Richard OUELLET, LY Van Anh, NGUYEN Ngoc Ha, HA Cong Anh Bao et Antoine COMONT (direction)

Balancing Between Personal Data Protection and Personal Data Trade

Précédent Up Suivant

A Legal Challenge

NGUYEN Thao Nhi and NGUYEN Tra My

Abstract

In response to the evolution of the data-driven economy, several legal frameworks are promulgated to protect personal data. However, there is also the rising concern that over-protection of personal data may harm trade. In the data economy, it is clear that personal data is sold and bought by businesses, contributing significantly to their profits. This leads to the question of how legal frameworks can effectively balance the protection of personal data with the economic interests of personal data trade. In this paper, the authors provide the rationales of personal data protection and personal data trade and illustrate the necessity of balancing between personal data protection and personal data trade. The study compares legal approaches taken by the European Union (“EU”), California (United States), China and Viet Nam in this regard and depicts the challenges in achieving the balance between personal data protection and personal data trade in Viet Nam. Based on these findings, the authors provide recommendations for Viet Nam. This research aims to serve as a reference for legislators in promulgating laws that not only protect privacy but also regulate the responsible and legitimate treatment of personal data, which will in turn benefit businesses in building consumer trust as well as enhancing consumer’s confidence when engaging in trade activities involving their personal data.
   
Keywords: Personal data protection, personal data trade, balance, legal challenges.

Résumé

En réponse à l’évolution de l’économie axée sur les données, plusieurs cadres juridiques ont été instaurés pour protéger les données personnelles. Cependant, une inquiétude croissante existe quant au fait qu’une protection excessive des données personnelles pourrait nuire au commerce. Dans l’économie des données, il est évident que les entreprises achètent et vendent des données personnelles, ce qui contribue de manière significative à leurs bénéfices. Cela soulève la question de savoir comment les cadres juridiques peuvent efficacement équilibrer la protection des données personnelles avec les intérêts économiques liés au commerce des données personnelles. Dans cet article, les auteurs examinent les raisons de la protection des données personnelles, le commerce des données personnelles, et mettent en évidence la nécessité de trouver un équilibre entre ces deux aspects. L’étude compare les approches juridiques adoptées par l’Union européenne (“UE”), la Californie (États-Unis), la Chine et le Viet Nam, et discute des défis auxquels le Viet Nam est confronté pour atteindre cet équilibre. Sur la base des résultats, les auteurs proposent des recommandations pour le Viet Nam. Cette recherche vise à servir de référence pour les législateurs dans l’élaboration de lois qui protègent non seulement la vie privée, mais régulent également le traitement responsable et légitime des données personnelles, ce qui aidera à son tour les entreprises à renforcer la confiance des consommateurs et à accroître la confiance des consommateurs lorsqu’ils participent à des activités commerciales impliquant leurs données personnelles.
    
Mots-clés: Protection des données personnelles, commerce des données personnelles, équilibre, défis juridiques.

In recent decades, significant measures have been taken to ensure the protection of personal data in the concern that the automated processing and the uncontrolled free flow of data in the data economy may put the fundamental right to privacy at risk. On the other hand, the trade in personal data is a reality in the data economy: businesses are clearly profiting from the sale of personal data of an enormous number of individuals. However, there is still hesitation in recognizing personal data as an economic asset because this would raise several legal and ethical implications. Nevertheless, with data being considered the new oil, it is time to consider the need to strike a balance between personal data protection and personal data trade. In Viet Nam, the issue of data trade and data protection is also being paid great attention, with the entry into force of Decree 13/2023/ND-CP on the Protection of Personal Data on 1 July 2023 (“Decree 13”) and the passing of the Personal Data Protection Law by the National Assembly on 26 June 2025 (“PDPL”), which will enter into force from 1 January 2026.

This paper’s scope encompasses legal frameworks governing personal data protection and personal data trade between businesses and their current situations in the EU, California (United States), China and Viet Nam. These jurisdictions are chosen because each of them has a distinctive legal approach to the protection and trade of personal data: while the EU emphasizes the strict protection of personal data, California (United States) explicitly allows the sale of personal data, and China presents similar features to Viet Nam in terms of the government’s central role in regulating data.

The authors aim to answer the following research questions: What are the legal approaches to balancing personal data protection and personal data trade in the EU, California (United States), China, and Viet Nam? What are the legal challenges in achieving a balance between personal data protection and personal data trade in Viet Nam? What are the recommendations for Viet Nam to address these legal challenges, based on models from the above jurisdictions? In order to address the above questions, the paper is structured in five parts: (1) Literature review; (2) Methodology; (3) Theoretical basis; (4) Legal approaches to balancing personal data protection and personal data trade; (5) Recommendations for Viet Nam on balancing between personal data protection and personal data trade in Viet Nam.

Although data protection and data trade have each been widely discussed in existing scholarship, few studies have directly addressed how these two dimensions can be reconciled within a coherent legal framework. In particular, the legal balance between personal data protection and personal data trade remains an underexplored area in Viet Nam, where the regulatory landscape is still evolving. This paper seeks to fill that gap by examining comparative models and proposing recommendations to support Vietnam in achieving an effective and balanced approach.

1. Literature Review

Existing literature on balancing the protection of personal data with its trade is still limited. Possibly related literature discusses three main issues as follows:

(i) The concept of personal data as an economic asset

A study by Spiekerman et al. indicates that personal data of consumers is sold and bought by businesses, such as Bluekai.[1] Similarly, a study by Dudas, Kovacs and Schultz explores the concept of personal data as consideration for contracts,[2] in the case where personal data is given by consumers to online service providers in exchange for free services. In these studies, personal data is considered as an economic asset, which is a basis for the personal data trade.

(ii) Data protectionism as a trade barrier

Data protectionism as a trade barrier is analyzed in a study by Ferracane, who indicates that since data is moving across borders to serve the purpose of trade, strict limitations on data flows are seen as trade-inhibiting measures.​​[3] For example, in a 2014 survey, 79% of large US’s digital firms and 51% of small and medium enterprises viewed EU’s data requirements as major barriers.[4]

(iii) The detrimental effects of big data on fundamental rights

Studies on big data are relevant because big data analytics is being alimented by the massive collection of personal data, to which the trade in personal data contributes. A research by Oosteven and Irion points out how fundamental rights are negatively affected by big data, claiming that big data is used by businesses to categorize customers and present to them personalized communications, which not only are harmful to personal autonomy and informational self-determination, but also lead to direct or indirect discrimination.[5]

From the above, it can be seen that existing literature still contains significant unresolved gaps. The term personal data trade currently lacks a clear and widely recognized definition. Legal instruments and academic discussions primarily condemn the illicit trade in personal data, but do not explicitly clarify whether personal data can be legally bought and sold, and if so, under what conditions. This is also because it is not clear whether data trade falls within the scope of definition of the terms transfer or processing of data, concepts that are regulated in many legal instruments. Regarding personal data protection, existing literature either emphasizes its importance or highlights the negative impact of excessive data protection on trade, but it has yet to provide an analysis of how to achieve a balance. To address these gaps, this paper seeks to establish a clear definition of personal data trade and examine situations where it is legal. Furthermore, it aims to explore the possibility of a balanced approach that reconciles personal data protection with personal data trade, thereby contributing to the development of a more comprehensive legal framework in this regard.

2. Methodology

This paper adopts a combination of legal research methods to examine how to achieve a balance between personal data protection and personal data trade. The methodological framework consists of four complementary approaches, which are comparative legal analysis, doctrinal legal research, case-based reasoning, and policy-oriented legal research.

First, the paper applies comparative legal analysis to examine and contrast the legal frameworks of the EU, California (United States), and China, focusing on how these jurisdictions define, regulate, and enforce both the protection and commercialization of personal data. The comparative approach serves to identify distinct legal models and best practices that may be relevant or adaptable to Viet Nam’s evolving regulatory environment.

Second, the study relies on doctrinal legal research, involving the interpretation and analysis of existing legal instruments and regulations that form the backbone of data protection regimes. These include the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the California Consumer Privacy Act (CCPA), the Personal Information Protection Law of the People’s Republic of China 2021 (PIPL), Decree 13, and the current PDPL. This method allows the study to clarify how each jurisdiction conceptualizes “personal data,” governs its processing and transfer, and regulates or limits its potential trade.

