Vietnam’s Latest Draft Decree on Sanctions for Cybersecurity Violations


Vietnam’s latest draft decree on sanctions for violations in cybersecurity and data protection details stringent fines and other penalties, targeting implementation from June 1, 2024. Though further updates and revisions could be made, businesses are advised to prepare for risk exposure in advance.


In recent years, Vietnam has been steadily constructing a comprehensive legal framework to effectively manage activities in cyberspace, focusing particularly on personal data protection. Significant milestones in this effort include the 2018 Law on Cybersecurity, Decree No. 53/2022/ND-CP, and the recent Decree No. 13/2023/ND-CP, which marks the country’s first comprehensive legislation on personal data protection. However, the framework’s enforcement mechanism remains incomplete without the stipulation of sanctions for non-compliance.

To address this gap, Vietnam’s Ministry of Justice released the latest draft decree on administrative sanctions for cybersecurity violations (“Draft Sanction Decree”) on its online platform to solicit feedback from the community and stakeholders. Following the Ministry of Justice’s review, the Ministry of Public Security (MPS), responsible for drafting the decree, may make further revisions before submitting it to the government for final approval. The decree is expected to take effect on June 1, 2024.

The strict penalties for breaches involving personal data are retained in this version from the previous draft, reflecting the MPS’s commitment to enforcing the Personal Data Protection Decree (PDPD).

Key provisions of the draft decree

Expected effective date

The MPS has proposed June 1, 2024, as the effective date, without a grace period. However, given that certain provisions may still need refinement, it is possible that this date could be rescheduled.

No new obligations

The Draft Sanction Decree does not impose new obligations on organizations or individuals but outlines the administrative sanctions that could be imposed on violators starting June 1, 2024, as indicated in Article 49. This indicates the MPS’s readiness to enforce compliance with the obligations under the 2015 Law on Network Information Security, the 2018 Law on Cybersecurity and its guiding decree (Decree 53 – 2022), and the PDPD.

Severe penalties and sanctions for data protection violations

It should be noted that many fines related to PDPD violations have been reduced compared to the previous draft. However, the maximum fixed monetary fine remains VND 1 billion (approx. US$39,285), and severe violations can incur penalties up to 5 percent of the violating enterprise’s turnover in the previous fiscal year in Vietnam.

Specific violations include:

  • Repeated breaches of personal data protection regulations in marketing and advertising
  • Repeated illegal collection, transfer, purchase, and sale of personal data
  • Disclosure or misplacement of the personal data of 5 million or more Vietnamese citizens

The severity of the fines escalates with the number of affected citizens:

  • Up to 5 percent of total revenue for violations impacting over five million citizens.
  • Fines of up to VND 500,000,000 for breaches affecting one to five million citizens.
  • Fines of up to VND 200,000,000 for breaches impacting 100,000 to one million citizens.

For organizations, these fines could double, potentially reaching 10 percent of their total revenue.

For cross-border violations involving the personal data of over 5 million Vietnamese citizens, fines can range from 3 percent to 5 percent of the enterprise’s previous fiscal year turnover in Vietnam.

Additional penalties for certain violations may include revocation of licenses, confiscation of means used for violations, and various remedial measures, such as suspension from processing personal data, destruction or unrecoverable deletion of personal data, and return of illegal profits.

Retroactive sanctions

Article 50.1 of the Draft Sanction Decree details the transitional provisions for administrative violations in cybersecurity. It clarifies that the decree is not retroactive, stating that violations occurring before its effective date but discovered or reviewed after will be subject to the regulations in force at the time of the violation. If the Draft Sanction Decree imposes lighter sanctions or none for past acts, those provisions will prevail.

Room for interpretation

Despite its advanced stage, the Draft Sanction Decree contains provisions that conflict with existing laws. For instance:

  • Data subject requests: Decree 13 allows 72 hours to respond to data subject requests, while the draft decree shortens this to 48 hours, creating a discrepancy.
  • Data storage conditions: Decree 13 permits data storage with valid consent, whereas the draft decree imposes additional requirements, such as contracts or documents from competent authorities, potentially conflicting with the existing law.
  • Changes from previous draft: The Draft Sanction Decree no longer includes Article 50.2 from the previous draft, which would have annulled various penalties for administrative violations under Decree No. 15/2020/ND-CP, as amended (“Decree 15”). Therefore, the sanctions under Decree 15 are expected to remain in effect. However, under Vietnamese law, a company cannot be fined twice for the same violation, so the relevant authority will need to choose whether to apply sanctions under the Draft Sanction Decree or Decree 15.

Conclusion

The draft decree signifies a crucial step towards a cohesive legal framework for cybersecurity and personal data protection in Vietnam. However, the identified inconsistencies suggest that further review and refinement are necessary. As the decree’s official enactment may be delayed, businesses involved in personal data processing should proactively ensure compliance with current regulations to avoid potential penalties from June 1, 2024.

For more information on how the draft decree might impact your operations and to ensure compliance, please reach out to our advisors at vietnam@dezshira.com.

About Us

Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Asia, including ASEAN, China, and India. For assistance with investments into Vietnam, please contact us at vietnam@dezshira.com or visit us at www.dezshira.com.

Dezan Shira & Associates assists foreign investors throughout Asia from offices across the world, including in Hanoi, Ho Chi Minh City, and Da Nang. We also maintain offices or have alliance partners assisting foreign investors in China, Hong Kong SAR, Dubai (UAE), Indonesia, Singapore, Philippines, Malaysia, Thailand, Bangladesh, Italy, Germany, the United States, and Australia.