20 July 2025

Vietnam Faces Rising Threats To Personal Data Privacy

Amid AI’s growth and rampant data breaches, new laws and platform responsibilities aim to safeguard personal information in Vietnam’s digital age

In today’s digital world, artificial intelligence (AI) is becoming an inseparable part of everyday life, from smartphones and search engines to self-service kiosks. However, behind the convenience AI promises lurks a growing concern: the alarming demand for access to personal data. Recent developments reveal that AI tools are increasingly requiring sweeping permissions to users’ private information, raising serious questions about privacy and security.

Take, for example, Perplexity’s latest Comet web browser, which integrates AI search and automates tasks like summarizing emails and managing calendar events. A recent TechCrunch investigation uncovered that when Comet requests access to a user’s Google Calendar, it simultaneously demands extensive permissions. These include managing and sending emails, downloading contacts, viewing and editing all calendar events, and even copying entire company staff contacts. While Perplexity insists that most data remains stored locally, it openly acknowledges using personal information to improve AI models for other users. This scenario is far from isolated; a trend is emerging where AI applications promise to save time by transcribing meetings or calls but require access to real-time private conversations, calendars, contacts, and more.

Even tech giant Meta is pushing boundaries, experimenting with AI applications that access users’ camera rolls, including photos not yet uploaded. Meredith Whittaker, president of Signal, recently likened the use of AI agents and assistants to "putting your brain in a jar." She explained that for AI to perform simple tasks like booking a restaurant table or purchasing concert tickets, it demands access to sensitive areas: saved passwords, bookmarks, browsing history, credit card details, calendars, and contacts. This level of access grants AI agents the power to act autonomously on behalf of users, requiring a high degree of trust in technologies prone to errors or even fabrications.

Granting such permissions means irrevocably handing over a snapshot of one’s most sensitive personal data at that moment—including emails, messages, and calendar entries that may span years—all for the sake of convenience. Moreover, users must trust the for-profit companies behind these AI products, which rely on personal data to enhance their models. When malfunctions occur, which is common, employees often review private user prompts to diagnose issues, further complicating privacy concerns.

From a security standpoint, the cost-benefit analysis of connecting AI to sensitive personal data often does not justify the risks. Any AI application requesting such extensive permissions should trigger alarm bells, much like a flashlight app demanding constant location access. Users must critically assess whether the benefits truly outweigh the potential exposure of their private information.

Meanwhile, the broader digital landscape is grappling with an alarming surge in data breaches and illegal personal data trading, particularly in Vietnam. According to the Cybersecurity and High-Tech Crime Prevention Department, authorities detected and handled 56 cases of illegal personal data trading in the first half of 2025 alone, involving over 110 million records. Viettel Cyber Security Company reported that in 2024, Vietnam accounted for 14.5 million leaked accounts—12% of the global total. The scale of data leaks is staggering, with 134 incidents exposing nearly 294 million customer records and 184.3 gigabytes of sensitive data.

The types of data compromised range from basic identifiers—names, addresses, phone numbers, emails—to highly sensitive information such as bank transaction histories, medical records, web browsing histories, and biometric data. The fallout is severe: individuals fall victim to scams, spam calls, identity theft, and fraudulent activities, while businesses suffer financial losses and reputational damage.

This rampant data exposure is fueled by the growing demand for personal data in business operations, incentivizing illegal data collection. Compounding the problem are vulnerabilities within organizations’ information systems, including loopholes in regulations and exploitation procedures, which facilitate data theft and misuse. Public awareness about protecting personal data remains limited, leaving many users unaware of their rights and vulnerable to exploitation.

The rise of AI further complicates this picture. AI’s ability to analyze and synthesize vast amounts of data enables unprecedented profiling of user behavior and habits, posing new challenges to privacy, personal secrets, and family confidentiality in cyberspace. Recognizing this, Vietnam has enacted foundational legal frameworks such as the Cybersecurity Law of 2018 and Decree 13/2023/ND-CP on personal data protection. More recently, the Personal Data Protection Law was passed on June 25, 2025, set to take effect January 1, 2026. This law introduces revenue-based penalties for severe violations, with fines up to 5% of the previous year’s revenue.

Experts urge citizens to familiarize themselves with the new law to understand their rights and demand compliance from data processors. Authorities are also called upon to intensify public education campaigns to raise awareness about personal data rights and responsibilities.

Digital platforms—social networks, e-commerce sites, and utility applications—hold vast troves of personal data and bear primary responsibility for safeguarding it. Many are bolstering defenses through enhanced encryption, mandatory multi-factor authentication, improved privacy management tools, anti-phishing and malware detection, strict third-party app controls, and rapid incident response teams. Yet, the threat landscape evolves rapidly, with increasingly sophisticated hackers and the proliferation of Ransomware-as-a-Service (RaaS) making attacks easier and more dangerous.

IT engineer Lam Quan emphasizes the need for platforms to adopt "security by design," embedding data protection at every stage of product development. This approach involves investing in end-to-end encryption, robust security architectures, and regular independent vulnerability assessments. Platforms should also harness AI as an ally to analyze user behavior and build intelligent defense systems that proactively detect and block threats.

Data protection must be viewed as a strategic investment rather than a mere cost. Platforms are expected to provide clear privacy policies and user-friendly tools that allow individuals to access, edit, delete, and control the sharing of their personal information. Transparency is critical; in the event of a breach, platforms must notify users promptly and openly to enable timely responses. Collaboration with regulatory agencies, such as the Information Security Authority and the Ministry of Public Security, is essential to investigate incidents and combat cybercrime. Additionally, platforms bear responsibility for community education, empowering users to protect themselves better.

The Personal Data Protection Law also sets clear boundaries on social media and online media providers. Article 29 prohibits forcing users to provide images or videos containing identification documents for account verification, a vital measure to prevent sensitive data abuse. The law mandates transparency about the scope and purpose of data collection, and it requires mechanisms for users to access, edit, and delete data, set privacy preferences, and report security violations.

It further details rules for deleting, destroying, and de-identifying personal data, prohibiting unauthorized restoration of deleted data. Data controllers must implement technical safeguards against unauthorized access and restoration. Users have reciprocal responsibilities to protect their data, respect others’ data, provide accurate information as required, and comply with data protection laws. Agencies and organizations must facilitate the exercise of these rights without obstruction and respond promptly to legitimate requests.

The law’s principles, effective from January 1, 2026, emphasize compliance with the Constitution and relevant laws, data collection within clear and lawful purposes, data accuracy and appropriate retention periods, and robust institutional, technical, and human safeguards. It calls for proactive prevention, detection, and strict handling of violations, balancing personal data protection with national interests and legitimate organizational rights.

To enforce these mandates, the law establishes specialized inspection mechanisms to monitor compliance, detect abuses early, and protect citizen privacy. It requires transparent violation reporting and remedial actions. Organizations must build internal risk management frameworks and train employees on security and legal compliance.

Colonel Trieu Manh Tung recently underscored that entities involved in personal data processing must rigorously study and implement the new law to avoid severe penalties once it takes effect. Ultimately, effective protection of personal data in cyberspace requires a triad of efforts: robust regulatory oversight, vigilant self-protection by users, and proactive responsibility from digital platforms.

Only by ensuring these three pillars can Vietnam foster a safe, positive online environment and advance confidently in its digital transformation journey toward a healthy and prosperous digital society.