Third, the research employs case-based reasoning by referring to documented enforcement gaps and real-world data protection challenges observed in Viet Nam. This indirect use of case analysis provides practical insight into how theoretical provisions operate or fail to operate in practice. These examples help illustrate the consequences of regulatory shortcomings and highlight the need for stronger enforcement and clearer guidance on data commercialization.

Finally, the paper incorporates a policy-oriented legal research approach, which goes beyond descriptive analysis to assess how Viet Nam can reconcile two competing policy objectives: safeguarding the constitutional right to privacy and promoting the responsible use of data to advance the digital economy. This approach enables the formulation of normative recommendations that are not only legally sound but also contextually suited to Vietnam’s socio-economic realities.

By combining these four methods, the paper aims to provide both a theoretical and practical understanding of the legal relationship between data protection and data trade, thereby offering grounded and actionable recommendations for Viet Nam’s future policy development in this field.

3. Theoretical Basis

In this section, the authors will present the concept of personal data protection and personal data trade. By analyzing the conflicts between these concepts, the authors also indicate the necessity of balancing between personal data protection and personal data trade.

3.1. The Concept of Personal Data Protection and Personal Data Trade

The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines) and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) were the first legal instruments to introduce the concept of personal data, both defining it as any information relating to an identified or identifiable individual (data subject).[6] The GDPR represents a significant legal milestone in defining personal data, since it also defines what is an identifiable natural person.[7] At national level, some countries like California (United States) and China use the term personal information instead, but with a definition similar to personal data found in international law.[8]

In Viet Nam, both terms personal data and personal information are used in legal instruments, and their definitions remain inconsistent.[9] While the Law on CyberInformation Security 2015 (“LCIS”) defines personal information only as briefly as “information associated with the identification of a specific person”,[10] Decree 13 defines personal data more in detail, as “any information that is expressed in the form of symbol, text, digit, image, sound or in similar forms in electronic environment that is associated with a particular natural person or helps identify a particular natural person”[11]. The PDPL’s definition is more concise: “Personal data refers to digital data or information in other forms that identifies or assists the identification of a specific individual”.[12] In this paper, the authors decide to adopt the term personal data because it is more widely used internationally.

In the realm of personal data protection, existing literature primarily focuses on defining the right to personal data protection, associating it with the right to privacy.[13] Nevertheless, the concept of personal data protection can be found in Vietnamese law, being defined as: “The activities of preventing, detecting, stopping, and handling violations related to personal data in accordance with the law”[14] and “when agencies, organizations, and individuals use specific forces, equipment, and measures to prevent and combat infringement on personal data”.[15] These definitions will be adopted by this paper.

The concept of personal data trade has not been included in any instruments in international law, but national legislations mention its “sale”. The California Privacy Rights Act (“CPRA”) amending the CCPA defines the sale of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring […] a consumer’s personal information by the business to a third party for monetary or other valuable consideration”.[16] The PIPL uses the terms “sell” and “buy”.[17] In Vietnamese legal instruments, this concept is also referred to as “purchase or sale of personal data”.[18] However, as sale may have a narrower meaning than trade, the authors choose the term personal data trade, with the meaning of obtaining or providing personal data in exchange for money, products or services.[19]

To sum up, while personal data protection is defined in many instruments, there is a lack of an explicit definition of personal data trade.

3.2. The Necessity of Balancing between Personal Data Protection and Personal Data Trade

The trade in personal data is already a profit-generating activity itself, with the rise of data brokers,[20] but the main actor is actually the profit that comes from the application of the knowledge derived from the processing and analysis of such data. For example, businesses vastly benefit from tailoring product recommendations to suit customers’ interests.[21] Businesses find ways to obtain as much data as possible because the more data they possess, the better decisions they make[22] (which are obviously profit-oriented). Legally recognizing personal data as an economic asset gives relevance to personal data trade and benefits the economy, but it is in contradiction with the fundamental right to personal data protection.[23]

In contrast, the strict protection of personal data has negative impacts on many aspects of the economy, including: (i) harming international trade by restricting the flow of data across borders and hinders technological innovation by limiting the collection and processing of data; (ii) placing high compliance burdens on businesses;[24] (iii) leading to the disappearance of online free services, which are accessible to anyone if they provide their personal data.[25]

It is clear that personal data protection and personal data trade each make contributions to different aspects of society. On the one hand, the protection of personal data guarantees the fundamental right to privacy of individuals as well as other rights and freedom, in light of how easy it is at present to illegally access and make use of personal data without consent for purposes contrary to data subjects’ wishes. On the other hand, the trade in personal data holds significance in the current economy, where all kinds of businesses rely on data to grow.

It is clear that the conflicts above need to be addressed, so that consumers can exchange their personal data for services while not having their privacy significantly compromised, and businesses can commercially exploit personal data while not being burdened with high compliance costs. The only way to do so is to strike a balance between the two extremes of personal data protection and personal data trade. The ultimate objective of this balance is the harmonization of the interests of data subjects and businesses, as they will both be able to reap the benefits of the data economy while not being harmed substantially.

4. Legal Approaches to Balancing Personal Data Protection and Personal Data Trade

In this section, the authors will indicate the legal approaches of some jurisdictions around the world, including the EU, California (United States) and China regarding personal data protection and trade. The reason behind the choice of these jurisdictions, as explained above, lies in the distinctive features that each of them has and the fact that Viet Nam can benefit from learning from the experience of different legal approaches to balancing between personal data protection and personal data trade. The authors thereby will point out the limitations and legal challenges that Viet Nam is facing in terms of balancing the protection and trade of personal data.

4.1. Jurisdictions Around the World

Internationally, data protection is often framed with the free movement of data across borders, and the necessity of balancing them is put forward in international texts.[26] Although to some extent similar, it is not exactly the same as balancing personal data protection and personal data trade in this paper. Privacy and cross-border transfer of data will be tackled briefly in the analysis below of the legal approach of the EU, with the famous GDPR. For the rest, the authors analyze two other national jurisdictions: California (United States), where the sale of personal data is legal; and China, which has attempted to create a state-regulated data market.

4.1.1. European Union

Experts have been suggesting that Europe has always and will continue to favor economic integration over fundamental rights,[27] but the Data Protection Directive of 1995 (DPD) and the GDPR replacing it show otherwise. With the DPD, the EU tried to carry on the ‘twin goals’ of market integration and supranational data protection,[28] in an attempt to balance a fundamental right with the economic interests of the free flow of personal data (within the EU).[29] On the other hand, the GDPR, widely regarded as the most advanced data protection law in the world,[30] takes a clear position: it sets the protection of personal data as a general rule and data processing to be an exception only allowed under specific conditions.[31] The principle-and-exception legal drafting technique being used there conveys that the protection of personal data is emphasized. The trade in personal data is thus hardly conceivable under the GDPR. Nonetheless, a recent EU Directive has acknowledged that personal data in the modern digital economy can be used, instead of money, to pay for digital content – this suggests that personal data can be used as consideration to contract.[32] This is an important step towards a more comprehensive data protection framework that takes into account new trends of the economic use of personal data.[33] Nevertheless, it still is at odds[34] with the EU’s Charter of Fundamental Rights, which assigns an inalienable, fundamental nature to the right to protection of personal data found in no other jurisdiction.[35]

4.1.2. California (United States)

California’s CCPA is also said to take the lead in data protection together with the EU’s GDPR,[36] inheriting many elements from the latter. However, the CCPA uses the principle-and-exception legal drafting technique in a way completely opposite to that of the GDPR. In principle, businesses are allowed to sell personal data under the CCPA, except when the consumers have exercised their Right to Opt Out of Sale or Sharing of Personal Information.[37] The opt-out mechanism, which is found in some other states in the United States (“US”),[38] is a rather particular approach, given that generally, even the processing of personal data is only legal if explicit consent is obtained.[39] For this reason, it seems that behind the concern for personal data protection, allowing businesses to sell personal data is actually in the interests of California. Moreover, obligations concerning data protection in the CCPA do not apply to all businesses,[40] which means that some may enjoy even more freedom in selling personal data. However, data brokers are subject to extensive requirements according to California laws.[41] They must register and report to the California Privacy Protection Agency (CPPA)[42] – the first dedicated privacy enforcement agency in the US. Failure to do so may result in administrative fines, other costs or even being shut down.[43] The strict requirements imposed on data brokers, besides contributing to data protection, may also imply that this type of business is highly profitable.

