Vietnam’s Cybersecurity Administrative Action Draft Decree

Written by Giulia Interesse

The third draft of Vietnam’s Cybersecurity Administrative Action Decree (CASD), set to take effect on December 1, 2023, brings forth crucial regulatory changes in the realms of cybersecurity and data protection. This article explores the draft CASD’s key aspects, including the wide-ranging violations, stringent penalties, and the need for immediate compliance measures among businesses operating in Vietnam.


The rapidly evolving landscape of cybersecurity and personal data protection in Vietnam has recently witnessed a significant development—the release of the Third Draft of the Cybersecurity Administrative Sanctions Decree (hereinafter referred to as the “Draft CASD”). Scheduled to come into effect on December 1, 2023, the Draft CASD marks a crucial milestone in Vietnam’s commitment to fortify its cybersecurity framework and safeguard personal data.

The Draft CASD introduces a revised set of violations concerning cybersecurity and data privacy regulations. Additionally, it supersedes specific provisions found in the current Decree 15/2020/ND-CP and Decree 14/2022/ND-CP, which pertain to administrative penalties related to postal services, telecommunications, radio frequencies, information technology, and electronic transactions.

In this article, we aim to provide a comprehensive understanding of the importance of the Draft CASD and the far-reaching implications it carries for businesses operating in Vietnam. As we navigate through the nuances of this regulatory update, we explore key aspects, background information, expert insights, and urgent considerations that companies need to keep in mind to ensure compliance with the CASD as it comes into effect later this year.

Background

The Draft CASD was first unveiled to the public by the Ministry of Public Security (MPS) on May 31, 2023, igniting discussion and raising questions among businesses, legal experts, and stakeholders.

This draft builds upon the foundation laid by Decree 13/2023/ND-CP on Personal Data Protection and Decree 53/2022/ND-CP on the Cybersecurity Law, reinforcing Vietnam’s commitment to ensuring the security of its cyberspace and the protection of personal data.

Key aspects of the Draft CASD

Scope of Application

The Draft CASD extends its scope of application beyond entities offering services in the realms of telecommunications, internet, content services in cyberspace, information technology, cybersecurity, and cyberinformation security in Vietnam.

It now encompasses both domestic and foreign individuals and organizations engaged in the processing of personal data related to Vietnam or Vietnamese citizens. Therefore, to remain compliant with Decree 53 and Decree 13 and avoid potential penalties once the Draft CASD comes into effect, all entities covered by this broad scope must take proactive measures.

The document focuses on administering punitive measures within five primary domains:

  • Ensuring information security;
  • Safeguarding personal data;
  • Preventing cyberattacks;
  • Executing cybersecurity protection activities; and
  • Preventing and countering actions that utilize cyberspace, information technology, and electronic means to violate social order and safety laws.

Types of violations and penalties

Within the Draft CASD, a wide array of violations has been meticulously addressed to ensure comprehensive adherence to cybersecurity and data protection regulations. These violations span across several categories, each carrying its own set of penalties and consequences.

Moreover, the Draft CASD grants Vietnamese regulators the authority to enforce penalties on individuals and organizations that breach either or both cybersecurity and data protection regulations, with the extent of the sanctions determined by the assessment of the severity of the violation.

Below, we outline the primary types of violations under the purview of the Draft CASD.

Primary Types of Violations as per the Draft CASD

Type of violation: Violation of obligations relating to information security
Description: The Draft CASD addresses violations related to information security, which involve actions such as disseminating, storing, or producing fake, misleading, or illegal content.
Specific penalties: Penalties for these violations may include:

  • Fines range from VND 20 million (US$842) for individuals and VND 40 million (US$1,684) for organizations that spread and store anti-State content; and
  • Fines of up to VND 80 million (approximately US$3,367) for creating and spreading false information affecting the honor and rights of individuals and organizations.

Type of violation: Violation of obligations related to personal data protection
Description: The Draft CASD provides a comprehensive list of personal data protection violations, encompassing obligations imposed under Decree 13. These violations cover issues such as mishandling personal data, failure to address data owner rights, and the absence of a suitable data protection framework.
Specific penalties: Fines for these infringements can range from VND 20 million (US$842) to VND 160 million (US$6,734).

In more severe cases, authorities may impose additional sanctions, including business license withdrawal and personal data destruction.

Notably, for serious violations like using personal data for marketing or engaging in illegal data collection, fines can extend up to VND 200 million (US$8,418) or up to 5 percent of revenue.

Additional measures, such as data processing suspension or data destruction, may also apply.

