In late September 2021, the Ministry of Public Security (MPS) released the Draft Decree on administrative penalties for cybersecurity violation (Draft Decree) for public comment. The Draft Decree is expected to enter into force in early 2022. Together with the draft decree on personal data protection (Draft Decree Data Protection),1 the Draft Decree is meant to form the cybersecurity regime in Vietnam and is influenced by the European Union's General Data Protection Regulation.

In this legal update, we will set out specific noteworthy points.

1. Scope

Under the Draft Decree, both Vietnamese and foreign entities and individuals committing violations in cyberspace will be subject to the penalties regulated in the Draft Decree. Foreign entities are defined as "Foreign enterprises or their branches, representative offices, business locations providing telecommunication, internet, content cyberspace, information technology, cybersecurity, and cyber information security".

2. Types of Penalties

For cybersecurity violations, the government proposed two principal forms of administrative penalty: a warning and monetary fines.

Furthermore, depending on the nature, the seriousness, and the consequence of the violation, the violating entities or individual could also be subject to additional sanctions or remedial measures, such as:

  • Revoke the right to use the operation license(s) or relevant permit(s);
  • Confiscate the exhibits, means, or documents related to the administrative violations;
  • Prohibit practising or doing work related to cybersecurity;
  • Remove, delete, or deactivate the illegal or unauthorised programs and data; and
  • Return the internet domain, IP address, or illegally obtained gains from the violations.

Moreover, the competent authority could apply penalties up to five times the prescribed monetary fine or 5% of the enterprise's revenue in the Vietnamese market based on the violation's nature, seriousness, and consequence. The sanctions and remedial measures in the cybersecurity sector are pretty severe. Still, the Draft Decree has yet to provide clear guidance on how the nature and seriousness of the violation would be determined to allow imposing suitable sanctions or remedial measures.

3. Violations of Information Security Assurance

The Draft Decree now comprises and specifies many information security violations which were only vaguely mentioned, or not even provided for, in earlier substantive regulations relating to, for example, finance, banking, information technology, criminal, or civil transactions. The Draft Decree sets out detailed monetary fines, additional sanctions, and remedial measures for many violations relating to public security, economic management, and especially to benefits of entities or individuals. Some notable violations against information security assurance include the producing, spreading, or storing of:

  • Information which fabricates or contains untruthful contents on national sovereignty, security, defence, and public health;
  • Information to distort historical events;
  • Untruthful information on the reputation of any entity or individual; and
  • Untruthful information on banking, e-commerce, stock market, insurance sectors, etc.

Moreover, any entity or individual who copied, counterfeited, or reproduced websites, social networks or accounts of other entities or individuals will also be subjected to the penalties as set out in this Draft Decree.

4. Violations of Personal Data Protection

4.1. Violations of Personal Data Owner Rights

The Draft Decree clarifies that any form of violation of the legal rights of the personal data owner will be penalised, and these include but are not limited to the following:

  • not informing the owner of the purpose, use, and sharing of their personal data;
  • continuing to collect and process the personal data without the owner's prior consent; and
  • refusing to delete the personal data upon the owner's request.

The penalty amount is VND 60,000,000-80,000,000 (~USD 2,600-3,480) for an individual and twice this amount for a legal entity.

4.2. Violations of Processing Children's Personal Data

According to the Draft Decree Data Protection, children's personal data is sensitive information and requires extra caution when being collected and processed. Therefore, the Draft Decree sets out detailed penalties and raises awareness among relevant entities and individuals. For example, the entity or individual who fails to verify and acquire prior consent from the parents or guardians will be subject to penalties of VND 60,000,000-80,000,000 (~USD 2,600-3,480) for an individual and twice this amount for a legal entity.

4.3. Violations on Measures for Personal Data Protection

The Draft Decree Data Protection has specified the necessity of setting up an internal agency and appointing an officer in charge of protecting the collected personal data. Therefore, when entities or individuals do not comply with this regulation, they will be subject to a significant penalty of up to VND 80,000,000-100,000,000 (~USD 3,480-4,350) for an individual, and twice this amount for a legal entity.

5. Conclusion

This Draft Decree underlines that the authorities are taking the protection of the personal data of the citizens of Vietnam seriously.

Footnote

1 See our legal update "GDPR-like draft decree on data protection introduced".