4.1.3. China

In China, the PIPL is the first all-encompassing law on personal information protection, designed based on the GDPR.[44] It sets rules for data collection, processing, and protection while also imposing strict measures on cross-border data transfers. Despite this, large-scale data breaches still occur.[45] In response to this, six Chinese government agencies have announced an action plan to crack down on illegal data collection, trade, and distribution[46] as well as moving toward a model of ‘legalizing’ data trade by bringing transactions onto regulated exchanges in order to combat the existing black markets.[47] The Chinese government thus aims to play an intermediary role by setting regulations on the exploitation, use, and exchange of personal and corporate data. The plan implies China’s view on data as a “strategic asset” that can be leveraged to drive economic growth.[48] However, this model has not succeeded in attracting private companies because of the fear of infringing laws restricting the sale of consumers’ data.[49]

4.2. Viet Nam

4.2.1. Legal Framework

Viet Nam has only recently begun developing a comprehensive legal framework for data protection, as previous regulations were scattered across various legal documents,[50] with a significant milestone being Decree 13 and the PDPL. Closely aligning with the GDPR, Decree 13 and the PDPL imposes stringent requirements on the collection, processing, and transfer of personal data, emphasizing the data subject’s consent and the responsibilities of data controllers and processors.[51]

In the existing instruments, there is no definition of the term “sale and purchase of personal data” despite it being mentioned in several provisions. However, Article 3.17 LCIS mentions the concept of processing of personal data that means “the performance of one or some operations of collecting, editing, utilizing, storing, providing, sharing or spreading personal information in cyberspace for commercial purposes”. The phrase “commercial purposes” may suggest an indirect reference to personal data trade, despite lacking specificity. Article 2.7 of Decree 13 also gives the definition of “processing of personal data”, which “refers to one or multiple activities that impact on personal data, including collection, recording, analysis, confirmation, storage, rectification, disclosure, combination, access, […] transfer, deletion, destruction or other relevant activities”. Similarly, the PDPL regulates that “Personal data processing refers to activities impacting personal data, including one or more of the following: collection, analysis, summary, encryption, decryption, modification, deletion, destruction, de-identification, provision, disclosure, transfer of personal data, and other activities impacting personal data”.[52] Although personal data trade is not mentioned in a direct manner, these definitions, if broadly explained, may cover the selling and buying of personal data.

In principle, the sale and purchase of personal data is not encouraged in Viet Nam. Article 3.4 of Decree 13 regulates: “The purchase or sale of personal data shall be prohibited in any form, unless otherwise provided for by law”.[53] Besides, Article 22.2 Decree 13 regulates that the “[…] purchase or sale of personal data without the consent of the data subject is a violation of law”.[54] It explicitly prohibits the buying and selling of personal data “without the data subject’s consent”, but “unless otherwise provided for by law”. This means that, if there is consent or if the law provides otherwise, and the purpose and contents of the transaction are not contrary to the law and/or social ethics,[55] the buying and selling of personal data may be legal. However, there is currently no specific legal framework governing this situation. In the PDPL, the prohibition is expected to be further emphasized, with the maximum fine being set at 10 times the revenue gained from a violation.[56] Nevertheless, it is interesting to note that the PDPL has an article stating that: “The personal data transfer specified in Clause 1 [of article 17] whether free of charge or for a fee, shall not be considered sale and purchase of personal data”.[57] This shows an initial effort in establishing the scope of the activities constituting sale and purchase of personal data by differentiating it from the transfer of personal data, even when this might involve the collection of a certain amount of fee.

It is also important to note that the recent Law on Data sets out the possibility of establishing data exchange platforms, where data transactions are allowed.[58] However, it is still not clear if personal data will be eligible for such transactions.[59]

4.2.2. Enforcement

Despite strict prohibitions, the mechanisms for safeguarding personal data in Viet Nam are not yet efficient, resulting in the widespread unauthorized trade of personal data.[60] Over the years, the illegal trading of personal data has become a painful phenomenon, affecting not only the privacy of people but also leading to other serious fraud and illegal acts.[61] The implementation of the LCIS and Decree 13 remains inconsistent and lacks the necessary rigor to curb this growing issue.[62] In cyberspace, especially through dark websites and social networks, the exchange and trading of personal data takes place openly; notably, this situation does not only occur between individuals but also involves businesses.[63] The consequences range from unsolicited marketing calls, spam messages to severe financial fraud schemes,[64] dramatically affecting consumers’ privacy. From the legal perspective, there are some key reasons for these shortcomings as follows:

First, there is a lack of uniformity in terminology, as legal documents use the concepts of personal data and personal information inconsistently. For example, the LCIS employs the term personal information, while Decree 13 uses personal data.

Second, while the selling and buying of personal data is strictly prohibited, there is no definition establishing what type of conduct constitutes selling and buying personal data, which may pose challenges in law enforcement, since the commercial use of personal data can take place in diverse forms.

Third, while it can be understood that what is not prohibited by law is permitted (as long as it is not contrary to the law and/or social ethics), it is a limitation that the legal framework still lacks clear provisions governing the buying and selling of personal data with the consent of data subjects,[65] as this has become an emerging reality, important for growth in the digital and data economy.

Fourth, the limited awareness of the public contributes to the ineffective enforcement of laws in Viet Nam[66].

Nonetheless, Viet Nam is taking actions to combat this. For instance, several large-scale networks engaged in the appropriation and illegal trading of data in Viet Nam have been detected and dealt with – the volume of personal data illegally collected and traded that has been identified amounts to thousands of gigabytes.[67] However, although some businesses have recently taken measures to comply with Decree 13,[68] the implementation still presents difficulties for most because of legal conflicts.[69] Some businesses possessing customer data apply insufficient security measures, creating vulnerabilities that may lead to the leakage or exposure of personal data.[70]

5. Recommendations for Viet Nam on Balancing between Personal Data Protection and Personal Data Trade in Viet Nam

In this section, the authors will analyze the legal challenges Viet Nam has to face in order to achieve a balance between personal data protection and personal data trade, and then make recommendations for Viet Nam.

5.1. Legal Challenges in Achieving a Balance between Personal Data Protection and Personal Data Trade in Viet Nam

While there is no doubt that personal data protection is necessary, there is still controversy surrounding the legalization of personal data trade. In order to achieve balance, the first step is to make personal data trade legal to some extent. Therefore, the challenges in achieving balance mostly coincide with the challenges in legalizing personal data trade.

First, the question of consent and ownership of personal data remains unsolved: for data subjects to be able to give consent to the trade of their personal data, they need to have ownership or certain rights over that personal data in the first place. This depends on whether personal data right is considered as a personal right, which is generally inalienable, or a property right, which is transferable.[71] From a personal-right point of view, the trade in personal data poses the fear of “theft of humanistic property”.[72] The right to digital data is already considered a property right in Viet Nam,[73] but the law remains silent on the right to personal data (which can exist in digital or other forms).

Second, assuming that the trade in personal data is legal, the determination of the price of personal data also presents challenges, since it is not an ordinary good or service: which method should be used to price personal data, who should be in charge of pricing personal data and how can authorities supervise this process?[74] Obviously, there are various methods used to determine the price of data in general (such as cost-plus pricing, value-based pricing, etc.), but would it be appropriate to apply these to personal data as well?