Type of violation: Violation of obligations relating to cyberattack protection and response
Description: The Draft CASD introduces penalties for violations related to the deliberate spreading, manufacturing, or purchasing of harmful computer programs. It also addresses the misuse of cyberspace for terrorist activities or threats of terrorism.
Specific penalties: The fines for these offenses range from VND 40 million (US$1,683) to VND 160 million (US$6,734).

Moreover, authorities may suspend business licenses for a period of 12-18 months for severe violations.

Delays or obstructions in actions taken by competent authorities or online support for terrorism can result in fines of up to VND 200 million (US$8,418).

Type of violation: Violation of obligations relating to cybersecurity protection
Description: Violations pertaining to cybersecurity protection primarily involve intentional illegal acts or non-compliance with authority requests. These infractions include actions like intentionally spreading cybersecurity threats, failing to authenticate user information during digital account registration, or obstructing authorities’ requests. Notably, these violations may serve as grounds for authorities to impose data localization or the establishment of branches or representative offices in Vietnam, as mandated by Decree 53.
Specific penalties: Fines for these violations can reach up to VND 200 million (US$8,418), with additional remedial measures for non-compliance.

Type of violation: Violation of obligations related to the use of cyberspace, information technology, and electronic media
Description: Other violations in the Draft CASD pertain to activities in cyberspace, information technology, and electronic media, including actions that incite anti-state sentiments, slander individuals or organizations, infringe upon privacy rights, disrupt economic order, or affect social order.
Specific penalties: Violations related to authentication, identification, and digital account protection may also lead to fines of up to VND 120 million (US$5,051) for organizations.

Monetary penalties of up to 5 percent of total revenue

In addition to the specified penalties for various violations outlined in the Draft CASD, it’s essential to highlight the particularly stringent monetary penalties that may be imposed under specific circumstances.

For the following scenarios, fines may be up to 5 percent of the offender’s total revenue:

  • Repeated violations of personal data protection in marketing and advertising services: This violation describes businesses that repeatedly fail to uphold personal data protection standards while providing marketing and advertising services.
  • Repeated violations involving unauthorized handling of personal data: It refers to enterprises and individuals who repeatedly neglect to implement proper measures to protect personal data, engage in the unauthorized collection of personal data, or engage in illegal buying and selling of personal data.
  • Illegal disclosure or loss of personal data of five million Vietnamese citizens or more: This is a particularly severe violation, involving the illegal disclosure or loss of personal data belonging to five million or more Vietnamese citizens.
  • Illegal transfer of personal data of five million Vietnamese citizens or more overseas: Similarly, this violation involves the illicit transfer of personal data belonging to five million or more Vietnamese citizens to overseas locations.

While these monetary penalties serve as potent deterrents against non-compliance with cybersecurity and data protection regulations, it’s crucial for entities within the scope of the Draft CASD to remain vigilant and proactive in their efforts to ensure adherence to these evolving standards.

Timely compliance: Establishing cybersecurity and data protection measures

To mitigate the risks associated with the CASD, companies must establish comprehensive cybersecurity and personal data protection measures. This includes implementing robust data security protocols, ensuring compliance with data protection principles, and regularly reviewing and updating policies and procedures.

Moreover, given the stringent penalties for non-compliance and the tight regulatory schedule, businesses should act swiftly to ensure they meet the Draft CASD’s requirements before its official issuance on December 1, 2023.

It is thus advisable that companies designate responsible personnel or departments to oversee data protection initiatives. Examples include addressing data subject rights, conducting data impact assessments, and managing cross-border data transfers in accordance with the law.

As the CASD emphasizes the prevention of cyberattacks, companies should also invest in cybersecurity measures, such as securing their systems, equipment, and services, and collaborating with competent authorities to prevent and remove infringing content.

These are all examples of proactive approaches that not only reduce the risk of penalties but also demonstrate a commitment to data protection and cybersecurity.

To ensure full compliance with the provisions outlined in the Draft CASD, companies operating in Vietnam can seek expert guidance from IT service professionals, such as those at Dezan Shira and Associates.

About Us

Vietnam Briefing is published by Asia Briefing, a subsidiary of Dezan Shira & Associates. We produce material for foreign investors throughout Eurasia, including ASEAN, China, India, Indonesia, Russia & the Silk Road.

Dezan Shira & Associates provide business intelligence, due diligence, legal, tax and advisory services throughout Vietnam and the Asian region. We maintain offices in Hanoi and Ho Chi Minh City, as well as throughout China, South-East Asia, India, and Russia. For assistance with investments into Vietnam please contact us at vietnam@dezshira.com or visit us at www.dezshira.com