The Vietnamese Ministry of Public Security (“MPS”) released the Draft Decree on Sanctions against Administrative Violations in Cybersecurity (“Draft Decree”) for public consultation on 20 September 2021. The public consultation period will close on 18 November 2021. The scheduled effective date is 1 December 2021.
Intended to be a consolidation of administrative sanction provisions for violations occurring in cyberspace, this Draft Decree is the latest of the draft instruments unveiled by the MPS to sit under the Law on Cybersecurity 2018 (“Cybersecurity Law”). Prior to this, a separate draft decree expanding on, among others, the Cybersecurity Law’s data localization requirement was released in 2019, and the draft Decree on Personal Data Protection (“Draft PDP Decree”) earlier this year. If passed as currently worded, the Draft Decree will invalidate several provisions on administrative sanctions in the field of postal services, telecommunications, radio frequencies, information technology and electronic transactions under the existing Decree 15/2020/ND-CP.
This Draft Decree specifies acts constituting administrative violations, relevant sanctions, and remedial measures. It can largely be divided into the following three categories: (i) violations in relation to personal data protection, (ii) cybersecurity violations, and (iii) information security violations. The Draft Decree covers violations of provisions under, among others, the Cybersecurity Law and the Draft PDP Decree. We note that this Draft Decree appears to be based on version of the Draft PDP Decree that has not been shared with the public.
The Draft Decree’s proposed extra-jurisdictional scope is expected to impact domestic and offshore entities. In particular, the Draft Decree includes sanctions for violations for of the Cybersecurity Law’s yet-to-be enforced data localization provision which requires storage of certain types of data in Vietnam and establishment of local presence, as well as the Draft PDP Decree’s proposed requirements for cross border transfer of personal data. Though the data localization and cross border transfer personal data requirements have long been topics of debate due to concerns around, among others, administrative/financial burdens and impacts on data/trade flows, this Draft Decree appears to reflect the Government’s intention to proceed forward them.
Depending on the violation, monetary fines can range from VND 10 – 100 million (approx. US$440 – 4,400). The Draft Decree also provides that the fines levied on companies can be twofold. In serious cases (e.g., repeated violations), the fine can be fivefold or the 5% of the revenue in the Vietnam market of the violating company.
By way of background, the MPS issued this Draft Decree to address growing concerns over cyberspace violations and lack of relevant sanctions under existing legal instruments. According to the proposal accompanying the Draft Decree, the MPS’ areas of focus appear to be, among others, cyberattack/cyber espionage activities, disclosure/loss of state secrets through cyberspace, posting of illegal content on cyberspace, and potential violations on e-commerce platforms.
Violations and their corresponding sanctions under the Draft Decree are provided in the table below.
Category |
Violations |
Sanction(s) |
Personal Data Protection |
Violations in relation to consent |
|
o Processing of personal data without data subjects’ consent o The consent is not explicit o The consent is misused o The consent cannot be printed or copied in writing o Failure to inform that the consent can be made partial or conditional o Failure to inform data subjects that processed data is classified sensitive data o Continuing to process personal data after data subjects have decided differently, or per competent authorities’ written requests o Failure or refusal to confirm entity is in possession of data subject consent o Preventing or intentionally causing difficulties when data subjects want to withdraw consent o (Applicable to Data Controllers) Failure to notify data subjects of possible consequences when consent is withdrawn |
VND 60 – 80 million (approx. US$ 2,640 to 3,500) |
|
Violations in relation to notification of personal data processing |
||
o Failure to notify data subjects before updating, disclosing, or deleting personal data o Failure to comply with the PDP Decree’s requirements on content/format of notification |
VND 60 – 80 million (approx. US$ 2,640 to 3,500) |
|
Violations in relation to personal data protection measures |
||
o Failure to apply management, technical and physical measures to protect personal data o Failure to issue documents on personal data protection detailing on the compliance with the PDP Decree |
VND 60 – 80 million (approx. US$ 2,640 to 3,500) |
|
o Failure to appoint a department/an officer in charge of protecting personal data and making reports to competent authorities o Failure to conduct cybersecurity checks before processing, deleting, or destroying devices containing personal data |
VND 80 – 100 million (approx. US$ 3,500 to 4,400) |
|
Violations in relation to cross-border data transfer |
||
o Failure to fulfill the PDP Decree’s criteria for cross-border data transfer o Failure to provide sufficient information when assessing the impact of cross-border personal data transfer o Failure to have no agreement to legally bind those involved in the transfer/receipt of Vietnamese citizens’ personal data |
VND 60 – 80 million (approx. US$ 2,640 to 3,500)* |
|
o Failure to present required documents in relation to cross-border data transfer upon inspection by authorities/submit such documents to the authorities withing the first 60 working days of operation o Failure to notify the authorities of contact details of individual in charge when transfering data successfully o Leakage or causing loss of personal data as a result of cross-border transfer + impact 10,000 Vietnamese data subjects and above |
VND 80 – 100 million (approx. US$ 3,500 to 4,400) (This sum will be twofold or threefold depending on the gravity of the violation)* |
|
* In addition to monetary fines, violating entities may also have to: · take remedial measure(s) such as issuance of public apologies on mass media and paying compensation; and/or · be subject to additional sanction(s) such as: o cease provision of services o take measures to remedy consequences o revocation of service operation license o suspension of data processing o cease processing of personal data |
||
Cybersecurity Violations |
Violations in relation to users’ data |
|
o Failure to verify users’ personal data upon their registration o Failure to secure users’ data and account o Failure to provide or delay the provision of users’ data to cybersecurity forces for their investigation o Failure to prevent the spread of/failure to remove violating content as prescribed in the Cybersecurity Law within 24 hours upon request of competent authorities |
o VND 60 – 80 million (approx. US$ 2,640 to 3,500) o Revocation of service operation license and business license |
|
Violations in relation to data localization |
||
o Failure to store users’ data in Vietnam, establish a local branch or representative office in accordance with the Cybersecurity Law |
o VND 80 – 100 million (approx. US$ 3,500 to 4,400) o Revocation of business license |
|
Information Security Violations |
Violations in relation to handling of violating content |
|
o Failure to employ technical measures to prevent, detect, block, and remove violating content o Failure to cooperate with competent authorities in implementing management and technical measures to prevent, detect, block and remove violating content o Failure to take technical and managerial measures to prevent, detect, block and remove violating content per request of competent authorities o Failure to remove violating content per request of competent authorities o Failure to provide information about violating content on the online service provider’s information system, product, or service. |
o VND 40 to 60 million (approx. US$ 1,750 to 2,640) (up to VND 100 million – US$ 4,400 per repeated violation) o Revocation of business license o Removal of violating content o Public apology on mass media |