Third, there is the risk of discrimination within the personal data market and in the subsequent processing of personal data, as businesses may treat individuals differently according to the value of their personal data, reinforcing existing social disparities.[75]

Fourth, there are concerns about the treatment of the data of dead people, which may become an unfair and “perpetual source of income” for businesses, simply on the basis that consent has been given by these people during their lifetime.[76]

In Viet Nam, there are more tangible and immediate security issues. First, Viet Nam is undergoing a critical period of digital transformation.[77] Data is considered a valuable resource that needs to be strictly protected, ensuring national digital sovereignty,[78] given that Vietnamese authorities and enterprises are increasing targets of cyber assaults[79] because of the emerging digital economy and weak data security systems.[80] Second, the illicit sale and purchase of personal data in Viet Nam often serves the purpose of committing other serious crimes,[81] and together with the lack of awareness among the population on the importance of personal data protection,[82] its consequences are exacerbated. For this reason, the Vietnamese press as well as official national sources almost always discuss the sale and purchase of personal data with negative connotations. Third, similar to China, Viet Nam is characterized by a socialist-oriented market economy, so it seems that establishing central control of data is more appropriate than allowing a data market dictated solely by the rules of supply and demand, especially when it comes to a valuable resource such as personal data.

5.2. Recommendations for Viet Nam

From the challenges pointed out above, this paper believes that in order to achieve balance between personal data protection and personal data trade, Viet Nam should learn from the experience of legal approaches by the EU, California (US) and China. Accordingly, the authors propose the following recommendations for Viet Nam:

First, as the term personal data is more aligned with international legal texts, the authors propose that all Vietnamese legal instruments using the term personal information, including the LCIS, be amended to use the term personal data to create consistency. However, as amending existing laws is a complicated process that is often performed only when substantial changes are required, it suffices for now that future legal instruments use the term personal data consistently.

Second, it is necessary to establish a well-defined legal ground for legitimate, consent-based data trading, for legislation to catch the pace of this emerging reality. In this regard, Viet Nam can start by adopting the definition of sale of personal data in the CCPA. This is helpful even without the intention to legalize the trade in personal data, because in order to effectively prohibit the unlawful sale of personal data and impose administrative penalties on the violators, the kinds of conduct constituting sale of personal data should be established clearly in the definitions clause. Once the right to personal data is recognized as a property right, the provisions in the Civil Code might apply to the sale and purchase of personal data as civil transactions. Nonetheless, the authors argue that Viet Nam should develop specific guidelines to legitimize and regulate the buying and selling of personal data, ensuring that enterprises can confidently operate within a structured and transparent legal environment. In this regard, while Viet Nam’s recent Law on Data has recognized that there is property right over digital data,[83] it is prudent to establish a set of regulations, in the form of a Decree of the Government, guiding the exercise of such right. This is because the nature of data as an asset is very different compared to traditional ones, so the legal concepts and rules conceived for traditional types of assets in the Civil Code cannot be easily applied to data. This can be seen in the experience of real estate and intellectual properties, both requiring the promulgation of separate laws governing their commercial use.[84] If the regulations for digital data as proposed above are successfully implemented, a similar Decree detailing the sale and purchase of personal data can then be considered, bearing in mind of the even more complex nature of personal data as outlined in the previous sections.

Third, while the concept of personal data as an economic asset is an ongoing controversy and there seems to be no pioneering legal instruments in this aspect yet,[85] Viet Nam can still extend certain property rights to personal data by recognizing its possible role as consideration to contracts, learning from the EU experience. The current Decree 147/2024/ND-CP on the Management, Provision, and Use of Internet Services and Cyber Information can be modified to govern also contracts for Internet services “where the trader supplies or undertakes to supply digital content or a digital service to the consumer, and the consumer provides or undertakes to provide personal data to the trader”[86]. However, this does not mean that just a simple modification of the Decree’s application scope is enough. All provisions of Decree 147/2024/ND-CP should be compared with the provisions of the EU Directive 2019/770 on contracts for the supply of digital content and digital services in order to assess whether the EU’s approach would be compatible with Viet Nam’s current legal system and infrastructure. This is also because the EU Directive exists in the context of the high protection guaranteed under the GDPR, which is rarely found in other jurisdictions. It should be emphasized that the adoption of a foreign legal approach without adapting it to domestic circumstances is likely to result in “dead” laws that are impossible to implement.

Fourth, Viet Nam can consider building an official personal data exchange, so that the government can better perform its management role regarding a valuable resource such as personal data while providing a secure platform for businesses to engage in lawful personal data trade. Note that for this to work, Viet Nam has to first establish a comprehensive legal framework governing personal data trade, as the experience in China shows that businesses are likely to remain cautious and hesitant in the absence of a robust legal framework to guide their actions and protect them from potential liabilities. However, since data exchange platforms as provided by the Law on Data are likely to appear soon, it is important to clarify whether personal data will be allowed on such platforms. It would be useful if these exchange platforms are used for non-personal data for a reasonable period of time first to derive experience and thereby reducing risks when applying the same model to personal data.

Fifth, needless to say, it is necessary to raise public awareness and corporate responsibility as well as improve data security systems on a national level and within private entities. This is essential to prevent illegal data trading for malicious purposes, especially in light of the signing ceremony of the United Nations Convention against Cybercrime (also known as Ha Noi Convention) recently hosted by Viet Nam, which was also the first country to sign.[87] Specifically, Viet Nam should focus on enhancing education on personal data protection through media campaigns and training programs, mandating that these be incorporated in schools, universities, government agencies and enterprises. Furthermore, learning from the experience of the CPPA in California (US), Viet Nam can consider introducing a dedicated data protection enforcement agency at national level under the management of the Ministry of Public Security[88] to enforce the PDPL. Such agency can then issue standards and guidelines on data security for enterprises to follow to ensure compliance with the PDPL. In addition, more investments should be made to upgrade national data protection infrastructure.

Conclusion

Overall, this study has demonstrated that while personal data protection and personal data trade appear to be in conflict, it is both possible and necessary to seek a legal balance between the two in the modern data economy. Through comparative analysis, the paper identified that different jurisdictions adopt markedly distinct approaches: the EU emphasizes the inviolability of personal data as a fundamental right, thereby limiting its economic exploitation; California (US) permits the sale of personal data through an opt-out model, explicitly recognizing its commercial value; and China pursues a state-regulated model that frames personal data as a strategic asset under strong governmental oversight.

In the case of Viet Nam, although Decree 13 and the PDPL introduce a relatively comprehensive framework for data protection, it still lacks clarity regarding the legality of consent-based personal data transactions. This legal ambiguity, compounded by inconsistent terminology, weak enforcement mechanisms, and low public awareness, has resulted in a significant gap between regulatory intent and practical realities.

The research concludes that Viet Nam should consider a gradual and conditional recognition of legitimate personal data trade, guided by a robust and transparent legal framework. Key recommendations include: harmonizing legal terminology in line with international standards; providing clear legal definitions and conditions for consent-based personal data transactions; exploring the recognition of personal data as a form of contractual consideration; and evaluating the feasibility of establishing a state-regulated data exchange platform. These efforts must be accompanied by enhanced enforcement mechanisms and educational initiatives to raise public and institutional awareness. By addressing these gaps and drawing on the lessons of international models, Viet Nam can move toward a legal framework that not only protects individual privacy rights but also fosters innovation and economic development in the digital age. The findings of this study thus contribute meaningfully to the evolving discourse on data governance and provide a legal roadmap for reconciling privacy with progress.

Bibliography

Agreements

Charter of Fundamental Rights of the European Union, [2000] OJ, C 364/1.

Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, 28 January 1981, ETS 108 (entered into force 1 October 1985).

United Nations Convention against Cybercrime (Hanoi Convention), opened for signature 20 March 2025 [not yet in force].

International Documents

APEC, APEC Privacy Framework, Singapore, APEC Secretariat, 2017.

European Commission, A Digital Single Market Strategy for Europe, COM(2015) 192 final.

OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Paris, OECD, 2013, online: OECD www.oecd.org/.

Legislation

EC, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), [2016] OJ, L 119/1 [GDPR].

Lei Geral de Proteção de Dados Pessoais (General Data Protection Law), Law No 13.709 (2018) (Brazil).

Personal Information Protection Law of the People’s Republic of China (2021).

Personal Data Protection Act 2012 (Singapore).

California Civil Code (California).

Colorado Revised Statutes (Colorado).

Connecticut Public Act No 22-15 (Connecticut).

Utah Code (Utah).

Virginia Code (Virginia).

Civil Code, No 91/2015/QH13 (2015) (Vietnam).

Decree No 13/2023/ND-CP on the Protection of Personal Data (2023) (Vietnam).

Law on CyberInformation Security, No 85/2015/QH13 (2015) (Vietnam).

