The active collection of citizen data by both government and private enterprises during Việt Nam’s “digital transformation” has raised concerns regarding the right to own and control personal data. This situation poses several important questions: How does the law protect these rights? Are the legal frameworks sufficiently clear and robust? Crucially, does the law treat personal data as property or as an aspect of individual identity?
Authorities have yet to provide clear answers. Citizens, however, have a right to understand their essential legal protections to exercise their rights and identify potential violations. Unfortunately, Việt Nam’s current legal framework on personal data is characterized by ambiguities, inconsistencies, and questionable aspects that obscure this understanding.
The discussion on whether personal data constitutes a personal or property right has stirred heated debate among lawmakers. The term “data” originally described computer-related information—bytes and bits in electronic memory. As technology evolved, this definition expanded.
The General Data Protection Regulation (GDPR), for example, defines personal data as any information relating to an identified or identifiable person (the data subject), whether directly or indirectly. Such information includes names, identification numbers, location data, online identifiers, or characteristics related to a person’s physical, biological, genetic, psychological, economic, or cultural status. [1]
Before 2023, Việt Nam lacked a clear, unified definition. “Personal data” appeared only sporadically in documents like the 2015 Civil Code, which ensures the safety of correspondence and electronic databases, and the 2015 Law on Cyberinformation Security, which provided a definition for “personal information.” [2] The definition was only officially codified under Decree No. 13/2023/NĐ-CP, Article 2, clause 1. [3]
This codification brought the debate to the forefront: Should personal data be treated as a personal right—inviolable, non-transferable, and non-monetary—or as a property right, measurable in value and transferable through sale or inheritance?
Việt Nam’s current legal framework provides a clear direction. Decree 13/2023/NĐ-CP, the first official legal document on personal data, states as a fundamental principle that “personal data may not be bought or sold in any form, unless otherwise provided by law” (Article 3, Clause 4).
This indicates that Vietnamese law approaches data rights primarily as personal rights. Recent legal commentaries in Việt Nam affirm this, stating that “the right to personal data is encompassed within personal rights, forming an essential and integral component.” [4]
However, this "personal right" approach reveals internal contradictions within Việt Nam’s own legal system.
According to the European Commission, individuals’ rights over their personal data are extensive, including but not limited to: (i) the right to control their own information, including correction for accuracy and completeness; (ii) the right to permit or deny third-party access; (iii) the right to demand confidentiality from related organizations or individuals; and (iv) the right to compensation for unlawful violations. [5]
Việt Nam’s Decree No. 13/2023/NĐ-CP (Article 9) echoes this, specifying 11 rights for data subjects, including the right to be informed, consent, access, withdraw consent, delete data, restrict processing, receive data, object, complain or litigate, claim damages, and self-protection.
Paradoxically, several of these rights—such as the right to claim damages—bear the hallmarks of property rights, as they are associated with economic interests and can be quantified monetarily when violated. This ambiguity deepens when compared to Việt Nam’s existing definitions of property.
The 2015 Civil Code defines property as “objects, money, valuable papers, and property rights,” providing clearer distinctions between movable and immovable property and including both existing and future assets. Under this Code, an “object” must meet three criteria: it must exist in the physical world (now or in the future), provide real value to its owner, and be capable of human possession.
Based on these definitions, personal data fully qualifies as a form of property, specifically a movable one, for three reasons:
Furthermore, Article 115 of the 2015 Civil Code defines property rights as “rights that can be valued in money, including rights to intellectual property, land use rights, and other property rights.” The critical feature is monetary valuation. Given the immense economic potential of personal data, it clearly possesses the legal nature of a property right, not merely a personal one.
If personal data is recognized as property, data subjects would possess full rights of ownership, use, and disposition. This view moves personal data beyond informational status and into the realm of civil transactions, allowing it to be bought, sold, transferred, inherited, or subject to compensation when violated.
