign of how data is collected, used, stored, and shared across the digital ecosystems they operate.

More articles

Latest articles