Law on Data, No 60/2024/QH15 (2024) (Vietnam).

Law on Intellectual Property, No 50/2005/QH11 (2005) (Vietnam).

Law on Real Estate Business, No 29/2023/QH15 (2023) (Vietnam).

Personal Data Protection Law, No 91/2025/QH15 (2025) (Vietnam).

Resolution No 57-NQ/TW on Breakthroughs in the Development of Science, Technology, Innovation, and National Digital Transformation (2024) (Vietnam).

Books

Greenleaf, Graham. Asian Data Privacy Laws: Trade and Human Rights Perspectives. Oxford: Oxford University Press, 2014.

Hoeren, Thomas & Barbara Kolany-Raiser, eds. Big Data in Context: Legal, Social and Technological Insights. Cham: Springer, 2018.

Kalin, Roman Pascal. Digital Trade and Data Privacy. Cham: Springer, 2024.

Naef, Tobias. Data Protection without Data Protectionism: The Right to Protection of Personal Data and Data Transfers in EU Law and International Trade Law. Cham: Springer, 2023, DOI: 10.1007/978-3-031-19893-9.

Vicente, Dário Moura & Sofia de Vasconcelos Casimiro. Data Protection in the Internet. Cham: Springer, 2020.

Chapters and Journal Articles

Bạch Thị Nhã Nam. “Hoàn thiện pháp luật về bảo vệ dữ liệu cá nhân” (2022) 5 Nghiên cứu lập pháp 50.

Bạch Thị Nhã Nam. “Hướng tiếp cận và hoàn thiện pháp luật bảo vệ dữ liệu cá nhân tại Việt Nam trước tác động lập pháp của thế giới và khu vực” (2022) 8 Tạp chí Luật học 67.

Borgesius, Frederik Zuiderveen. “Breyer Case of the Court of Justice of the European Union: IP Address and the Personal Data Definition” (2017) 3:1 European Data Protection Law Review 1.

Burri, Mira. “Cross-Border Data Flows and Privacy in Global Trade Law: Has Trade Trumped Data Protection?” (2023) 39:1 Oxford Review of Economic Policy 85, online: SSRN ssrn.com/abstract=4349797.

Canellopoulou-Bottis, Maria & George Bouchagiar. “Personal Data v. Big Data: Challenges of Commodification of Personal Data” (2018) 8 Open Journal of Philosophy 206.

Cannataci, Joe, Valeria Falce & Oreste Pollicino. “Introduction: New Legal Challenges of Big Data” in Joe Cannataci, Valeria Falce & Oreste Pollicino, eds, Legal Challenges of Big Data. Cheltenham: Edward Elgar Publishing, 2020, [first page to be completed].

Chander, Anupam. “The Racist Algorithm?” (2017) 115 Michigan Law Review 1023.

Chhabria, Pushya. “Right to Privacy and Data Protection” (2021) 3:2 Indian Journal of Law and Legal Research 1.

Cristea, Silvia Lucia & Viorel Banulescu. “The Right to Personal Data Protection: The Right to Privacy — A Comparative Law Approach” (2018) 64:Special Issue Analele Stiintifice Ale Universitatii Alexandru Ioan Cuza Din Iasi Stiinte Juridice 1.

Custers, Bart & Gianclaudio Malgieri. “Priceless Data: Why the EU Fundamental Right to Data Protection is at Odds with Trade in Personal Data” (2022) 45 Computer Law & Security Review 1.

Davis, Kevin E & Florencia Marotta-Wurgler. “Contracting for Personal Data” (2019) 94:4 New York University Law Review 662.

Dudas, Gabor Janos, Andras Gyorgy Kovacs & Marton Schultz. “Personal Data as Consideration” (2023) 9:2 Santander Art & Culture Law Review 215.

Ferracane, Martina F. “The Costs of Data Protectionism” in Mira Burri, ed, Big Data and Global Trade Law. Cambridge: Cambridge University Press, 2021, [first page to be completed].

Fuentes, Itzayana Tlacuilo. “Legal Recognition of the Digital Trade in Personal Data” (2020) 12:2 Mexican Law Review [first page to be completed].

Gathii, James Thuo & Ntina Tzouvala. “Racial Capitalism and International Economic Law: Introduction” (2022) 25:2 Journal of International Economic Law 199.

Guo, Zhilong, Jie Hao & Lewis Kennedy. “Protection Path of Personal Data and Privacy in China: Moving from Monism to Dualism in Civil Law and then in Criminal Law” (2024) 52 Computer Law & Security Review [first page to be completed].

Hazel, Steven H. “Personal Data as Property” (2020) 70:4 Syracuse Law Review 1055.

Heward-Mills, Dyann & Helga Turku. “California and the European Union Take the Lead in Data Protection” (2020) 43:2 Hastings International & Comparative Law Review 319.

Jerome, Joseph. “California Privacy Law Shows Data Protection Is on the March” (2018) 33:1 Antitrust 96.

Laje, Alejandro & Klaus Schmidt. “The Right to Data Portability as a Personal Right” (2024) 13:4 Laws 1.

Lê Hằng. “Bảo vệ dữ liệu cá nhân trong thương mại điện tử” (2009) 3 Công nghiệp 7.

Malgieri, Gianclaudio. “Trade Secrets v Personal Data: A Possible Solution for Balancing Rights» (2016) 6:2 International Data Privacy Law 102.

Mann, Steve. “Computer Architectures for Protection of Personal Informatic Property: Putting Pirates, Pigs and Rapists in Perspective» (2000) 5 First Monday [first page to be completed].

Nguyễn Đức Bình. “Bảo vệ dữ liệu cá nhân người dùng mạng xã hội trong bối cảnh hội nhập quốc tế» (2021) 3 Phát triển Khoa học & Công nghệ: Khoa học – Kinh tế – Luật và Khoa học Quản lý 1764.

Nguyễn Quang Đồng & Nguyễn Lan Phương. “Dòng chảy dữ liệu cá nhân xuyên biên giới: Thực trạng và khuyến nghị chính sách» (2021) 10A Khoa học và Công nghệ Việt Nam 16.

Nguyễn Quỳnh Trang. “Pháp luật về bảo hộ dữ liệu cá nhân trong bối cảnh phát triển trí tuệ nhân tạo và các công nghệ số mới nổi khác» (2022) 50 Pháp luật và Thực tiễn 137.

Nguyễn Thị Thu Trang. “Bảo vệ dữ liệu cá nhân trong kỉ nguyên trí tuệ nhân tạo – Kinh nghiệm của châu Âu và kiến nghị hoàn thiện pháp luật Việt Nam” (2022) 10 Tạp chí Luật học 63.

Onnoghen-Theophilus, Ewuwuni. “Data Free Flow with Trust: ‘Yea’ or ‘Nay’ for Developing Countries” (2025) 6 TWAIL Review [first page to be completed].

Palmieri, Nicholas F III. “Who Should Regulate Data: An Analysis of the California Consumer Privacy Act and Its Effects on Nationwide Data Protection Laws” (2020) 11:1 Hastings Science & Technology Law Journal 37.

Phạm Thị Hiền & Nguyễn Thu Dung. “Pháp luật về bảo vệ dữ liệu cá nhân trong nền kinh tế số ở Việt Nam hiện nay” (2021) 25 Tạp chí Công thương 32.

Rose, Anne. “GDPR Challenges for Blockchain Technology” (2019) 2:1 Interactive Entertainment Law Review 35.

Rupp, Valentin & Max von Grafenstein. “Clarifying ‘Personal Data’ and the Role of Anonymisation in Data Protection Law” (2024) 52 Computer Law & Security Review 1.

Saluzzo, Stefano. “Cross Border Data Flows and International Trade Law: The Relationship Between EU Data Protection Law and the GATS” (2017) 31:4 Diritto del Commercio Internazionale 807.

Sharma, Gunjan & Abhinandan Bassi. “Balancing Privacy and Innovation: Assessing Data Protection Laws in the Modern Era” (2024) 35 Supremo Amicus 1.

Streinz, Thomas. “The Evolution of European Data Law” in Paul Craig & Gráinne de Búrca, eds, The Evolution of EU Law. Oxford: Oxford University Press, 2021.

