Vietnam's cybersecurity agency calls for objective review of Zalo's user data collection practices

Speaking at a forum titled ‘Personal Data Protection – Rights and Responsibilities’ in Hanoi on Wednesday, Colonel Nguyen Hong Quan, deputy head of the Department of Cybersecurity and High-Tech Crime Prevention under the Ministry of Public Security, said determining whether Zalo’s actions are right or wrong would require a thorough and case-specific assessment

His remarks came amid a series of developments involving Zalo, operated by VNG Corporation, after the popular Vietnamese messaging platform recently revised its terms of service to significantly expand the scope of personal data collection.

The update sparked widespread public criticism and drew regulatory scrutiny, including a summons and follow-up directives from the Vietnam National Competition Commission, which ordered VNG to implement immediate measures to safeguard user rights.

Under the revised terms, Zalo plans to collect a wide range of user data, from basic information such as phone numbers, full names, gender, and family relationships to more sensitive details including citizen ID numbers, location data, usage behavior, and interaction content.

The changes triggered strong reactions online, with many users saying they were given only an ‘accept all’ option to continue using the app, without the ability to selectively consent to specific categories of data.

Users who refuse face account deletion after 45 days, a policy that has fueled intense debate across social media platforms and online forums.

The controversy unfolded just days ahead of January 1, 2026, when Vietnam’s Law on Personal Data Protection came into force.

According to Quan, service providers bear primary responsibility for publicly disclosing how user data is collected and used.

While noting that Zalo has sought user feedback during service use, he stressed that the scope, purpose, and legality of data usage must be assessed in an objective and cautious manner.

“As a Vietnamese law enforcement agency, we will take all necessary measures to ensure the full and fair enforcement of the Law on Personal Data Protection, without discrimination between domestic and foreign enterprises,” Quan said.

Also speaking at the forum, Nguyen Dinh Do Thi, deputy head of the Planning Division at the aforementioned department, pointed to recent complaints from users of e-commerce platforms who reported receiving scam calls allegedly linked to leaked personal information.

Thi emphasized that under the Law on Personal Data Protection, all organizations involved in controlling or processing personal data are required to establish a dedicated personal data management function.

He cited enforcement practices in Europe, where fines of up to US$30,000 have been imposed on entities that failed to put such mechanisms in place.

In Vietnam, he said, organizations must designate personnel responsible for overseeing personal data processing and ensuring legal compliance, adding that data protection requirements should be incorporated from the earliest stages of information system design.

Thi noted that the new law applies not only to Vietnamese individuals and organizations, but also to foreign entities operating in Vietnam, as well as organizations directly involved in personal data management activities.