The Ministry of Public Security (MPS) has recently submitted an updated version of the draft Cybersecurity Administrative Sanctions Decree (CASD) to the Ministry of Justice (MOJ).
The authorities currently have a very ambitious plan to issue the CASD in May 2024 and for it to take effect as of 1 June 2024. This legal instrument clearly indicates the MPS’s ambition to enforce compliance with Decree No. 13/2023/ND-CP on personal data protection (PDPD), the Cybersecurity Law and Decree No. 53/2022/ND-CP guiding the law. The MPS’s proactive actions in enforcing the PDPD also include initiating the first investigation into the PDP compliance of companies in different sectors (including e-commerce, banking and finance, intermediary payments, gaming, education and healthcare). All of these steps by the MPS show its eagerness to develop a PDP legal framework, alongside the notable Law on personal data protection (PDPL), which is in the pipeline.
The latest draft has been revised in response to feedback from the public consultation in mid-2023 but maintains a level of continuity with its previous version. One of the draft CASD’s key highlights is that it retains significant points of concern for businesses, i.e.:
- The imposition of punitive fines amounting to up to 5% of their revenue in the preceding financial year or profits earned within Vietnam:
  - Some violations proposed to be subject to this fine, together with the main sanction, are:
    - Leaking the personal data of 5 million or more Vietnamese citizens.
    - Repetitive violation of PDP regulations in providing marketing and advertising services.
  - This fine has sparked debate due to its potential conflict with the Administrative Sanction Law, which caps the maximum monetary fine for organizations at VND 2 billion (approx. USD 78,562).
  - The MPS explained in the draft CASD’s proposal that in 2021 it consulted with the National Assembly Standing Committee (NASC) on the Government’s behalf about applying this fine for certain violations of PDP regulations.
  - As the CASD is drafted in accordance with the Administrative Sanction Law, alignment with the maximum fine provision is imperative. Thus, stakeholders are advised to monitor updates regarding the MPS’s engagement with the NASC closely.
- An up-to-three-month revocation of the right to use the business license for sectors that require personal data collection:
  - This would pose substantial risks of interfering with businesses’ normal operations.
  - This revocation is proposed to apply to, among other violations:
    - Failure to cease processing personal data after the data subject has withdrawn consent.
    - Failure to prepare a data processing impact assessment.
In comparison to the draft CASD released in mid-2023, this draft introduces several modifications aimed at refining the regulatory framework. Notable updates are as follows:
- Fines for various violations have been reduced, with certain penalties experiencing a significant decrease of up to 75%.
- A new sanction of suspending a business’s operations for up to three months has been introduced, while the remedial measure halting PD processing for one to three months has been removed.
- Proposed provisions on deadlines for deleting personal data and notifying data breaches have been clarified to exclude weekends, holidays, and New Year’s Day from the respective 48-hour and 72-hour timeframes.
The CASD’s remaining legislative process involves the MOJ’s appraisal of the draft, the MPS’s finalization in accordance with the MOJ’s comments and subsequent submission to the government for issuance. While the remaining process indicates that the issuance date of 1 June 2024 is quite tight, businesses are urged to take steps to comply with cybersecurity and PDP regulations in Vietnam.
Authors: Yen Vu, Ly Nguyen and Uyen Doan.