Terpan, Fabien. “Article 52 of the Charter of Fundamental Rights: A Framework for the Limitation of Rights?” (2018) 3 European Papers 1091, online: www.europeanpapers.eu.

Trần Phương Thảo. “Bảo vệ dữ liệu cá nhân bằng biện pháp tố tụng dân sự ở Việt Nam hiện nay” (2024) 3 Tạp chí Luật học 39.

Trần Thị Thu Phương. “Quy định chung của liên minh Châu Âu về bảo vệ dữ liệu cá nhân và một số khuyến nghị đến Quốc hội, Chính phủ và doanh nghiệp Việt Nam” (2021) 23 Nghiên cứu lập pháp 41.

Trần Thị Thu Phương. “Quyền bảo vệ thông tin cá nhân theo cách tiếp cận của Hoa Kỳ và Liên minh châu Âu” (2021) 8 Bộ Khoa học và Công nghệ 57.

Trần Thị Thu Phương. “Thông tin cá nhân được bảo vệ theo pháp luật của một số quốc gia và gợi ý tham khảo cho Việt Nam” (2020) 8 Tạp chí Luật học 41.

Trakman, Leon, Robert Walters & Bruno Zeller. “Is Privacy and Personal Data Set to Become the New Intellectual Property?” (2019) 50 IIC 937.

Trakman, Leon, Robert Walters & Bruno Zeller. “Trade in Personal Data: Extending International Legal Mechanisms to Facilitate Transnational Trade in Personal Data?” (2020) 6:2 European Data Protection Law Review 243.

Trương Thị Thu Hà. “Luật bảo vệ dữ liệu GDPR – vì sao doanh nghiệp, tổ chức Việt Nam cần quan tâm?” (2022) 3 Tạp chí Công nghệ thông tin và truyền thông 130.

Tuthill, L Lee. “Cross-Border Data Flows: What Role for Trade Rules?” in Aik Hoe Lim & Bart De Meester, eds, Research Handbook on Trade in Services. Cheltenham: Edward Elgar Publishing, 2016, 357.

Velli, Federica. “The Issue of Data Protection in EU Trade Commitments: Cross-border Data Transfers in GATS and Bilateral Free Trade Agreements” (2019) 4:3 European Papers 881, online: www.europeanpapers.eu/ .

Vũ Công Giao & Lê Trần Như Tuyên. “Bảo vệ quyền đối với dữ liệu cá nhân trong pháp luật quốc tế, pháp luật ở một số quốc gia và giá trị tham khảo cho Việt Nam” (2020) 9 Nghiên cứu lập pháp 55.

Vũ Công Giao & Phạm Thị Hậu. “Pháp luật bảo vệ quyền bí mật dữ liệu cá nhân trên thế giới và Việt Nam” (2017) 2 Nhà nước và pháp luật 67.

Vũ Thị Thùy & Nguyễn Thị Thu Trang. “Cách mạng công nghiệp 4.0 với vấn đề đạo đức liên quan đến dữ liệu cá nhân” (2022) 616 Asia-Pacific Economic Review 114.

Warren, Adam. “Stolen Identity: Regulating the Illegal Trade in Personal Data in the Data-Based Society” (2007) 21:2 International Review of Law, Computers & Technology 177.

Wojtan, B. “The New EU Model Clauses: One Step Forward, Two Steps Back?” (2011) 1:1 International Data Privacy Law 76.

Yakovleva, Svetlana & Kristina Irion. “The Best of Both Worlds? Free Trade in Services and EU Law on Privacy and Data Protection” (2016) European Data Protection Law Review 20.

Yakovleva, Svetlana & Kristina Irion. “Pitching Trade against Privacy: Reconciling EU Governance of Personal Data Flows with External Trade” (2020) 10:3 International Data Privacy Law 201.

Yanamala, Anil Kumar Yadav, Srikanth Suryadevara & Venkata Dinesh Reddy Kalli. “Balancing Innovation and Privacy: The Intersection of Data Protection and Artificial Intelligence” (2024) 15:1 International Journal of Machine Learning Research in Cybersecurity and Artificial Intelligence 1.

Reports and Working Paper

Ryan D et al. “China’s New Data Security and Personal Information Protection Laws: What They Mean for Multinational Companies”, Skadden Publication (3 November 2021), online: Skadden www.skadden.com/.

Mattoo, Aaditya & Joshua P Meltzer. International Data Flows and Privacy: The Conflict and its Resolution, World Bank Policy Research Working Paper No 8431 (2018), online: SSRN ssrn.com/abstract=3175036.

Mishra, Neha. “Cross Border Data Flows in WTO Law: Moving Towards an Open, Secure and Privacy Compliant Data Governance Framework” (April 2020), online: SpicyIP spicyip.com/.

Scasserra, Sofia & Carolina Martínez Elebi. “Digital Colonialism: Analysis of Europe’s Trade Agenda”, Trade & Investment Policy Briefing, Amsterdam, Transnational Institute, 2021.

Online Sources

Ryan Anh Lê. “5 vụ án mua bán dữ liệu cá nhân chấn động dư luận”, Tạp chí điện tử VietTimes (25 June 2023), online: VietTimes viettimes.vn/.

BakerMcKenzie. “Data as an Asset: Key Themes Across Business Models and Multidisciplinary Trends” (September 2019), online: BakerMcKenzie www.bakermckenzie.com/en/-/media/files/insight/publications/2019/09/data-as-an-asset-report.pdf.

Bảo Bình. “Data Exchange to be Established”, VnEconomy (20 July 2025), online: VnEconomy en.vneconomy.vn/.

Bá Sơn. “Bắt nhóm mua bán dữ liệu của hàng triệu người để lừa đảo, trục lợi”, Tuổi Trẻ (17 February 2025), online: Tuổi Trẻ tuoitre.vn/.

Bhageshpur, Kiran. “Data Is the New Oil — and That’s a Good Thing”, Forbes (15 November 2019), online: Forbes Technology Council www.forbes.com/.

Islam, Md Toriqul. “A Brief Introduction to the Right to Privacy: An International Legal Perspective” (1 February 2022), online: Hauser Global Law School Program, New York University www.nyulawglobal.org/globalex/Right_To_Privacy_International_Perspective.html.

Lê Sơn. “Cần coi dữ liệu cá nhân là một loại tài sản phi truyền thống”, Báo Điện tử Chính phủ (8 June 2021), online: Government News baochinhphu.vn/.

Luscombe, Richard. “Virginia Governor Blocks Bill Banning Police from Seeking Menstrual Histories”, The Guardian (16 February 2023), online: The Guardian theguardian.com.

Meredith, Sam. “Facebook-Cambridge Analytica: A Timeline of the Data Hijacking Scandal”, CNBC (10 April 2018), online: CNBC www.cnbc.com/world/.

Minh Ngọc. “Những cuộc tấn công mạng lớn tại Việt Nam và thế giới”, Tạp chí Thị trường Tài chính Tiền tệ (28 May 2023), online: thitruongtaichinhtiente.vn/.

Ministry of Public Security (Vietnam). “Hồ sơ đề nghị xây dựng Luật Bảo vệ dữ liệu cá nhân” (29 February 2024), online: chinhphu.vn chinhphu.vn/.

Nam Kiên. “Vướng mắc, ‘xung đột’ pháp luật trong triển khai thực hiện Nghị định 13 về bảo vệ dữ liệu cá nhân”, Tạp chí Điện tử Pháp lý (7 July 2023), online: Pháp lý phaply.net.vn/.

Ng, Grace. “As US TikTok Users Flock to Chinese App Xiaohongshu, Interest in Mandarin Rises”, The Straits Times (19 January 2025), online: The Straits Times www.straitstimes.com/global.

Nguyễn Giang Trường. “Thực trạng về vấn đề bảo vệ dữ liệu cá nhân, kinh nghiệm một số quốc gia, khu vực và đề xuất hoàn thiện pháp luật ở Việt Nam hiện nay”, Tạp chí Công thương (24 October 2024), online: tapchicongthuong.vn/.

Nguyễn Hưng Quang & Lê Mai Phương. “Mua bán dữ liệu cá nhân – làm sao để hạn chế tiêu cực nhưng không hạn chế phát triển kinh tế của thời kỳ 4.0”, VNLawFind (16 November 2020), online: VNLawFind vnlawfind.com.vn/.