Like other property rights with measurable economic value, this classification provides a legal foundation for ensuring that the state cannot arbitrarily interfere with or access citizens’ data outside the limits of the law.
When viewed solely as a personal right, data is typically protected only on moral and legal grounds associated with dignity and privacy. In such cases, the state may invoke public reasons—national security, public order, or health—to justify data access or restriction, often without strict compensation mechanisms.
Conversely, if personal data is recognized as property, it becomes a quantifiable, tradable asset. Any state interference must therefore comply with constitutional property protections, permitted only in cases of genuine public necessity and subject to principles of compensation, similar to the expropriation of land or other assets.
Recognizing personal data as a property right not only strengthens individual autonomy but also establishes a vital safeguard against arbitrary state power. The state could no longer treat citizens’ data as “public assets” for unrestricted exploitation; it would have to meet strict accountability standards that ensure citizens’ ownership, decision-making authority, and control.
In his study “Property Rights and the Development of the State,” Amihai Glazer demonstrated that the extent of citizens’ property rights is inversely proportional to the ruler’s control over power. [6]
History shows that total control over citizens strengthens authoritarian regimes internally while reducing productivity and social wealth. To encourage productivity, rulers had to grant subjects basic rights—property ownership, freedom of movement, and participation in governance—thus trading some autocratic power for collective development.
In today’s context, personal data must likewise be recognized as a form of property, forcing the state to accept similar principles. Public power must be limited and yield to protect citizens’ data rights in pursuit of broader economic and social growth.
The strengthening of cybersecurity is essential in protecting personal data. Yet whether Việt Nam’s Law on Cybersecurity serves to “protect” or to “infringe” upon citizens depends on its interpretation and application.
International frameworks define the term narrowly. The European Union, in its NIS Directive (2016, amended 2022), defines cybersecurity as “the protection of network and information systems (NIS), their users, and affected individuals from incidents and cyber threats.” [7] The United States defines it as protecting information, devices, and data from "unauthorized access, use, disclosure, disruption, modification, or destruction." [8]
In Việt Nam, the concept takes on a strikingly different character. The 2018 Law on Cybersecurity, Article 2(1), defines it in far broader terms: “Cybersecurity is the assurance that activities in cyberspace do not harm national security, social order, safety, or the lawful rights and interests of organizations and individuals.”
The difference is clear. While the EU and U.S. focus on technical safety and personal rights, Việt Nam frames cybersecurity around political stability and social control—the traditional domain of the Ministry of Public Security (MPS).
The concept has effectively been codified as a means of consolidating the ministry’s power, granting it sweeping authority to demand data disclosure, monitor content, and handle any act deemed a threat. This approach reflects a political-security mindset in which personal data is seen not as a right but as a tool of governance, subordinating citizen privacy to the vague notion of “national security.”
In light of this, it is even more important to recognize personal data as a property right. Data must be anchored in its legal and material nature, tied to tangible economic value and measurable interest. Only then can property-protection principles under the Constitution and the Civil Code extend to data, placing meaningful limits on the MPS’s reach and restoring citizens’ rightful control over their own digital identities.
Đan Thanh wrote this article in Vietnamese and published it in Luật Khoa Magazine on Oct. 14, 2025. Đàm Vĩnh Hằng translated it into English for The Vietnamese Magazine.
Proposals to restrict motorcycles were first raised in 2017, yet it was not until July 12, 2025, that the Prime
Thích Minh Tuệ, a Vietnamese Buddhist monk born Lê Anh Tú in 1981 in Hà Tĩnh Province, has become a
Key Events * HCMC Finalizes Key Party Positions Before National Congress; * Vietnam Airlines Confirms Massive Data Breach Affecting 7.3 Million
In September 2024, a social media storm erupted around 16-year-old Chu Ngọc Quang Vinh, a 12th-grade English major at Nguyễn
Vietnam's independent news and analyses, right in your inbox.
