The government of Việt Nam is accelerating the construction of a digital state model to modernize governance, improve public service delivery, and drive the digital economy. However, a paradox has emerged.
As data becomes increasingly centralized, citizens are losing control over their information. Treating personal data merely as a resource for management, rather than a fundamental right, might yield short-term efficiency gains for the digital state, but it risks undermining long-term social trust and national competitiveness.
Personal data is increasingly at risk as citizens navigate a dense digital environment. Everyday life now routinely involves electronic identification, public service applications, cashless payments, electronic health records, and chip-based citizen ID cards. Despite this digital integration, personal data is frequently leaked, traded, and exploited on a large scale without accountability.
Việt Nam consistently ranks among the nations with the highest volumes of personal data sold online. Viettel Cyber Security, a subsidiary of the military-run Viettel Group, reported a surge in data breaches in 2024.
As many as 14.5 million accounts were exposed, which accounted for 12% of the global total. [1] Furthermore, numerous large-scale data breaches have exposed customer information from financial, real estate, and edtech companies, compromising phone numbers, addresses, identity details, and basic financial data. [2]
Most of these incidents conclude in silence, offering no clear information regarding legal responsibility, remedial measures, or compensation for the affected individuals.
Rapid Digitization, Amidst an Imbalanced Legal Foundation
The Vietnamese government has taken significant steps to build a digital legal framework to protect citizens and strengthen national security. The foundation for data governance amid rising non-traditional security threats was laid by the 2018 Law on Cybersecurity [3] and its guiding document, Decree No. 53/2022/NĐ-CP. [4]
Following this, the 2023 Decree 13/2023/NĐ-CP [5] formally introduced the concepts of personal data, sensitive data, and the basic rights of data subjects for the first time.
Furthermore, Prime Minister Phạm Minh Chính signed Decision No. 2623/QĐ-TTg in Nov 2025 [6], which approved a plan to implement the Law on Personal Data Protection.
With the Ministry of Public Security taking the lead, the state will “organize communication, dissemination, and legal education on personal data protection” in the coming years. [7]
The core issue, however, is how these legal instruments interact. Rather than functioning in a balanced relationship, regulations on cybersecurity and personal data protection operate under a logic where “security takes precedence.”
While Decree 13 offers conceptual progress, it places heavy responsibilities on businesses and data-processing organizations, leaving mechanisms to verify state power over data relatively vague.
As a result, a lack of detailed guidance and legal precedents makes it difficult for data subjects to exercise their rights, such as objecting to data processing, requesting deletion, or initiating legal action.
This results in a paradox: citizens are nominally the subjects meant to be “protected,” yet they suffer the most when data violations occur.
Expanding State Power
The need to safeguard national security is a common justification for tightening data control. This concern is not without merit, particularly in the context of rising cybercrime, digital espionage, and information interference. What is troubling, however, is that Việt Nam’s data governance often expands the concept of “security” without clearly defined limits.
For instance, Decree No. 53 of 2022 allows authorities to request user data from businesses to investigate and handle cybersecurity violations.
But the decree doesn’t make it clear what the rules, limits, or independent oversight mechanisms are for these requests. When a system lacks checks and balances, data access risks becoming an unchecked administrative tool rather than a controlled security measure.
By contrast, access to personal data in the European Union—even in cases involving national security—is subject to strict oversight by courts and independent data protection authorities under the General Data Protection Regulation (GDPR). [8] Rather than weakening security, this rigorous oversight actually enhances the public’s perception of the legitimacy of these measures.
This positive dimension is largely absent in Việt Nam. The Communist Party currently leads the country, and because it lacks an equivalent mechanism, the state’s power to intervene in personal data remains nearly absolute.
A State Going Too Far
Fundamentally, the service relationship between the state and its citizens is simple: the state interacts with individuals and legal entities to deliver public services. [9]
Consequently, a “digital state” must be measured not just by its interconnected databases or the volume of its online public services, but by the level of public confidence citizens have when entrusting their personal data to the system.
This trust cannot be based on slogans or vague promises; it needs clear, open, and enforceable legal systems.
If the Vietnamese government continues to treat personal data as a resource for state management rather than a fundamental right, it might achieve short-term gains in mitigating security risks. However, this approach will incur long-term costs regarding public trust and economic competitiveness.
When citizens face leaks or misuse of their personal data without clear remedies, they will inevitably avoid compliance, submit incomplete information, or utilize informal channels. In the end, this behavior weakens the very governance capacity that the state wants to improve.
In Việt Nam, citizens have never truly held control over their data security and rights. The state remains firmly in control, with the police acting as the decisive authority. Should this trend continue, the “digital future” of the country in this data-driven era appears exceptionally unpromising.
Lê Hải Bình wrote this article in Vietnamese and published it in Luật Khoa Magazine on Dec. 24, 2025. Đàm Vĩnh Hằng translated it into English for The Vietnamese Magazine.
- Thiện, Đ. (2025, April 1). Thông tin cá nhân, tài liệu doanh nghiệp Việt bị rao bán rộng rãi trên mạng. Tuổi Trẻ. https://tuoitre.vn/thong-tin-ca-nhan-tai-lieu-doanh-nghiep-viet-bi-rao-ban-rong-rai-tren-mang-2025040121130404.htm
- VOV. (2025, April 3). Hơn 14 triệu tài khoản tại Việt Nam bị rò rỉ dữ liệu. https://vtv.vn/cong-nghe/hon-14-trieu-tai-khoan-tai-viet-nam-bi-ro-ri-du-lieu-20250403131635077.htm
- Luật An ninh mạng năm 2018. (2018, June 12). Thư viện pháp luật. https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Luat-an-ninh-mang-2018-351416.aspx
- Nghị định số 53/2022/NĐ-CP của Chính phủ. (2022, August 15). Thư viện pháp luật. https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Nghi-dinh-53-2022-ND-CP-huong-dan-Luat-An-ninh-mang-398695.aspx
- Nghị định 13/2023/NĐ-CP. (2023, April 17). Thư viện pháp luật. https://thuvienphapluat.vn/van-ban/Cong-nghe-thong-tin/Nghi-dinh-13-2023-ND-CP-bao-ve-du-lieu-ca-nhan-465185.aspx
- Quyết định số 2623/QĐ-TTg. (2025, November 29). Thư viện pháp luật. https://thuvienphapluat.vn/van-ban/Bo-may-hanh-chinh/Quyet-dinh-2623-QD-TTg-2025-trien-khai-thi-hanh-Luat-Bao-ve-du-lieu-ca-nhan-682619.aspx
- Minh Hiển. (2025, November 29). Kế hoạch triển khai thi hành Luật Bảo vệ dữ liệu cá nhân. https://baochinhphu.vn/ke-hoach-trien-khai-thi-hanh-luat-bao-ve-du-lieu-ca-nhan-102251129131617617.htm
- Europa. (n.d.). Data protection under GDPR. https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_en.htm
- Hậu, N. V. (2025, June 26). Cơ sở pháp lý về nhà nước số ở một số quốc gia trên thế giới. Tạp chí Quản lý nhà nước. https://www.quanlynhanuoc.vn/2025/06/26/co-so-phap-ly-ve-nha-nuoc-so-o-mot-so-quoc-gia-tren-the-gioi/