Phan Anh. “Phát hiện hàng nghìn GB dữ liệu cá nhân bị thu thập, mua bán trái phép trong đó có nhiều dữ liệu nhạy cảm”, VnEconomy (17 July 2024), online: VnEconomy vneconomy.vn/.

Quang Phong. “Chủ tịch Hà Nội lý giải về đề xuất chia sẻ dữ liệu dân cư”, Dân Trí (3 July 2018), online: Dân Trí dantri.com.vn/.

Quốc Trường. “Việt Nam trở thành mục tiêu chính trong cuộc tấn công bằng công cụ truy cập từ xa”, Tạp chí An toàn thông tin (7 April 2021), online: m.antoanthongtin.gov.vn/.

Quý Minh. “Bộ Công an đề xuất các quy định về thẩm quyền chuyển dữ liệu ra nước ngoài”, Tạp chí điện tử Luật sư Việt Nam (28 October 2024), online: lsvn.vn.

Smalley, Suzanne. “California Shuts Down Data Broker for Failing to Register”, The Record (1 March 2025), online: The Record therecord.media/.

Thế Vinh. “Dữ liệu tạo ra cuộc đua khai thác và kiểm soát nguồn tài nguyên ‘quý như vàng’”, Vietnamnet (3 September 2023), online: Vietnamnet vietnamnet.vn/.

Thúy Liên. “Buôn bán dữ liệu tại Trung Quốc”, Tạp chí Tri thức (28 December 2023), online: Tạp chí Tri thức znews.vn/.

Trọng Quỳnh & Phạm Thắng. “Hoàn thiện hệ thống pháp luật về bảo vệ dữ liệu cá nhân, phục vụ phát triển kinh tế, xã hội”, Cổng thông tin điện tử Quốc hội Việt Nam (5 March 2025), online: Quốc hội Việt Nam quochoi.vn/.

Vietnam Pictorial. “Hanoi Convention Reaches Fruition, Heralds New Era of Cyber Trust” (25 October 2025), online: Vietnam Pictorial vietnam.vnanet.vn/english/.

Zerdick, Thomas. “Pseudonymous Data: Processing Personal Data while Mitigating Risks”, European Data Protection Supervisor (21 December 2021), online: EDPS www.edps.europa.eu.

  1. Spiekermann et al., “Personal Data Markets” (2015) 25:2 Electronic Markets 91 at 91.
  2. Gabor Janos Dudas, Andras Gyorgy Kovacs & Marton Schultz, ‘Personal Data as Consideration’ (2023) 9:2 Santander Art & Culture L Rev 215.
  3. Martina F. Ferracane, “The Costs of Data Protectionism” in Mira Burri, ed, Big Data and Global Trade Law (Cambridge: Cambridge University Press, 2021).
  4. Svetlana Yakovleva & Kristina Irion, “Pitching Trade against Privacy: Reconciling EU Governance of Personal Data Flows with External Trade” (2020) 10:3 Int’l Data Priv L 201 at 205.
  5. Manon Oostveen and Kristina Irion, “The Golden Age of Personal Data: How to Regulate an Enabling Fundamental Right?” (2016) Institute for Information Law Research Paper 2016-06 at 8.
  6. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, 28 January 1981, ETS 108 at art 2(a) (entered into force 1 October 1985) [Convention 108]; OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (2001) at art 1(b) [OECD Guidelines].
  7. “[…] an identifiable natural person is one who can be identified, directly or indirectly […]” Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (2016) OJ L 119/1 at art 4(1) [GDPR].
  8. California Civil Code at sec 1798.140(v)(1) [CCPA]; Personal Information Protection Law of the People’s Republic of China 2021 at art 4 [PIPL].
  9. Bạch Thị Nhã Nam, “Xây dựng khái niệm dữ liệu cá nhân trong pháp luật Việt Nam tham chiếu kinh nghiệm của Liên minh châu Âu” (2022) 6 Ministry of Science and Technology at 22.
  10. Law on CyberInformation Security 2015, at art 3.15 [LCIS].
  11. Decree 13/2023/ND-CP on the Protection of Personal Data at art 2.1 [Decree 13].
  12. Personal Data Protection Law 2025, at art 2.1. [PDPL].
  13. Vũ Thị Thùy & Nguyễn Thị Thu Trang, “Cách mạng công nghiệp 4.0 với vấn đề đạo đức liên quan đến dữ liệu cá nhân” (2022) 616 Asia – Pacific Economic Review 114 at 114-115.
  14. Decree 13, supra note 11, at art 2.5.
  15. PDPL, supra note 12, at art 2.4.
  16. CCPA, supra note 8, at sec 1798.140(ad)(1).
  17. PIPL, supra note 8, at art 10.
  18. Decree 13, supra note 11, at arts 3.4, 22.2; PDPL, supra note 12, at arts 7.6, 8.3, 17.2.
  19. Bart Custers & Gianclaudio Malgieri, ‘Priceless Data: Why the EU Fundamental Right to Data Protection is at Odds with Trade in Personal Data’ (2022) 45 Computer Law & Security Review 1 at 2. The authors would like to point out that in the Vietnamese language, there are no distinct translations for the terms “commerce” and “trade”, as they are both referred to as “thương mại”. Understanding that sale or purchase (of goods, which is personal data in this context) is one form of commercial activity and that the term “personal data trade” is widely used in literature, the authors decide to use such term in this paper.
  20. Itzayana Tlacuilo Fuentes, ‘Legal recognition of the digital trade in personal data’ (2020) 12:2 Mex Law Rev at 96-98.
  21. Kevin E. Davis & Florencia Marotta-Wurgler, ‘Contracting for Personal Data’ (2019) 94:4 NYU L Rev 662 at 673.
  22. Ibid, at 670.
  23. Custers & Malgieri, supra note 19.
  24. This is problematic because businesses are profit-oriented and they cannot allocate an infinite amount of resources to ensure privacy. Even assuming that businesses are compliant, this would eventually result in the increased costs of goods and services (reflecting compliance costs), which is not beneficial to consumers.
  25. From the consumer perspective, in most cases, it is worth it to sacrifice a bit of privacy in exchange for a great service. An example is the reaction to the TikTok ban in the US recently. Despite the government’s explanation of the ban as a security measure, US social media users expressed discontent, to the point of “crashing” into Xiaohongshu – another Chinese social media platform, where they referred to themselves as “TikTok refugees”. See Grace Ng, ‘As US TikTok users flock to Chinese app Xiaohongshu, interest in Mandarin rises’ The Straits Times (19 January 2025), online: https://www.straitstimes.com/global.
  26. OECD Guidelines, supra note 6; APEC Privacy Framework 2017.
  27. Thomas Streinz, “The Evolution of European Data Law” in Paul Craig & Gráinne de Búrca, eds, The Evolution of EU Law (Oxford: Oxford University Press, 2021) at 910.
  28. Ibid.
  29. A current major goal of the EU is to create a Digital Single Market. In 2015, the EU launched its strategy to expand the European Single Market consisting of the “four freedoms” (the free flow of goods, capital, services, and labour) with a fifth freedom – the free flow of data. See A Digital Single Market Strategy for Europe, COM(2015)192 final.
  30. Streinz, supra note 27, at 903.
  31. GDPR, supra note 7, at arts 5-10.
  32. Directive (EU) 2019/770 on contracts for the supply of digital content and digital services at art 3.1.
  33. “The economic use of personal data can deliver up to EUR 330 billion in annual economic benefit to organizations in Europe alone by 2020”; Spiekerman et al., supra note 1, at 91.
  34. Custers & Malgieri, supra note 19.
  35. Charter of Fundamental Rights of the European Union at art 8.
  36. Dyann Heward-Mills & Helga Turku, “California and the European Union Take the Lead in Data Protection” (2020) 43:2 Hastings Int’l & Comp L Rev 319.
  37. CCPA, supra note 8, at sec 1798.120.
  38. Virginia Code at sec 59.1-577.A.5; Colorado Revised Statutes at sec 6-1-1313; Connecticut Public Act No. 22-15, at sec 4(a)(5); Utah Code at sec 13-61-201(4)(b).
  39. GDPR, supra note 7, at arts 5-10; Brazil General Data Protection Law at art 7; Singapore Personal Data Protection Act 2012 at art 13.
  40. CCPA, supra note 8, at sec 1798.140(d).
  41. Ibid, at sec 1798.99.82(a).
  42. Ibid, at sec 1798.199.10.
  43. Suzanne Smalley, ‘California shuts down data broker for failing to register’, TheRecord (01 March 2025) online: https://therecord.media/.
  44. Ryan D. Junck Bradley A. Klein Akira Kumaki Ken D. Kumayama Steve Kwok Stuart D. Levi Siyu Zhang, ‘China’s New Data Security and Personal Information Protection Laws: What They Mean for Multinational Companies’, Skadden Publication (3 November 2021) online: https://www.skadden.com/.
  45. ‘Tin tặc rao bán dữ liệu cá nhân của một tỷ người dân Trung Quốc’, VTV Digital (05 July 2022) online: https://vtv.vn/.
  46. ‘6 cơ quan Chính phủ Trung Quốc công bố Kế hoạch chống thu thập, mua bán dữ liệu bất hợp pháp’, Tạp chí An toàn thông tin (30 January 2025), online: https://m.antoanthongtin.gov.vn/.
  47. Thúy Liên, ‘Buôn bán dữ liệu tại Trung Quốc’, Tạp chí Tri thức (28 December 2023), online: https://znews.vn/.
  48. Ibid.
  49. Ibid.
  50. Bạch Thị Nhã Nam, supra note 9, at 23.
  51. Decree 13, supra note 11, at arts 9 and 22.1; PDPL, supra note 12, at arts 9, 10, 37.
  52. PDPL, supra note 12, at art 2.6.
  53. Decree 13, supra note 11, at art 3.4.
  54. Ibid, at art 22.2.
  55. Viet Nam Civil code 2015 at art 117.1.c.
  56. PDPL, supra note 12, at arts 7.6, 8.3.
  57. Ibid, at art 17.2.
  58. Law on Data 2024, at art 42.
  59. Bảo Bình, “Data exchange to be established”, VnEconomy (20 July 2025), online: https://en.vneconomy.vn/. It is likely that personal data will need to be de-identified to become eligible for transactions on data exchange platforms. However, as established in the PDPL at article 2.1, personal data, once de-identified, is no longer considered personal data. This raises the question of to what extent would this kind of data be useful to businesses, if it cannot assist in the identification of specific individuals. Undoubtedly, access to such data would definitely be of use for business research and analytics, but it is personal data that is needed in order to create personalised advertisements for individual consumers.
  60. Quốc Nam, ‘Đường dây thu thập 17 triệu dữ liệu thông tin cá nhân rồi đem bán’, Báo Tuổi trẻ, online: https://tuoitre.vn/.
  61. Anh Lê, ‘5 vụ án mua bán dữ liệu cá nhân chấn động dư luận’, Tạp chí điện tử VietTimes (25 June 2023), online: https://viettimes.vn/.
  62. Bình Nhi, Linh Giang, Trần Bách, Lâm Nhi, Trần Gia, ‘Nhức nhối nạn mua bán thông tin dữ liệu’, Báo Nhân dân, online: https://nhandan.vn/hangthang/.
  63. Ibid.
  64. Ibid.
  65. While it is suggested in Article 42 of the Law on Data 2024 that digital data with the consent of data subjects is not banned from transactions on data exchange platforms, this seems not to include personal data because digital data in the same law is defined as “data on things, phenomena, and events, including one or a combination of audio, images, numbers, letters, and symbols in digital form” (Article 3.1).
  66. Ibid.
  67. Phan Anh, “Phát hiện hàng nghìn GB dữ liệu cá nhân bị thu thập, mua bán trái phép trong đó có nhiều dữ liệu nhạy cảm”, Vneconomy (17 July 2024), online: https://vneconomy.vn/.
  68. “Viettel IDC đáp ứng Nghị định 13/2023/NĐ-CP về Bảo vệ dữ liệu cá nhân”, online: https://viettelidc.com.vn/.
  69. Nam Kiên, “Vướng mắc, «xung đột» pháp luật trong triển khai thực hiện Nghị định 13 về bảo vệ dữ liệu cá nhân”, Tạp chí Điện tử Pháp lý (7 July 2023), online: https://phaply.net.vn/.
  70. Bình Nhi et al., supra note 62.
  71. Trần Thị Thu Phương, “Quyền bảo vệ thông tin cá nhân theo cách tiếp cận của Hoa Kỳ và Liên minh châu Âu” (2021) 08 Bộ Khoa học và Công nghệ 57 at 60.
  72. Steve Mann, “Computer architectures for protection of personal informatic property: Putting pirates, pigs and rapists in perspective” (2000) 05 First Monday.
  73. Law on Data 2024, at art 3.15.
  74. Gianclaudio Malgieri & Bart Custers, “Pricing Privacy – The Right to Know the Value of Your Personal Data” (2017) Computer Law & Security Review 01 at 03.
  75. Ibid.
  76. Maria Canellopoulou-Bottis & George Bouchagiar, “Personal Data v. Big Data: Challenges of Commodification of Personal Data” (2018) 8 Open Journal of Philosophy 206 at 211.
  77. Resolution No. 57-NQ/TW on Breakthroughs in the Development of Science, Technology, Innovation, and National Digital Transformation.
  78. “Dữ liệu là nguồn tài nguyên mới, là yếu tố then chốt cho chuyển đổi số quốc gia”, Chuyên trang Chuyển đổi số – Bộ Tư pháp (15 February 2024), online: https://dx.moj.gov.vn/Pages/home.aspx.
  79. Quốc Trường, “Việt Nam trở thành mục tiêu chính trong cuộc tấn công bằng công cụ truy cập từ xa” Tạp chí An toàn thông tin (07 April 2021), online: https://m.antoanthongtin.gov.vn/.
  80. “Nhiều hệ thống thông tin còn lỗ hổng bảo mật”, Báo Lao động (22 October 2024), online: https://vnexpress.net/.
  81. Bá Sơn, “Bắt nhóm mua bán dữ liệu của hàng triệu người để lừa đảo, trục lợi”, Tuổi trẻ Online (17 February 2025), online: https://tuoitre.vn/.
  82. Bình Nhi et al., supra note 62.
  83. Law on Data 2024, at art 3.15.
  84. Law on Real Estate Business 2023 and Law on Intellectual Property 2005 and the Decrees and Circulars guiding their implementation.
  85. “Data as an asset: key themes across business models and multidisciplinary trends”, BakerMckenzie (September 2019), online: https://www.bakermckenzie.com/en/-/media/files/insight/publications/2019/09/data-as-an-asset-report.pdf.
  86. Supra note 32.
  87. “Hanoi Convention reaches fruition, heralds new era of cyber trust”, Vietnam Pictorial (25 October 2025), online: https://vietnam.vnanet.vn/english/.
  88. PDPL, at art 36.2: “The Ministry of Public Security of Viet Nam shall assume responsibility before the Government of Viet Nam for implementing state management of personal data protection, excluding the contents under the management of the Ministry of National Defense of Viet Nam”.


Laisser un commentaire

Titre de la publication Nouveaux enjeux, nouveaux acteurs, nouvelles dynamiques : vers une nouvelle mondialisation économique ? New Challenges, New Actors, New Dynamics: Towards a New Global Economic Order?
Sous-titre de la publication Actes du colloque étudiant 2025 2025 Student Conference Proceedings
Auteur Richard OUELLET, LY Van Anh, NGUYEN Ngoc Ha, HA Cong Anh Bao et Antoine COMONT (direction)
Titre du chapitre Balancing Between Personal Data Protection and Personal Data Trade
Sous-titre du chapitre A Legal Challenge
Auteur du chapitre NGUYEN Thao Nhi and NGUYEN Tra My
Date avril 22, 2026
Nombre de pages 662
ISBN livre imprimé 9781917723596
ISBN ebook 9781917723602
DOI 10.55778/ts917723596
Droit d'auteur2026

TeseoPress

Le contenu de cette publication est de la responsabilité exclusive de leur/s auteur/s.